Ticket #15988: 0001-Edit-pass-of-GK-s-design-doc-update.-Note-the-XXX.patch

File 0001-Edit-pass-of-GK-s-design-doc-update.-Note-the-XXX.patch, 6.3 KB (added by mikeperry, 3 years ago)

Patch with some edits to GK's branch, and an XXX question about describing the threat model issue with speculative connections.

  • design-doc/design.xml

    From dfe2cd82c65baef78ed37e21bb888b09aa3c246b Mon Sep 17 00:00:00 2001
    From: Mike Perry <mikeperry-git@torproject.org>
    Date: Fri, 3 Mar 2017 20:50:52 -0500
    Subject: [PATCH] Edit pass of GK's design doc update. Note the XXX!
    
    ---
     design-doc/design.xml | 32 ++++++++++++++++++++++----------
     1 file changed, 22 insertions(+), 10 deletions(-)
    
    diff --git a/design-doc/design.xml b/design-doc/design.xml
    index 55693a2..fafe27e 100644
    a b but it seemed better safe than sorry. 
    959959 </para>
    960960
    961961 <para>
    962 For further defense-in-depth we disabled WebIDE which can bypass proxy settings
    963 for remote debugging and is downloading extensions we don't have reviewed. We
     962
     963For further defense-in-depth we disabled WebIDE because it can bypass proxy
     964settings for remote debugging, and also because it downloads extensions we
     965have not reviewed. We
    964966are doing this by setting
    965967<command>devtools.webide.autoinstallADBHelper</command>,
    966968<command>devtools.webide.autoinstallFxdtAdapters</command>,
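Review bot: lines 963-965 give two reasons for disabling WebIDE (it can bypass proxy settings for remote debugging, and it downloads extensions that have not been reviewed) without any reference, whereas the mDNS and TCPSocket sentences later in this same file point to their commit or ticket with a <ulink>; adding the commit or ticket that sets the devtools.webide.* preferences would make the claim checkable. Also, the rewrap leaves a lone "We" at the end of 965 in front of the unchanged "are doing this by setting" on 966; reflowing those two lines together would read better.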
    traffic. 
    982984 </para>
    983985
    984986 <para>
     987
    985988Finally, we <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.7.0esr-6.5-1&amp;id=67236693a6b742e2383f681c719030109a752e3e">
    986 disabled mDNS support</ulink> as mDNS is using UDP packets and made sure
    987 Mozilla's TCPSocket is not usable by explicitely setting
     989disabled mDNS support</ulink>, since mDNS uses UDP packets. We also disable
     990Mozilla's TCPSocket by setting
    988991<command>dom.mozTCPSocket.enabled</command> to <command>false</command>. We
    989992<ulink url="https://trac.torproject.org/projects/tor/ticket/18866">intend to
    990993rip out</ulink> the TCPSocket code in the future to have an even more solid
    991994guarantee that it won't be used by accident.
     995
    992996 </para>
    993997
    994998 <para>
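Review bot: tense is mixed within one paragraph at 988-990: "Finally, we disabled mDNS support ..., since mDNS uses UDP packets. We also disable Mozilla's TCPSocket by setting ..." switches from past to present for two parallel actions; "We also disabled" keeps them consistent with the rest of the sentence and with "We intend to rip out" that follows. The rewording otherwise reads well and drops the "explicitely" misspelling from the old line 987.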
    features if they so desire. 
    11421146     <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=1047105">asm.js
    11431147     cache entries get written to disk</ulink> in private browsing mode. This
    11441148     is done by setting <command>javascript.options.asmjs</command> to
    1145      <command>false</command> (for linkability concerns see below).
     1149     <command>false</command> (for linkability concerns with asm.js see below).
    11461150    </blockquote>
    11471151    <blockquote>
    11481152
    others things, like type of CPU, build ID, source characters of the asm.js 
    13001304module etc.) keyed <ulink url="https://blog.mozilla.org/luke/2014/01/14/asm-js-aot-compilation-and-startup-performance/">to the origin of the script</ulink>.
    13011305Lacking a good solution for binding it to the URL bar domain instead (and given
    13021306the storage of asm.js modules in Private Browsing Mode) we decided to disable
    1303 asm.js for the time by setting <command>javascript.options.asmjs</command> to
     1307asm.js for the time being by setting <command>javascript.options.asmjs</command> to
    13041308<command>false</command>. It remains to be seen whether keying the cache entry
    13051309to the source characters of the asm.js module helps to avoid using it for
    13061310cross-origin tracking of users. We did not investigate that yet.
    We provide the isolation in Tor Browser via a <ulink 
    15721576url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.7.0esr-6.5-1&amp;id=35bc7b931998a2b3a45afebc3d0bd5a96e6e666a">direct
    15731577patch to Firefox</ulink>. If we lack a window for determining the URL bar
    15741578domain (e.g. in some worker contexts) the use of broadcast channels is disabled.
     1579
    15751580      </para>
    15761581     </listitem>
    15771582     <listitem><command>OCSP</command>
    functionality is provided by a 
    16021607    <listitem><command>mediasource: URIs and MediaStreams</command>
    16031608      <para>
    16041609
    1605 mediasource: URIs and MediaStreams MUST be isolated to the URL bar domain.
     1610Much like blob URLs, mediasource: URIs and MediaStreams can be used to tag
     1611users. Therefore, mediasource: URIs and MediaStreams MUST be isolated to the URL bar domain.
    16061612This functionality is part of a
    16071613<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.7.0esr-6.5-1&amp;id=5dd51049d2a3d487a6bfaf4972f2876aeb2dff5d">Firefox patch</ulink>
    16081614
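Review bot: line 1611 runs well past the wrap width the surrounding lines keep (about 80 columns); break it after "Therefore, mediasource: URIs and MediaStreams MUST be isolated" so the XML source stays readable in a diff. The added rationale at 1610 ("Much like blob URLs ... can be used to tag users. Therefore ... MUST be isolated to the URL bar domain") is the right shape for a requirement paragraph: it states the linkability risk first and the isolation rule as its consequence.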
    URL bar domain isolation in a patch to Firefox as a means for defense-in-depth. 
    16271633      </para>
    16281634      <para><command>Design Goal:</command>
    16291635
     1636XXX: describe linkability risk. I'm a little fuzzy on this one.. From a design
     1637requirements perspective, they seem not that much worse than images, objects,
     1638stylesheets, etc. Is it just that this can cause link visits without user
     1639consent? That could be a good enough reason, but it's not an explicit design
     1640requirement, I think. Interesting edgecase..
     1641
    16301642Speculative connections MUST be isolated to the URL bar domain.
    16311643
    16321644      </para>
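Review bot: the XXX block at 1636-1640 sits inside the <para> that begins with <command>Design Goal:</command>, so as committed it would be rendered in the published design document rather than stay a note to reviewers; either resolve it before merging or move the question to the ticket and leave only the requirement at 1642. On the substance, the mediasource hunk earlier in this same patch states its goal as "can be used to tag users. Therefore ... MUST be isolated to the URL bar domain"; phrasing the speculative-connection goal the same way (what a third party can learn if such a connection is keyed to something other than the URL bar domain) would answer the XXX in the document's own requirement style.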
    out that it is possible to subvert our clamping of explicit clocks by using 
    24672479<ulink url="https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_kohlbrenner.pdf">
    24682480implicit ones</ulink>, e.g. extrapolating the true time by running a busy loop
    24692481with a predictable operation in it. We are tracking
    2470 <ulink url="https://trac.torproject.org/projects/tor/ticket/16110"> this problem
     2482 <ulink url="https://trac.torproject.org/projects/tor/ticket/16110">this problem
    24712483</ulink> in our bug tracker and are working with the research community and
    24722484Mozilla to develop and test a proper solution to this part of our defense
    24732485against timing-based side channel fingerprinting risks.
    in Firefox</ulink> it is possible to detect the locale and the platform of a 
    24832495Tor Browser user. Moreover, it is possible to find out the extensions a user has
    24842496installed. This is done by including resource:// and/or chrome:// URIs into
    24852497web content which point to resources included in Tor Browser itself or in
    2486 extensions installed.
     2498installed extensions.
    24872499      </para>
    24882500      <para>
    24892501We believe that it should be impossible for web content to extract information
    url="https://blog.torproject.org/blog/experimental-defense-website-traffic-finge 
    29322944use of HTTP pipelining and/or SPDY</ulink>.
    29332945In the tunable/low-overhead
    29342946category, we have <ulink
    2935 url="http://freehaven.net/anonbib/cache/ShWa-Timing06.pdf">Adaptive
     2947url="https://arxiv.org/abs/1512.00524">Adaptive
    29362948Padding</ulink> and <ulink url="http://www.cs.sunysb.edu/~xcai/fp.pdf">
    29372949Congestion-Sensitive BUFLO</ulink>. It may be also possible to <ulink
    29382950url="https://trac.torproject.org/projects/tor/ticket/7028">tune such
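Review bot: line 2947 changes the target of the "Adaptive Padding" link from the anonbib ShWa-Timing06 PDF to https://arxiv.org/abs/1512.00524 while the link text is unchanged, and the commit message ("Edit pass of GK's design doc update") does not mention a reference change; say so in the commit message, and if the arXiv paper is a different work from the one previously cited, add it as a second <ulink> beside the original rather than silently replacing the citation.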