[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] r25161: {website} Comments from Georg + proxy settings audit details. (website/trunk/projects/torbrowser/design)



Author: mikeperry
Date: 2011-10-11 22:27:30 +0000 (Tue, 11 Oct 2011)
New Revision: 25161

Modified:
   website/trunk/projects/torbrowser/design/index.html.en
Log:
Comments from Georg + proxy settings audit details.



Modified: website/trunk/projects/torbrowser/design/index.html.en
===================================================================
--- website/trunk/projects/torbrowser/design/index.html.en	2011-10-10 18:49:17 UTC (rev 25160)
+++ website/trunk/projects/torbrowser/design/index.html.en	2011-10-11 22:27:30 UTC (rev 25161)
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<html xmlns="http://www.w3.org/1999/xhtml";><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torprojectÂorg</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class=
 "email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torprojectÂorg</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torprojectÂorg</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Oct 7 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2898146">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Pri
 vacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Clic
 k-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1.ÂIntroduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2898146"></a>1.ÂIntroduction</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml";><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torprojectÂorg</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class=
 "email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torprojectÂorg</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torprojectÂorg</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Oct 11 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2869610">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Pr
 ivacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Cli
 ck-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1.ÂIntroduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2869610"></a>1.ÂIntroduction</h2></div></div></div><p>
 
 This document describes the <a class="link" href="#adversary" title="1.1.ÂAdversary Model">adversary model</a>,
 <a class="link" href="#DesignRequirements" title="2.ÂDesign Requirements and Philosophy">design requirements</a>,
@@ -394,6 +394,22 @@
 SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
 <span class="command"><strong>network.proxy.socks_version</strong></span>, and
 <span class="command"><strong>network.proxy.socks_port</strong></span>.
+ </p><p>
+
+We have verified that these settings properly proxy HTTPS, OCSP, HTTP, FTP,
+gopher (now defunct), DNS, SafeBrowsing Queries, all javascript activity,
+including HTML5 audio and video objects, addon updates, wifi geolocation
+queries, searchbox queries, XPCOM addon HTTPS/HTTP activity, and live bookmark
+updates. We have also verified that IPv6 connections are not attempted,
+through the proxy or otherwise (Tor does not yet support IPv6). We have also
+verified that external protocol helpers, such as smb urls and other custom
+protocol handers are all blocked.
+
+ </p><p>
+
+Numerous other third parties have also reviewed and <a class="link" href="#SingleStateTesting" title="5.1.ÂSingle state testing">tested</a> the proxy settings
+and have provided test cases based on their work. See in particular <a class="ulink" href="http://decloak.net/"; target="_top">decloak.net</a>. 
+
  </p></li><li class="listitem">Disabling plugins
 
  <p>Plugins have the ability to make arbitrary OS system calls and  <a class="ulink" href="http://decloak.net/"; target="_top">bypass proxy settings</a>. This includes
@@ -428,13 +444,13 @@
 Tor Browser State is separated from existing browser state through use of a
 custom Firefox profile. Furthermore, plugins are disabled, which prevents
 Flash cookies from leaking from a pre-existing Flash directory.
-   </p></div><div class="sect2" title="3.3.ÂDisk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3.ÂDisk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2914975"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
+   </p></div><div class="sect2" title="3.3.ÂDisk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3.ÂDisk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2901874"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
 Tor Browser MUST (at user option) prevent all disk records of browser activity.
 The user should be able to optionally enable URL history and other history
 features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100"; target="_top">simplify the
 preferences interface</a>, we will likely just enable Private Browsing
 mode by default to handle this goal.
-    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2914438"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
+    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2878481"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
 For now, Tor Browser blocks write access to the disk through Torbutton
 using several Firefox preferences. 
 
@@ -499,7 +515,7 @@
 context-menu option to drill down into specific types of state or permissions.
 An example of this simplification can be seen in Figure 1.
 
