[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] r25175: {website} Update TBB design doc w/ an intro to the implementation sect (website/trunk/projects/torbrowser/design)
Author: mikeperry
Date: 2011-10-19 04:40:12 +0000 (Wed, 19 Oct 2011)
New Revision: 25175
Modified:
website/trunk/projects/torbrowser/design/index.html.en
Log:
Update TBB design doc w/ an intro to the implementation
section and some internal hyperlinks.
Modified: website/trunk/projects/torbrowser/design/index.html.en
===================================================================
--- website/trunk/projects/torbrowser/design/index.html.en 2011-10-18 13:35:40 UTC (rev 25174)
+++ website/trunk/projects/torbrowser/design/index.html.en 2011-10-19 04:40:12 UTC (rev 25175)
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torprojectÂorg</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class=
"email"><<a class="email" href="mailto:erinn#torproject org">erinn#torprojectÂorg</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torprojectÂorg</a>></code></p></div></div></div></div><div><p class="pubdate">Oct 11 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2869610">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Pr
ivacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Cli
ck-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1.ÂIntroduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2869610"></a>1.ÂIntroduction</h2></div></div></div><p>
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torprojectÂorg</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class=
"email"><<a class="email" href="mailto:erinn#torproject org">erinn#torprojectÂorg</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torprojectÂorg</a>></code></p></div></div></div></div><div><p class="pubdate">Oct 19 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id3042393">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Pr
ivacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Cli
ck-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1.ÂIntroduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3042393"></a>1.ÂIntroduction</h2></div></div></div><p>
This document describes the <a class="link" href="#adversary" title="1.1.ÂAdversary Model">adversary model</a>,
<a class="link" href="#DesignRequirements" title="2.ÂDesign Requirements and Philosophy">design requirements</a>,
@@ -224,18 +224,22 @@
respect to platform support, security requirements are the minimum properties
in order for Tor to support the use of a web client platform.
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Proxy Obedience</strong></span><p>The browser
-MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><span class="command"><strong>State Separation</strong></span><p>The browser MUST NOT provide any stored state to the content window
+ </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="3.1.ÂProxy Obedience"><span class="command"><strong>Proxy
+Obedience</strong></span></a><p>The browser
+MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="3.2.ÂState Separation"><span class="command"><strong>State
+Separation</strong></span></a><p>The browser MUST NOT provide any stored state to the content window
from other browsers or other browsing modes, including shared state from
plugins, machine identifiers, and TLS session state.
-</p></li><li class="listitem"><span class="command"><strong>Disk Avoidance</strong></span><p>
+</p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="3.3.ÂDisk Avoidance"><span class="command"><strong>Disk
+Avoidance</strong></span></a><p>
The browser MUST NOT write any information that is derived from or that
reveals browsing activity to the disk, or store it in memory beyond the
duration of one browsing session, unless the user has explicitly opted to
store their browsing history information to disk.
-</p></li><li class="listitem"><span class="command"><strong>Application Data Isolation</strong></span><p>
+</p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="3.4.ÂApplication Data Isolation"><span class="command"><strong>Application Data
+Isolation</strong></span></a><p>
The components involved in providing private browsing MUST be self-contained,
or MUST provide a mechanism for rapid, complete removal of all evidence of the
@@ -248,7 +252,7 @@
to permissions issues with access to swap, implementations MAY choose to leave
it out of scope, and/or leave it to the user to implement encrypted swap.
-</p></li><li class="listitem"><span class="command"><strong>Update Safety</strong></span><p>The browser SHOULD NOT perform unsafe updates or upgrades.</p></li></ol></div></div><div class="sect2" title="2.2.ÂPrivacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2.ÂPrivacy Requirements</h3></div></div></div><p>
+</p></li></ol></div></div><div class="sect2" title="2.2.ÂPrivacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2.ÂPrivacy Requirements</h3></div></div></div><p>
The privacy requirements are primarily concerned with reducing linkability:
the ability for a user's activity on one site to be linked with their activity
@@ -265,7 +269,8 @@
google.com. Implementations MAY, at their option, restrict the url bar origin
to be the entire fully qualified domain name.
- </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cross-Origin Identifier Unlinkability</strong></span><p>
+ </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="3.5.ÂCross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
+Identifier Unlinkability</strong></span></a><p>
User activity on one url bar origin MUST NOT be linkable to their activity in
any other url bar origin by any third party automatically or without user
@@ -275,13 +280,15 @@
to sites, or due information submitted during manual link traversal. This
functionality SHOULD NOT interfere with federated login in a substantial way.
- </p></li><li class="listitem"><span class="command"><strong>Cross-Origin Fingerprinting Unlinkability</strong></span><p>
+ </p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="3.6.ÂCross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin
+Fingerprinting Unlinkability</strong></span></a><p>
User activity on one url bar origin MUST NOT be linkable to their activity in
any other url bar origin by any third party. This property specifically applies to
linkability from fingerprinting browser behavior.
