Consider encrypted bookmarks addon for storing onions on the browser

Onion addresses are hard to remember and with prop224 they are even harder, yada yada.

One technique that people are using to remember their onions are local browser bookmarks. That's a pretty secure way to do it actually, with the biggest drawback being that the bookmarks are stored long-term on your computer which is a problem if your computer gets compromised.

One way to improve the situation would be to be able to encrypt your bookmarks (a bit like a password manager) so that attackers without your password are not able to retrieve your list of onions.

Some extra features that would be cool to have:

• Some sort of deniability where attackers are not able to see if you have any stored bookmarks if they don't know your password.
• Extra storage for client authorization credential for those onions.
• Even better this wouldn't be a separate addon, but just an enhancement over the current bookmark system of firefox, so that people don't need two understand two UXs.

I'm not sure if there is already an addon that does what we want to do here, but perhaps we could find something.

added component::applications/tor browser new-addon owner::tbb-team points::6 priority::medium severity::normal status::new type::enhancement labels

Trac:
Description: Onion addresses are hard to remember and with prop224 they are even harder, yada yada.

One technique that people are using to remember their onions are local browser bookmarks. That's a pretty secure way to do it actually, with the biggest drawback being that the bookmarks are stored long-term on your computer which is a problem if your computer gets compromised.

One way to improve the situation would be to be able to encrypt your bookmarks (a bit like a password manager) so that attackers without your password are not able to retrieve your list of onions.

Some extra features that would be cool to have:

• Some sort of deniability where attackers are not able to see if you have any stored bookmarks if they don't know your password.
• Extra storage for client authorization credential for those onions.

I'm not sure if there is already an addon that does what we want to do here, but perhaps we could find something.

to

Onion addresses are hard to remember and with prop224 they are even harder, yada yada.

One technique that people are using to remember their onions are local browser bookmarks. That's a pretty secure way to do it actually, with the biggest drawback being that the bookmarks are stored long-term on your computer which is a problem if your computer gets compromised.

One way to improve the situation would be to be able to encrypt your bookmarks (a bit like a password manager) so that attackers without your password are not able to retrieve your list of onions.

Some extra features that would be cool to have:

• Some sort of deniability where attackers are not able to see if you have any stored bookmarks if they don't know your password.
• Extra storage for client authorization credential for those onions.
• Even better this wouldn't be a separate addon, but just an enhancement over the current bookmark system of firefox, so that people don't need two understand two UXs.

I'm not sure if there is already an addon that does what we want to do here, but perhaps we could find something.

It looks like AMO includes some add-ons that try to do something similar, e.g., https://addons.mozilla.org/en-US/firefox/addon/webext-private-bookmarks/

Trac:
Cc: N/A to mcs

Does Firefox's Master Password feature encrypt bookmarks?

Also, could you talk more about client authorization credentials for .onions? How are those provided today (For some reason I thought you had to edit torrc) via Tor Browser?

Trac:
Cc: mcs to mcs, tom

Trac:
Cc: mcs, tom to mcs, tom, phw

Replying to tom:

Does Firefox's Master Password feature encrypt bookmarks?

Did some digging online and this doesn't seem to be the case. Seems to protect usernames and passwords only.

Also, could you talk more about client authorization credentials for .onions? How are those provided today (For some reason I thought you had to edit torrc) via Tor Browser?

Yep, you need to edit the torrc, there is no way to do it through Tor Browser yet. Tickets #14389 (moved) and #19757 (moved) are related to this.

In theory we could have the "Tor bookmark" system keep client auth creds for various onions and use them when those onions are visited.

HSv2 client auth creds look like this:

HidServAuth tkwk5o5n4eud3vwd.onion rJcrR/ZbCMDdJqTImOBvxB basic1

HSv3 client auth hasn't been implemented yet but it might look like this.

Side-note, a person from tor-dev said that they worked on a project like this. Perhaps code or ideas or icons might be reusable.

Trac:
Cc: mcs, tom, phw to antonela, mcs, tom, phw

Trac:
Keywords: N/A deleted, tor-hs added
Cc: antonela, mcs, tom, phw to antonela, mcs, tom, phw, dmr

Trac:
Keywords: N/A deleted, arthuredelstein added

Trac:
Parent: N/A to #25955 (moved)

This is Tor Browser specific. In rare cases we should link them to Core Tor/Tor component but the TBB team should decided that.

Unparenting. Nothing to do with v2 deprecation.

Trac:
Parent: #25955 (moved) to N/A

Trac:
Cc: antonela, mcs, tom, phw, dmr to antonela, mcs, tom, phw, dmr, arthuredelstein
Keywords: arthuredelstein deleted, N/A added

Trac:
Cc: antonela, mcs, tom, phw, dmr, arthuredelstein to antonela, mcs, tom, phw, dmr, arthuredelstein, intrigeri

Replying to asn:

One technique that people are using to remember their onions are local browser bookmarks. That's a pretty secure way to do it actually, with the biggest drawback being that the bookmarks are stored long-term on your computer which is a problem if your computer gets compromised.

On https://trac.torproject.org/projects/tor/wiki/org/meetings/2018MexicoCity/Notes/TBBMeetingDays I've seen "Secure Bookmarks" mentioned. I'm not sure if this the right place to discuss this, feel free to redirect me if it's not :) Here's a dump of my thoughts on this topic.

First, in Tails bookmarks are the most popular persistence feature among those we offer (bookmarks, network connections, additional software, printers, Thunderbird, GnuPG, Bitcoin client, Pidgin, SSH). This was computed from the bug reports we receive so it's a small data set (~100 reports/month), but at least that's data.

Second, without bookmarks support at all (be them "secure" or the default Firefox feature, which we disable because of the disk avoidance design goal), here's what users are likely to do:

• save the URLs they need in an unencrypted text file: not more secure than using the default bookmarks mechanism provided by Firefox (except perhaps Firefox stores the last time when a bookmark was visited? in which case it would count as browsing history, which is another matter)
• use a search engine, a wiki, or something like to discover the hard-to-remember URL every time they need it, i.e. trust a third-party web service to point them to the correct URL; this approach does resist better to computer compromise but it also puts user's credentials at risk every time they access the hard-to-remember URL. Depending on the threat model, either can be safer.

I have no data to show how aware users are of the risks of either approach and I won't try to guess.

So to me it's not obvious that we're doing our users a service by disabling bookmarks and I would even argue that enabling the default Firefox bookmarks feature would not be worse than the current state of things. Now, if we get something even better, i.e. "Secure Bookmarks", that'll be awesome!

Thanks for the feedback intri. Here is also a research paper showing that about 52% of Tor users from a survey were also using the bookmark system, whereas 9% of people did not use bookmarks because they leaved a trace: https://arxiv.org/pdf/1806.11278.pdf

Trac:
Username: reportUrl
Keywords: network-need, prop224, tor-hs, tbb deleted, new-addon added

changed time estimate to 48h

mentioned in issue #25955 (moved)

mentioned in issue tpo/core/tor#25955 (closed)

moved to tpo/applications/tor-browser#24310 (closed)