Opened 2 years ago

Last modified 2 months ago

#26341 needs_information enhancement

Enable setting torbutton.use_nontor_proxy with an environment variable

Reported by: eyedeekay
Owned by: tbb-team
Priority: Low
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Trivial
Keywords: tbb-torbutton, gitlab-tb-torbutton
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


I've been working with some Whonix people to try and get a working i2p browser into Whonix, and for obvious reasons, Tor Browser was the only acceptable basis. My goal was to accomplish this without changing Tor Browser at all, but unfortunately that was not to be. In order to use i2p, I need to be able to tell Torbutton to set use_nontor_proxy=true. I have a fork on github where I successfully did this already which I am using to test it.

Change History (4)

comment:1 Changed 2 years ago by gk

Component: changed from Applications/Torbutton to Applications/Tor Browser
Keywords: tbb-torbutton added
Owner: set to tbb-team
Status: changed from new to needs_information

Why exactly do you need to set that preference to true? Because there is no domain isolation possible with I2P used instead? FWIW: I don't think just switching that pref alone is a good idea. See torbutton_use_nontor_proxy() in torbutton.js for why. If you ship your own I2P browser I assume you ship your own profile with it. Why can't you just flip the default preferences in it accordingly? What do you plan to do with all the Tor-related branding, because it is not Tor Browser you'll ship anymore even if it says so.

comment:2 Changed 2 years ago by eyedeekay

Thanks for getting back to me. I didn't mean to imply that I would leave Tor Project strings and images in place; I understand how that misunderstanding arose and want to make sure that you know before anything I do reaches any upstream projects or distributions, I promise to remove misleading branding. Anything on my personal github should be considered a prototype or working copy. What I meant was that I would prefer to not introduce any new code if I could reasonably help it. On that subject, I had thought that the existing environment variables would be adequate to accomplish the removal of Tor Project markings, however, upon closer examination, this isn't the case. I'm going to put in some time this weekend to figure out exactly what I would need to do to accomplish this more thoroughly. Besides that, in Whonix, the Tor Browser is downloaded and started by two scripts, in the packages tb-updater and tb-starter. These are configured using environment variables that affect the settings in the Tor Browser Bundle at runtime. That way they can guarantee that the settings are not accidentally overwritten by an update, as they are stored outside the TBB itself and set at runtime, and they don't have to ship a different prefs.js. I had actually taken the prefs.js approach in a previous attempt to produce an i2p browser.

As for domain isolation, i2p doesn't really provide a way to do it the way TBB does it. I think I remember reading somewhere, long ago, that the argument is that it isn't the core i2p router's job to do that, it should be done by an application that talks to the i2p APIs (I am working on such an application). What it does instead is rotate the destination used for the http proxy, refreshing the destination when the router is restarted or after a configurable amount of idle time. It's obviously very simple to link people's browsing behavior across multiple eepSites if you own multiple eepSites, and it's also very easy to spin up multiple eepSites from anywhere. I can't speak for anyone else but the way I think about it is that, at least on i2p, I am the same person in every single browser tab. I'd personally like things to be more automatic, but I don't think this is an unreasonable mental model, as long as I keep my promise to remove all TPO related labeling and provide adequate documentation. But in order to follow a path where the default i2p http proxy is used, I know this is the reason use_nontor_proxy must be set.

So I shall reconsider my approach and get back to you.

comment:3 Changed 2 years ago by eyedeekay

OK, so I have taken steps to make sure that I do not misleadingly represent this browser configuration based on the Tor Browser as a real Tor Browser. Foremost, I've replaced the welcome page completely to indicate that it's an i2p browser, with a clear warning "i2p does not do domain isolation" with a brief explanation that you will have the same identity for all your activity in this browser (page is here: It may change, but that message will still be conveyed. This will be presented 100% of the time when a user starts our i2p browser. Besides that, we pass a different wm_class to firefox. I even created a re-branding plugin ( (just a fork of iceweasel's) that I'd love to be able to use, and am investigating paths to using, however there are complications on the path to doing this which will take time to overcome. It is something I will continue to work on. I hope that this helps to make my patch more acceptable.

As for isolation, for now the approach is to warn visibly about the shared identity across browser tabs and visibly delineate the differences between this and the standard TBB. My motivation for choosing the Tor Browser is hardening against metadata leakage and lowered ability to deduce system characteristics using browser features. Even without domain isolation, TBB still seems to be the best choice.

comment:4 Changed 2 months ago by gk

Keywords: gitlab-tb-torbutton added

Add magic gitlab keyword.