[tor-talk] A secure browsing model?

Mike Perry mikeperry at torproject.org
Sat Jan 21 04:49:36 UTC 2012

Thus spake Andrew Lewman (andrew at torproject.org):

> On Thu, 19 Jan 2012 23:27:54 -0800
> Mike Perry <mikeperry at torproject.org> wrote:
> > See:
> > https://www.torproject.org/projects/torbrowser/design/#privacy
> > 
> > Is that too technical? How can I improve the design document so that
> > it is more clear that it is exactly what you're looking for?
> This came up in a support phone call recently. The question asked
> was, "Can I log in to my igoogle through tbb and still search in a new
> tab without logging in, and keep the search terms separate from the
> obviously identified igoogle tab?"

Yeah, I was thinking that we may want to make a human version of the
design document for use on the main website. It should be a short
description of the URL bar origin isolation idea in plain English, and
introduce the "New Identity" concept, perhaps with some images.

In fact, I think the new Firefox 4.0+ URL bar hostname shadowing
already suggests subdomain-based isolation. They did it for SSL
awareness and related phishing issues, but it helps suggest our
privacy properties too. 

I think the most surprising thing to laypeople will be "Hey wait, you
mean Google *could* somehow know what I'm doing on Twitter in my normal
browser?" The answer, of course, is that Google can and does (at least
at some level). In fact, I'm not aware of too many big web players
that don't have this ability in all existing browsers other than TBB.
We need to make this fact quite clear, I think.

> The design doc isn't crystal clear here. It is clear that bing.com
> searches will not leak to igoogle page, but not clear if
> encrypted.google.com searches leak to www.google.com/ig and vice versa.

You're right, on a more technical level we need to tighten some
definitions. Unfortunately, the underlying implementation for each
identifier storage is not always uniform between FQDNs versus
subdomains. But, this could just mean we take the loosest definition.
I.e., in most cases mail.google.com can track you on
encrypted.google.com, but mail.google.com can't track you on

Mike Perry
Exterminate all dogma.
Permit no exceptions.
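
A minimal model of the URL bar isolation idea discussed in this message, added here as an illustration; it is not code from Tor Browser or from the message's author. The class and function names are hypothetical, the base domain is approximated by the last two host labels rather than the Public Suffix List, and "New Identity" is modelled only as clearing the store.

```javascript
// Added illustration; not Tor Browser code. All names are hypothetical.

// Assumption: the "loosest definition" from the message, where the isolation
// key is the base domain. Taking the last two labels is a simplification;
// a real browser would consult the Public Suffix List.
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Identifier store (think cookie jar). With isolate=false it is keyed only by
// the domain that owns the identifier, as in a conventional browser. With
// isolate=true it is additionally keyed by the URL bar domain.
class IdentifierStore {
  constructor(isolate) {
    this.isolate = isolate;
    this.jar = new Map();
    this.counter = 0;
  }

  // urlBarHost: host shown in the URL bar; resourceHost: host being fetched
  // (the page itself or an embedded third-party resource).
  identifierFor(urlBarHost, resourceHost) {
    const owner = baseDomain(resourceHost);
    const key = this.isolate ? `${baseDomain(urlBarHost)}|${owner}` : owner;
    if (!this.jar.has(key)) {
      this.counter += 1;
      this.jar.set(key, `id-${this.counter}`);
    }
    return this.jar.get(key);
  }

  // Simplified "New Identity": every stored identifier is discarded.
  newIdentity() {
    this.jar.clear();
  }
}

// True when resourceHost receives the same identifier under both URL bar
// hosts, i.e. it can link the user's activity across the two sites.
function linkable(store, urlBarHostA, urlBarHostB, resourceHost) {
  return store.identifierFor(urlBarHostA, resourceHost) ===
         store.identifierFor(urlBarHostB, resourceHost);
}
```

With `isolate` set to false, a www.google.com resource embedded on twitter.com sees the same identifier as a first-party visit to www.google.com; with it set to true the two identifiers differ, while mail.google.com and encrypted.google.com still share one under the base-domain key.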