-   </p><div class="figure"><a id="id2911396"></a><p class="title"><b>FigureÂ1.ÂImproving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
+   </p><div class="figure"><a id="id2898980"></a><p class="title"><b>FigureÂ1.ÂImproving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
 
 On the left is the standard Firefox cookie manager. On the right is a mock-up
 of how isolating identifiers to the URL bar origin might simplify the privacy
@@ -522,7 +538,7 @@
 As a stopgap to satisfy our design requirement of unlinkability, we currently
 entirely disable 3rd party cookies by setting
 <span class="command"><strong>network.cookie.cookieBehavior</strong></span> to 1. We would prefer that
-third party content continue to function , but we believe the requirement for 
+third party content continue to function, but we believe the requirement for 
 unlinkability trumps that desire.
 
      </p></li><li class="listitem">Cache
@@ -609,10 +625,12 @@
 
      </p><p><span class="command"><strong>Implementation Status:</strong></span>
 
-We <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/4099"; target="_top">plan to
-disable</a> TLS session resumption, and limit HTTP Keep-alive duration. We
-currently clear TLS Session IDs upon <a class="link" href="#new-identity" title="3.7.ÂLong-Term Unlinkability via &quot;New Identity&quot; button">New
-Identity</a>.
+We currently clear TLS Session IDs upon <a class="link" href="#new-identity" title="3.7.ÂLong-Term Unlinkability via &quot;New Identity&quot; button">New
+Identity</a>, but we have no origin restriction implementation as of yet.
+We plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/4099"; target="_top">disable TLS session
+resumption</a>, and limit HTTP Keep-alive duration as stopgaps to limit
+linkability until we can implement <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/4100"; target="_top">true origin
+isolation</a> (the latter we feel will be fairly tricky).
 
      </p></li><li class="listitem">User confirmation for cross-origin redirects
     <p><span class="command"><strong>Design Goal:</strong></span>
@@ -921,11 +939,11 @@
      </p></li></ol></div></div><div class="sect2" title="3.7.ÂLong-Term Unlinkability via &quot;New Identity&quot; button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7.ÂLong-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
 In order to avoid long-term linkability, we provide a "New Identity" context
 menu option in Torbutton.
-   </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2910661"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
+   </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2857700"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
 
 All linkable identifiers and browser state MUST be cleared by this feature.
 
-    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2888916"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
+    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2877575"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
 
    First, Torbutton disables all open tabs and windows via nsIContentPolicy
 blocking, and then closes each tab and window. The extra step for blocking
@@ -1024,7 +1042,7 @@
 This patch prevents random URLs from being inserted into content-prefs.sqllite in
 the profile directory as content prefs change (includes site-zoom and perhaps
 other site prefs?).
-     </p></li></ol></div></div></div><div class="sect1" title="4.ÂPackaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4.ÂPackaging</h2></div></div></div><p> </p><div class="sect2" title="4.1.ÂBuild Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1.ÂBuild Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2.ÂExternal Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2.ÂExternal Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2924325"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2896172"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 cla
 ss="title"><a id="id2917044"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3.ÂPref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3.ÂPref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4.ÂUpdate Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4.ÂUpdate Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5.ÂTesting"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5.ÂTesting</h2></div></div></div><p>
+     </p></li></ol></div></div></div><div class="sect1" title="4.ÂPackaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4.ÂPackaging</h2></div></div></div><p> </p><div class="sect2" title="4.1.ÂBuild Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1.ÂBuild Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2.ÂExternal Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2.ÂExternal Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2889516"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2875722"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 cla
 ss="title"><a id="id2861148"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3.ÂPref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3.ÂPref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4.ÂUpdate Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4.ÂUpdate Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5.ÂTesting"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5.ÂTesting</h2></div></div></div><p>
 
 The purpose of this section is to cover all the known ways that Tor browser
 security can be subverted from a penetration testing perspective. The hope

_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits