Privacy/Roadmap/Tor/Planning

From MozillaWiki

The Tor Browser Bundle has a design document that does a very good job of enumerating the security/privacy goals for its anonymous browser [1]. Mozilla (I think) seems to align with many of the issues presented there; however, I believe regular Firefox users would prefer a 'working internet' to a 'slightly different behaviour browser' with more privacy. I have assumed that the initial set of changes would only be enabled when using 'private' browsing mode, so that the disk avoidance issues are covered there. In this Roadmap we focus on identification and state separation issues.

It seems there are three buckets for Tor/Privacy Related bugs:

  1. Browser Entropy (Identification)
    1. Reduce/limit the number of fonts available for rendering
    2. Reduce the entropy of the available window size
    3. Block access to Components.interfaces and Components.lookup from non-XUL JavaScript
    4. Do not cache Basic authentication credentials unless explicitly entered by the user (or make the auth headers available to http-on-modify-request observers)
      • Related bugs: Tor 3907.
        • Need to think about the security implications of the Tor patch
  2. Make the interaction with external helper applications and plugins explicit (click to play)
    1. Click to run plugins (bug 711618)
    2. Change the behaviour in private browsing to 'ask first' for all external applications
    3. Click to enable WebGL (related to the entropy of the browser itself)
  3. Prevent cross-domain identification
    1. Dual-keyed cookies (keyed by top-level site as well as cookie host)
    2. Per-domain cache (including web fonts)
    3. Per-domain storage (including DOM storage)
    4. Blank out window.name when the referrer is blank
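As an added illustration of the "reduce the entropy of the window size" item in bucket 1 (example code written for this page, not Mozilla's or Tor's implementation): the reported content-area size is rounded down to a coarse grid, and the Shannon entropy of a constructed population of viewport sizes is computed before and after rounding. The 200x100 step values and the eight sample sizes are assumptions for the demonstration.

```javascript
// Added example: quantising the window size exposed to content and
// measuring how many bits of identifying information that removes.
// The sample sizes and step values below are constructed for illustration.

// Round `value` down to a multiple of `step`, never below `step` itself.
function bucket(value, step) {
  return Math.max(step, Math.floor(value / step) * step);
}

// Quantise a viewport to a coarse grid. 200x100 is an assumed step size.
function bucketWindowSize(width, height, stepW = 200, stepH = 100) {
  return { width: bucket(width, stepW), height: bucket(height, stepH) };
}

// Shannon entropy (bits) of an observed distribution of fingerprint values:
// the number of bits a single value reveals about which user produced it.
function entropyBits(samples) {
  const counts = new Map();
  for (const s of samples) counts.set(s, (counts.get(s) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / samples.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed population: eight users with slightly different viewports.
// Every raw value is unique, so the raw size identifies each user exactly.
const rawSizes = [
  [1366, 728], [1280, 689], [1440, 813], [1366, 650],
  [1920, 1017], [1536, 824], [1600, 868], [1280, 720],
];

// Compare entropy of the raw sizes against the quantised sizes.
function compareEntropy(sizes) {
  const raw = sizes.map(([w, h]) => `${w}x${h}`);
  const bucketed = sizes.map(([w, h]) => {
    const b = bucketWindowSize(w, h);
    return `${b.width}x${b.height}`;
  });
  return { raw: entropyBits(raw), bucketed: entropyBits(bucketed) };
}

const result = compareEntropy(rawSizes);
console.log(`raw: ${result.raw} bits, bucketed: ${result.bucketed} bits`);
```

With the constructed population, the raw sizes carry 3 bits (all eight values are distinct) while the quantised sizes collapse to five buckets carrying 2.25 bits. The caveat a practitioner should keep in mind is that quantisation only helps if the page cannot recover the true size some other way (for example by measuring layout of a full-viewport element), which is why Tor Browser also constrains the actual content-area size rather than only what window.innerWidth reports.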
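The "dual-keyed cookies" item in bucket 3 is the core of the state separation work, so here is an added model of it (example code written for this page, not Firefox's or Tor Browser's cookie service): an in-memory cookie jar that can be keyed either by cookie host alone or by top-level site plus cookie host, exercised by a simulated tracker script embedded on two unrelated first-party sites. The site names and the `uid` cookie are constructed for the example.

```javascript
// Added example: single-keyed versus double-keyed cookie storage, and what a
// third-party tracker can correlate in each mode. Hostnames are constructed.

class CookieJar {
  // doubleKeyed=true partitions cookies by the top-level (first-party) site
  // the user is visiting, in addition to the host that set the cookie.
  constructor({ doubleKeyed }) {
    this.doubleKeyed = doubleKeyed;
    this.store = new Map();
  }

  // Storage key for cookies from `cookieHost` while `topLevelSite` is loaded.
  key(topLevelSite, cookieHost) {
    return this.doubleKeyed ? `${topLevelSite}|${cookieHost}` : cookieHost;
  }

  set(topLevelSite, cookieHost, name, value) {
    const k = this.key(topLevelSite, cookieHost);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }

  get(topLevelSite, cookieHost, name) {
    const partition = this.store.get(this.key(topLevelSite, cookieHost));
    return partition ? partition.get(name) : undefined;
  }
}

// Simulated tracker script loaded as a third party on `topLevelSite`:
// on first contact it mints an identifier, afterwards it reads it back.
function trackerVisit(jar, topLevelSite, trackerHost, mintId) {
  let id = jar.get(topLevelSite, trackerHost, 'uid');
  if (id === undefined) {
    id = mintId();
    jar.set(topLevelSite, trackerHost, 'uid', id);
  }
  return id;
}

// True when the tracker observes the same identifier on both first-party
// sites, i.e. cross-domain identification succeeded.
function canLinkAcrossSites(jar) {
  let counter = 0;
  const mintId = () => `id-${++counter}`;
  const tracker = 'tracker.example';
  const onNews = trackerVisit(jar, 'news.example', tracker, mintId);
  const onShop = trackerVisit(jar, 'shop.example', tracker, mintId);
  return onNews === onShop;
}

console.log('single-keyed linkable:', canLinkAcrossSites(new CookieJar({ doubleKeyed: false })));
console.log('double-keyed linkable:', canLinkAcrossSites(new CookieJar({ doubleKeyed: true })));
```

Under single keying the tracker reads back `id-1` on the second site and links the two visits; under double keying it finds an empty partition on shop.example and mints a fresh `id-2`. The same keying rule is what the per-domain cache and per-domain storage items above apply to other state: anything a third party can write on one site and read on another is a cookie in all but name.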

On leaving and entering private browsing:

  • Clear SSL sessions.
  • Close keepalive TCP sessions
  • Clear HSTS site preferences

Will NOT do:

  • Randomize HTTP pipelining (Tor 3914 )
    • It is currently unknown whether this defense would work.
  • Disable all plugins except flash (Tor 3547 )
    • We cannot determine a-priori what is good/bad from the users perspective.
  • Some way to deal with performance-based attacks (Tor 3059 )
    • This is really hard, no clear solutions even on the research side.

Don't know how to classify (listed here for completeness)

  • SafeCache key is only 32 bits (Tor 3666 )
  • Make the content pref service memory-only and clearable (Tor 3229)
  • Prevent TLS state from accumulating in the browser [2]

Already Solved?