Opened 12 years ago

Closed 8 years ago

Last modified 8 years ago

#523 closed enhancement (fixed)

New Identity Button

Reported by: mikeperry Owned by: mikeperry
Priority: High Milestone: TorBrowserBundle 2.2.x-stable
Component: TorBrowserButton Version: 1.1
Severity: Keywords: MikePerryIteration20110814
Cc: mikeperry, squires, arma, Hopkey, lunar@… Actual Points: 8
Parent ID: Points: 8
Reviewer: Sponsor:

Description (last modified by mikeperry)

One of these days it might be nice to add a "New Identity" button to Torbutton to instruct vidalia or
the control port itself to choose a new path, in addition to clearing Tor cache+cookies. This
may or may not depend on a "Tor Status" check to verify that the tor process is in fact running.
Unfortunately, there are lots of usability issues with control port auth, multiple confusing controls
and statues, exactly which cookies get cleared, etc that need to be considered.

[Automatically added by flyspray2trac: Operating System: All]

Child Tickets

Change History (30)

comment:1 Changed 12 years ago by squires

"new identity" should probably be broken into two separate concerns:

a) "new circuit" - Send a NEWNYM signal to Tor. Useful for bailing out of a set of

unresponsive circuits

b) "new identity" - all the browser cleanup to separate your activities on the old

set of circuits from your activities on the new set of circuits

(a) is easy. (b) is could get complicated.

comment:2 Changed 10 years ago by xtoaster

a)what if vidalia has already authenticated to tor. I think doing it through vidalia might be a easier solution :). and listen on a local port for vidalia to connect back and report tor status.

b) IMHO just restarting the browser ("destroy old identity") would be ok - once and for all. haha.

comment:3 Changed 9 years ago by mikeperry

We probably also want to support Multiple Identities at some point. That would be an outgrowth of this and the
fine-grained cookie control code.

comment:4 Changed 9 years ago by mikeperry

It might also be a good idea to put the New Identity button on a timer a-la BetterPrivacy, to address the accumulation
of browsing state for long-lived tor-sessions.

See also bug #940 and #637:
https://bugs.torproject.org/flyspray/index.php?do=details&id=940
https://bugs.torproject.org/flyspray/index.php?do=details&id=637

comment:5 Changed 9 years ago by mikeperry

Description: modified (diff)

Bug #1579 is a dup of this bug. Providing "New Identity" on a timer would give people a way to be safer from cookie and cache identifiers if they use Tor continuously, but would still like to have cookies and cache enabled. This would especially be handy if we could protect certain cookies from deletion from the timer, a-la #637.

comment:6 Changed 9 years ago by mikeperry

Summary: New Identity ButtonNew Identity Button and Timer

comment:7 Changed 9 years ago by mikeperry

Explicitly providing the option to close old tabs when this timer goes off is a good idea too, as lots of state can be hidden in a live open page, independent of cookies and cache.

comment:8 Changed 9 years ago by mikeperry

Owner: set to koryk
Status: newassigned

comment:9 Changed 9 years ago by mikeperry

Worth reviewing: http://nevercookie.anonymizer.com/

Claims to defeat evercookies. We also defeat evercookies based on both my understanding of how they work and a manual test, but this addon is probably worth a quick look just to see if they do anything extra.

comment:10 Changed 8 years ago by mikeperry

For Tor Browser Bundle, doing a New Identity Button is actually much easier, because Vidalia now launches both Tor and Firefox. It passes a control port password to Tor via the command line. It can pass this same password to Torbutton via an environment variable. This way, Torbutton can connect to Tor's control port to send the SIGNAL NEWNYM itself.

comment:11 in reply to:  10 ; Changed 8 years ago by arma

Replying to mikeperry:

For Tor Browser Bundle, doing a New Identity Button is actually much easier, because Vidalia now launches both Tor and Firefox. It passes a control port password to Tor via the command line. It can pass this same password to Torbutton via an environment variable. This way, Torbutton can connect to Tor's control port to send the SIGNAL NEWNYM itself.

What level of Firefox (or extension) vulnerability would be sufficient to break into and reconfigure your Tor, in this case?

comment:12 in reply to:  11 Changed 8 years ago by mikeperry

Replying to arma:

Replying to mikeperry:

For Tor Browser Bundle, doing a New Identity Button is actually much easier, because Vidalia now launches both Tor and Firefox. It passes a control port password to Tor via the command line. It can pass this same password to Torbutton via an environment variable. This way, Torbutton can connect to Tor's control port to send the SIGNAL NEWNYM itself.