- </p></li><li class="listitem"><span class="command"><strong>Long-Term Unlinkability</strong></span><p>
+ </p></li><li class="listitem"><a class="link" href="#new-identity" title="3.7.ÂLong-Term Unlinkability via "New Identity" button"><span class="command"><strong>Long-Term
+Unlinkability</strong></span></a><p>
The browser SHOULD provide an obvious, easy way to remove all of its
authentication tokens and browser state and obtain a fresh identity.
@@ -385,6 +392,21 @@
their proper deployment or privacy realization. However, we will likely disable
certain new features (where possible) pending analysis and audit.
</p></li></ol></div></div></div><div class="sect1" title="3.ÂImplementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>3.ÂImplementation</h2></div></div></div><p>
+
+The Implementation section is divided into subsections, each of which
+corresponds to a <a class="link" href="#DesignRequirements" title="2.ÂDesign Requirements and Philosophy">Design Requirement</a>.
+Each subsection is divided into specific web technologies or properties. The
+implementation is then described for that property.
+
+ </p><p>
+
+In some cases, the implementation meets the design requirements in a non-ideal
+way (for example, by disabling features). In rare cases, there may be no
+implementation at all. Both of these cases are denoted by differentiating
+between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
+Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a>
+are typically linked for these cases.
+
</p><div class="sect2" title="3.1.ÂProxy Obedience"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>3.1.ÂProxy Obedience</h3></div></div></div><p>
Proxy obedience is assured through the following:
@@ -444,13 +466,13 @@
Tor Browser State is separated from existing browser state through use of a
custom Firefox profile. Furthermore, plugins are disabled, which prevents
Flash cookies from leaking from a pre-existing Flash directory.
- </p></div><div class="sect2" title="3.3.ÂDisk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3.ÂDisk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2901874"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
+ </p></div><div class="sect2" title="3.3.ÂDisk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3.ÂDisk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id3048300"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Tor Browser MUST (at user option) prevent all disk records of browser activity.
The user should be able to optionally enable URL history and other history
features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">simplify the
preferences interface</a>, we will likely just enable Private Browsing
mode by default to handle this goal.
- </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2878481"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
+ </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id3052558"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
For now, Tor Browser blocks write access to the disk through Torbutton
using several Firefox preferences.
@@ -515,7 +537,7 @@
context-menu option to drill down into specific types of state or permissions.
An example of this simplification can be seen in Figure 1.
- </p><div class="figure"><a id="id2898980"></a><p class="title"><b>FigureÂ1.ÂImproving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
+ </p><div class="figure"><a id="id3051496"></a><p class="title"><b>FigureÂ1.ÂImproving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
On the left is the standard Firefox cookie manager. On the right is a mock-up
of how isolating identifiers to the URL bar origin might simplify the privacy
@@ -939,11 +961,11 @@
</p></li></ol></div></div><div class="sect2" title="3.7.ÂLong-Term Unlinkability via "New Identity" button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7.ÂLong-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
In order to avoid long-term linkability, we provide a "New Identity" context
menu option in Torbutton.
- </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2857700"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
+ </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id3068567"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
All linkable identifiers and browser state MUST be cleared by this feature.
- </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2877575"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
+ </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id3057460"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
First, Torbutton disables all open tabs and windows via nsIContentPolicy
blocking, and then closes each tab and window. The extra step for blocking
@@ -1042,7 +1064,7 @@
This patch prevents random URLs from being inserted into content-prefs.sqllite in
the profile directory as content prefs change (includes site-zoom and perhaps
other site prefs?).
- </p></li></ol></div></div></div><div class="sect1" title="4.ÂPackaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4.ÂPackaging</h2></div></div></div><p> </p><div class="sect2" title="4.1.ÂBuild Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1.ÂBuild Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2.ÂExternal Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2.ÂExternal Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2889516"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2875722"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 cla
ss="title"><a id="id2861148"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3.ÂPref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3.ÂPref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4.ÂUpdate Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4.ÂUpdate Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5.ÂTesting"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5.ÂTesting</h2></div></div></div><p>
+ </p></li></ol></div></div></div><div class="sect1" title="4.ÂPackaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4.ÂPackaging</h2></div></div></div><p> </p><div class="sect2" title="4.1.ÂBuild Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1.ÂBuild Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2.ÂExternal Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2.ÂExternal Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3033960"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3033967"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 cla
ss="title"><a id="id3033984"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3.ÂPref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3.ÂPref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4.ÂUpdate Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4.ÂUpdate Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5.ÂTesting"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5.ÂTesting</h2></div></div></div><p>
The purpose of this section is to cover all the known ways that Tor browser
security can be subverted from a penetration testing perspective. The hope
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits