Opened 7 years ago

Closed 5 years ago

#3461 closed enhancement (fixed)

minor tweaks for TBB to reduce data transfer and data leaking

Reported by: phobos Owned by: mikeperry
Priority: Medium Milestone:
Component: Firefox Patch Issues Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I've noticed the default TBB is quite permissive in its settings. I am concerned that after a few hours of browsing in TBB, a large number of sites can track my current persona and know where I've been on the web, and what I've been doing. If I screw up once and login to a website with my real identity, I've just tied anonymous me to real me. I've been looking into the data stored in cache after some simple operations and how it is effected by changing the torbutton and noscript settings. I wish I could export torbutton settings in some simple manner.

I did a simple test this morning.

  1. I start up TBB 1.1.11 on linux.
  2. I click on the 'the tor blog' bookmark and let the page load.
  3. I then click on 'learn more about tor' bookmark and let the page load.
  4. On the tor website, I click on Press.
  5. Once the page loads, I click on volunteer.
  6. After the page loads, I decide to see what the weather is like at the tor office. I enter 'wunderground.com' in the awesome bar and let it load.
  7. I enter '02081' in the location and let it load.
  8. I click on the radar map and let it load.

Attached are 3 pdfs and 1 text file. Each pdf is named according to what it represents.

  1. The file 'default-TBB-settings-cache-data-leaking.pdf' represents the results from 'about:cache' after the eight steps above.
  2. I tweak some of the torbutton settings, specifically:
  3. Under 'security settings, dynamic content' I check 'Disable updates during Tor usage'.
  4. Under 'history', I check all boxes.
  5. Under 'forms', I check al boxes.
  6. Under 'cache', I check 'clear cookies on tor toggle'
  7. Under 'startup', I check 'On normal startup, set Tor state to tor', 'On session restored startup, set tor state to tor', and uncheck the two saving tabs options.
  8. Under 'shutdown', I check 'clear cookies during any browser shutdown'.

The file named 'minor-tweaks-TBB-data-leaks.pdf' represents the cache after these changes and following the initial 7 steps.

  1. I configure noscript to be slightly more strict in what it allows for javascript and other options. The file 'medium-tweaks-TBB-noscript-settings.txt' are these changes. The file 'medium-tweaks-TBB-data-leaks.pdf' represents the cache after these changes and following the 7 steps.

The result appears to be for the same seven steps, with a tbb restart between each run a dramatic reduction in cached objects.

Default TBB: 442 objects for 2.5MB in cache. Lots of ad networks loaded in cache too.

Minor TBB: 340 objects for 1.5MB in cache. Lots of ad networks loaded in cache too.

Medium TBB: 205 objects for 912KB in cache. 1 Facebook plugin, far few ad networks loaded in cache.

Child Tickets

Attachments (4)

default-TBB-settings-cache-data-leaking.pdf (124.9 KB) - added by phobos 7 years ago.
minor-tweaks-TBB-data-leaking.pdf (113.5 KB) - added by phobos 7 years ago.
medium-tweaks-TBB-data-leaks.pdf (72.9 KB) - added by phobos 7 years ago.
medium-tweaks-TBB-noscript-settings.txt (13.2 KB) - added by phobos 7 years ago.

Download all attachments as: .zip

Change History (13)

Changed 7 years ago by phobos

Changed 7 years ago by phobos

Changed 7 years ago by phobos

Changed 7 years ago by phobos

comment:1 Changed 7 years ago by phobos

I should add that a completely random test of the 3 people sitting next to me found none of functionality of the website reduced in the final, 'medium tweak' configuration.

I'm going to poll for a larger set of sites to further test functionality and cache loading between default TBB config and my 'medium tweak' configuration.

comment:2 Changed 7 years ago by mikeperry

One of Dan Boneh's students just upgraded SafeCache to Firefox 4. He also implemented a headers-only version of the double-key cookie policy: http://crypto.stanford.edu/cs294s/projects/browser.html

I am reviewing this to see if it is something we can just merge into 1.4.0 and disable the cookie bits until we can give them a better UI.

I think that the SafeCache isolation approach is better to just disabling the cache, though I'm also not clear exactly why any of the options you changed should be reducing total cached object size (unless you disabled iframe/frame loading in NoScript).

comment:3 Changed 7 years ago by mikeperry

#3508 for the merge of Edward's patch.

comment:4 Changed 6 years ago by phobos

I installed collusion into my tbb with my suggested data settings. Here's the resulting network links after a day of browsing in a single tbb session, https://gitorious.org/misc-tor-files/misc-tor-files/blobs/master/2012-01-29-a-day-with-tbb-and-collusion.png

I don't know how to get the raw data out of collusion in a tabular, paired format.

I will compare to stock tbb soon.

comment:5 Changed 6 years ago by mikeperry

How does this collusion tool work? What do the arcs between sites mean? How are they formed? TBB should be blocking all forms of association, other than direct link navigation. If collusion is making assumptions about the behavior of the browser underneath it, many of these arcs may be invalid due to Torbutton and the patches in Tor Browser.

Also, do your settings map onto this selection of choices planned for the future: https://trac.torproject.org/projects/tor/ticket/3100

If not, how do we represent, for example, your noscript settings as a choice? Should they be the default?

comment:6 Changed 6 years ago by phobos

The site is here, http://collusion.toolness.org/

I mostly installed it to stalk myself for the day. The big red button in the middle is doubleclick.net, it saw my tbb profile across six sites. Another one of the grey button is youtube.com, which saw me across three sites.

comment:7 Changed 6 years ago by mikeperry

Rather sparse on the description on their website, but if that red dot is doubleclick, then it is unlikely this graph is accurate unless you were clicking on ads. TBB definitely defangs all of the ways 3rd parties can track you between sites without interaction, unless you've undone protections somehow..

comment:8 Changed 6 years ago by phobos

I poked at the collusion plugin some more. It seems it's saving every domain name hit by the browser on a page. Over time, it sees doubleclick.net, adtmt.com, etc showing up on multiple pages. I'm not sure if the fact that my browser queried and loaded something from the domain counts as an actual risk.

comment:9 Changed 5 years ago by mikeperry

Resolution: fixed
Status: newclosed

Please refile as specific violations of TBB's privacy requirements (if any remain. I don't see any): https://www.torproject.org/projects/torbrowser/design/#privacy

Note: See TracTickets for help on using tickets.