What level of Firefox (or extension) vulnerability would be sufficient to break into and reconfigure your Tor, in this case?

A vulnerability that enables the full reconfiguration of Tor from Firefox using this password would also allow arbitrary code execution as the Firefox user.

comment:13 Changed 8 years ago by mikeperry

One of the reasons why this ticket is languishing for so long is that it is hard to envision the user story for a browser that auto-clears state without telling them. They are going to wonder why their logins keep breaking..

Is a periodic popup too much for this? How do we prevent it from getting annoying, without having them forget that the browser is doing this for them?

comment:14 in reply to:  10 ; Changed 8 years ago by rransom

Replying to mikeperry:

For Tor Browser Bundle, doing a New Identity Button is actually much easier, because Vidalia now launches both Tor and Firefox. It passes a control port password to Tor via the command line. It can pass this same password to Torbutton via an environment variable.

The firefox-remote IPC mechanism would most likely be a safer way to send the password to Firefox.

comment:15 in reply to:  14 Changed 8 years ago by rransom

Replying to rransom:

The firefox-remote IPC mechanism would most likely be a safer way to send the password to Firefox.

That is, if we didn't completely disable that IPC mechanism in TBB-Firefox.

comment:16 Changed 8 years ago by rransom

2011-03-04 20:50 <mikeperry> I think this firefox-ipc idea is out
2011-03-04 20:50 <mikeperry> this is all the interface to remoting that we get:
2011-03-04 20:50 <mikeperry> http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/interfaces/nsINativeAppSupport

comment:17 Changed 8 years ago by mikeperry

Parent ID: #2880

comment:18 Changed 8 years ago by mikeperry

I think we should go for the env variable option, much like in #2843.

comment:19 Changed 8 years ago by Hopkey

I'd really love to have something like this implemented in the Torbutton add-on.

In fact I was trying to get it done quickly (and hackishly) myself before I found this post.

What's the status of this particular feature?

comment:20 Changed 8 years ago by mikeperry

Component: TorbuttonTorBrowserButton

Hopkey: No one is actively working on it, but a quick hackish way to get it done is to invoke the functions invovled in the toggle codepath without actually toggling proxy settings: https://www.torproject.org/torbutton/en/design/#id2696524

I would accept such a patch if you were interested in working on it.

comment:21 Changed 8 years ago by mikeperry

Cc: Hopkey added

Hopkey: There may be some details with respect to either closing all open tabs, and/or giving them a separate and distinct tab tag, though. Search the design doc for "State Isolation" and "Network Isolation" to see how that comes into play..

comment:22 Changed 8 years ago by mikeperry

HopKey: Are you still here? I think you may have missed a comment before I added you to Cc..

comment:23 Changed 8 years ago by lunar

Cc: lunar@… added

This might be a lot easier to implement if proposal 171 gets implemented. Getting a new identity would be a matter of generating a new random SOCKS username.

comment:24 in reply to:  23 Changed 8 years ago by mikeperry

Replying to lunar:

This might be a lot easier to implement if proposal 171 gets implemented. Getting a new identity would be a matter of generating a new random SOCKS username.

Lunar: This ticket includes the Torbutton work of clearing all accumulated browser state.

comment:25 Changed 8 years ago by mikeperry

Milestone: 1.4TorBrowserBundle 2.2.x-stable
Parent ID: #2880

comment:26 Changed 8 years ago by mikeperry

Owner: changed from koryk to mikeperry
Points: 6
Summary: New Identity Button and TimerNew Identity Button

comment:27 Changed 8 years ago by mikeperry

Points: 68

Forgot about the control port part of this.

comment:28 Changed 8 years ago by mikeperry

Keywords: MikePerryIteration20110814 added

comment:29 Changed 8 years ago by mikeperry

Actual Points: 8
Resolution: Nonefixed
Status: assignedclosed

Alright this is finished. Here is the list of things done:

  1. Tag all tabs as non-tor
  2. Disables Javascript and plugins on all tabs
  3. Clears state:
    1. OCSP
    2. Cache
    3. Site-specific zoom
    4. Cookies+DOM Storage+safe browsing key
    5. google wifi geolocation token
    6. http auth
    7. SSL Session IDs
    8. last open location url
  4. Sends tor the NEWNYM signal to get a new circuit

We still need to do a little better job SSL state, in particular intermediate certificates are not yet properly cleared. See #2739 for that.

comment:30 Changed 8 years ago by mikeperry

Oh, it also closes all tabs, in addition to tagging and disabling them.

Note: See TracTickets for help on using tickets.