[or-cvs] [torbutton/maint-1.2] Add notes from chrome incognito review.
Author: Mike Perry <mikeperry-git@xxxxxxxxxx>
Date: Tue, 13 Oct 2009 15:42:30 -0700
Subject: Add notes from chrome incognito review.
Commit: 745eb740b5a84e65cd2b7c8e922b5987f7b0e1ac
---
website/design/CHROME_NOTES | 120 +++++++++++++++++++++++++++++++++++++++++++
1 files changed, 120 insertions(+), 0 deletions(-)
create mode 100644 website/design/CHROME_NOTES
diff --git a/website/design/CHROME_NOTES b/website/design/CHROME_NOTES
new file mode 100644
index 0000000..5142453
--- /dev/null
+++ b/website/design/CHROME_NOTES
@@ -0,0 +1,120 @@
+- Investigation of Privacy Mode:
+ - Good:
+ - Cookies Cleared+memory only
+ - Cache cleared and memory-only
+ - History not available via javascript or CSS
+ - Safe because currently unsupported:
+ - Geolocation not supported in browser
+ - DOM Storage not supported
+ - HTML5 Storage not supported
+ - Http auth is cleared
+ - Do they have a session store?
+ - Yes. It is disabled.
+ - Form history disabled
+ - But non-private entries still available
+ - Malware and phishing protection
+ - Per-url check?
+ - Doesn't seem like it..
+ - Bad:
+ - RLZ Identifier sent with all queries even in Incognito mode
+ - http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=107684
+ - Flash cookies not cleared
+ - Google gears are still available
+ - Do they have their own storage?
+ - Yes. Completely ignores private mode.
+ - Safebrowsing API key not cleared?
+ - but updates may not happen "under" the incognito window
+ - Desktop resolution available
+ - Browser resolution is available
+ - SSL session keys
+ - Not cleared!
+ - They clear trusted certs tho
+ - Timezone not spoofed
+
+- Misc Features we definitely need:
+ - Incognito-specific proxy settings
+ - Browser proxy settings currently do not apply immediately
+ - Plugin enable/disable controls
+ - Spoof user agent
+ - Referer alteration API
+ - Autolaunching of remote apps needs to be disabled
+ - API to opt-out of all the opt-in tracking for incognito mode
+ - Cookie API would be nice
+ - Need network.security.ports.banned
+ - http://www.remote.org/jochen/sec/hfpa/hfpa.pdf
+ - Resize windows (content-window side possibly ok)
+
+- Future investigation
+ - Non-private form history still available
+ - Forms seem to not be auto-filled, but this may be different
+ for some fields?
+ - How evil is google update? will it happen over incognito?
+ - http://en.wikipedia.org/wiki/Google_Updater#Google_Updater
+ - http://en.wikipedia.org/wiki/SRWare_Iron#Differences_from_Chrome
+ - http://foliovision.com/2008/12/09/adwords-ppc-organic-rlz/
+ - Test in more detail with sysinternals for disk writes
+ - What about safebrowsing requests? Can they bypass proxy?
+ - Video tag supports H264 and ogg via ffmpeg
+ - Hrmm.. proxy bypass ability?
+
+- Test results. Used Incognito Mode with the test suites from:
+ https://www.torproject.org/torbutton/design/#SingleStateTesting
+ - Decloak.net:
+ - Recovers IP and DNS via Java
+ - Recovers IP via flash
+ - Deanonymizer.com
+ - Failed NNTP and FTP quicktime
+ - JohnDo's hated some headers
+ - Mr. T got a lot of shit wrong...
+ - http://labs.isecpartners.com/breadcrumbs/breadcrumbs.html
+
+- Comparison with Torora
+ - http://github.com/mwenge/torora/tree/master/doc/DESIGN.torora
+ - Good ideas for both chrome and torbutton:
+ - Cache/Cookie expiry every 24hrs
+ - Random preturbation on Date() object..
+ - No longer possible without js hooks :/
+ - Possible if Chrome allows non-delatable shadowing of window.Date()
+ from user scripts. ECMA says it should
+
+==========================================
+
+- Incognito Issues:
+ - SSL session keys
+ - Not cleared!
+ - Flash cookies not cleared
+ - Better Privacy? Permissions?
+ - Google gears are still available
+ - Do they have their own storage?
+ - Yes. Completely ignores private mode.
+ - RLZ override/disable for incognito
+ - Opt out of opt-in tracking?
+ - Source code:
+ http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/profile.cc
+
+- Privacy Enhancing API Wishlist (remove existing items):
+ - http://code.google.com/chrome/extensions/devguide.html
+ - Prefs (copy-on-write for incognito mode)
+ - Incognito-specific proxy settings
+ - Should not be used for safebrowsing or app/addon update
+ - pref to disable autolaunch of apps/warn user
+ - network.security.ports.banned
+ - User agent (that also govern navigator.*)
+ - could be done (better) via http headers and good hook support
+ - Core APIs:
+ - Per-Plugin enable/disable controls
+ - Cookie API
+ - Cache control
+ - HTTP header alteration ("on-modify-request")
+ - Referrer, accept, user agent
+ - Javascript hooks:
+ - http://code.google.com/chrome/extensions/content_scripts.html
+ - Bleh, these suck... Too limited.
+ - ECMA compliance
+ - desktop+screen resolution
+ - Date hooking
+ - navigator.* hooking
+
+- Posted at:
+ - http://groups.google.com/group/chromium-extensions/t/ceba26ca9e2f6a78
+
--
1.5.6.5