Cyrus Katrak:
> https://github.com/kr36/seaturtle
>
> At a high level:
> - Process per tab security model, with each tab owning its own in-memory
> state (cache, cookies, local storage, hsts db etc...).

We've been going for URL bar domain isolation in Tor Browser to avoid divergence with how users expect the browser to behave:
https://www.torproject.org/projects/torbrowser/design/#philosophy
https://www.torproject.org/projects/torbrowser/design/#identifier-linkability

Even still, per-tab isolation is a common request, so it's easy to assume that this is what most people really want. But I think if you think through how it will work in practice, it becomes fairly clear it's actually a very bad property for usability.

The easiest way to see how per-tab isolation will cause confusion is to imagine the twitter use case. In a normal twitter user flow, the user logs in to twitter, opens some lists and conversations (often in new tabs), perhaps opens tweetdeck in a new tab, follows links from people in their feed, and sends and receives twitter conversation links from their friends over DM, chat, IRC, and email.

If each of these actions happens in a new, isolated tab, the user will be forced to log in repeatedly to twitter, and worse, forget which tabs they logged in to twitter on, especially once they start following links (both on and off site) from people's feeds.

Is Tor Browser-style url bar domain isolation also possible to achieve with simple configuration, or did you just go per-tab because the Chromium plumbing was already set up to make per-tab isolation easy?

I see a cookie policy file that appears to block third party cookies, but I don't see the per-tab isolation mechanism in the source.

> - Efficiently integrated HTTPS Everywhere rules.
> - Addresses some fingerprint-ability issues: Disabled geolocation, webgl,
> accelerated <canvas>, static user agent, etc.

Are these also simple prefs?

> - Single tap to start a bundled Tor binary, and properly configure the
> browser's proxy settings. Gave a fair amount of thought to UX and polish.

Do you interact with the Tor Control port at all here? Or do you just re-write the torrc? Where is your tor handling located in the code?

> It's still early days, only builds for Android at the moment. Nobody has
> seriously reviewed the code or black box tested. Lots of fingerprint
> mitigation work still remains. Hoping to get feedback and suggestions for
> improvement, and help.

It looks like you've seen the Tor Browser design doc and the important Chrome Bugs links, but I'd like to point these sections out again as they have recently been updated:
https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs#ProxyBypassBugs
and
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

In particular, that fingerprinting section was just updated this past weekend.

I also have an OpenWRT configuration I can give you to monitor for proxy leaks on an upstream router, but you need to be able to configure Tor Bridges to make use of it.

--
Mike Perry
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
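
Added example, not part of the original message and not code from seaturtle or Tor Browser: a toy Python model of the two cookie-jar keyings compared in the message above, run over a constructed twitter flow. The class, the URLs, the two-label domain rule and the absence of third-party cookie blocking are all assumptions of the model.

```python
from urllib.parse import urlsplit

def url_bar_domain(url):
    # Assumption: last two host labels; a real browser uses the Public Suffix List.
    return ".".join((urlsplit(url).hostname or "").split(".")[-2:])

class ToyBrowser:
    def __init__(self, policy):
        self.policy = policy   # "per_tab" or "url_bar"
        self.jars = {}         # isolation key -> {cookie domain: {name: value}}
        self.logins = 0

    def _jar(self, tab, top_url):
        # per_tab: one jar per tab; url_bar: one jar per URL bar (first-party) domain.
        if self.policy == "per_tab":
            key = ("tab", tab)
        else:
            key = ("site", url_bar_domain(top_url))
        return self.jars.setdefault(key, {})

    def has_session(self, tab, top_url, resource_url=None):
        # resource_url is a subresource embedded in the page shown at top_url.
        domain = url_bar_domain(resource_url or top_url)
        return "session" in self._jar(tab, top_url).get(domain, {})

    def visit(self, tab, url):
        # Load a page; log in when this isolation context has no session yet.
        if not self.has_session(tab, url):
            jar = self._jar(tab, url)
            jar.setdefault(url_bar_domain(url), {})["session"] = "constructed"
            self.logins += 1

# Constructed flow: (tab id, URL) for home, a list, tweetdeck, a link from e-mail.
FLOW = [
    (1, "https://twitter.com/home"),
    (2, "https://twitter.com/i/lists"),
    (3, "https://tweetdeck.twitter.com/"),
    (4, "https://twitter.com/someone/status/1"),
]

def run_flow(policy):
    browser = ToyBrowser(policy)
    for tab, url in FLOW:
        browser.visit(tab, url)
    # Tab 1 then follows a link to another site that embeds a twitter widget.
    widget_linked = browser.has_session(
        1, "https://news.example/story", "https://platform.twitter.com/widgets.js")
    return browser.logins, widget_linked

if __name__ == "__main__":
    for policy in ("per_tab", "url_bar"):
        print(policy, run_flow(policy))
```

In this model the per-tab keying needs one login per tab, and the widget loaded later in tab 1 still sees the twitter session, while the URL bar keying needs a single login and gives the widget under news.example an empty jar.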