Opened 5 years ago

Last modified 15 months ago

#6549 new project

Implement "Do Not Track" as privacy-by-design

Reported by: mikeperry
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: SponsorZ-large, tbb-firefox-patch
Cc: g.koppen@…, runa, michael, cass
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by mikeperry)

The purpose of Tor Browser is to build a private-by-design reference implementation of "Do Not Track", but through the alteration of browser behavior and without the need for regulation or begging. See also: https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design

We've done this by taking the basic ideas of "Do Not Track" and defining them as privacy properties in terms of linkability between domains:
https://www.torproject.org/projects/torbrowser/design/#privacy

Here's the current list of known violations of the identifier linkability:

Ticket Component Priority Type Summary Owner
#3600 Applications/Tor Browser High defect Prevent redirects from transmitting+storing cookies+identifiers tbb-team
#9336 Applications/Tor Browser High defect Odd wyswig schemes without isolation for browserspy.dk tbb-team
#9783 Applications/Tor Browser High defect New Identity does not always clear all OCSP/favicon related network activity tbb-team
#12609 Applications/Tor Browser High defect HTML5 fullscreen API makes TB fingerprintable, disable it! mikeperry
#12683 Applications/Tor Browser High defect Permissions in nsIPermissionManager aren't cleared with TorButton's "New Identity" tbb-team
#14952 Applications/Tor Browser High task Audit HTTP/2 and SPDY if needed tbb-team
#15499 Applications/Tor Browser High defect Onion sites circuits are not properly isolated to URL bar domain tbb-team
#15563 Applications/Tor Browser High defect ServiceWorkers violate first party isolation, probably tbb-team
#15599 Applications/Tor Browser High defect Range requests used by pdfjs are not isolated to URL bar domain pospeselr
#16335 Applications/Tor Browser High task Investigate whether the Symbol data type can store global identifiers accessible to content tbb-team
#16920 Applications/Tor Browser High defect Referer Header should be disabled for new tabs tbb-team
#17965 Applications/Tor Browser High defect Isolate HPKP and HSTS to url bar domain tbb-team
#19417 Applications/Tor Browser High defect asm.js files should be no linkability risk tbb-team
#21559 Applications/Tor Browser High defect Tor browser deanonymization/fingerprinting via cached intermediate CAs tbb-team
#22100 Applications/Tor Browser High defect Triggering the external helper dialog leads sometimes to requests going over the catch-all circuit tbb-team
#22343 Applications/Tor Browser High defect Save as... in the context menu results in using the catch-all circuit arthuredelstein
#22649 Applications/Tor Browser High defect Save Link As... in the context menu results in using the catch-all circuit tbb-team
#23210 Applications/Tor Browser High defect Favicons are getting reloaded over catch-all-circuit if content process crashes tbb-team
#2877 Applications/Tor Browser Medium defect Prevent TLS state from accumulating in Tor Browser tbb-team
#4335 Applications/Tor Browser Medium enhancement Per-urlbar domain plugin control tbb-team
#5288 Applications/Tor Browser Medium defect Clickjacking + popups subvert TBB url-bar isolation tbb-team
#10824 Applications/Tor Browser Medium defect Using Firefox UI to remember history disables third party tracking/cookie protection tbb-team
#12682 Applications/Tor Browser Medium enhancement Tor Browser's HTML5 canvas fingerprinting dialogue could use a "Revoke" button tbb-team
#13236 Applications/Tor Browser Medium defect investigate Firefox SSL for things that might allow user tracking tbb-team
#15569 Applications/Tor Browser Medium defect Web Notification API icons get no first party tbb-team
#15954 Applications/Tor Browser Medium defect Canvas permission and HTTP auth still use FQDN isolation tbb-team
#16285 Applications/Tor Browser Medium task Make sure EME is no tracking risk in Tor Browser tbb-team
#16693 Applications/Tor Browser Medium defect Isolate TLS Channel-Bound Cookies tbb-team
#17123 Applications/Tor Browser Medium defect Request for certificate is sent over the catch-all circuit tbb-team
#17244 Applications/Tor Browser Medium defect Low entropy PRNG usage in Tor Browser? tbb-team
#17252 Applications/Tor Browser Medium enhancement Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them tbb-team
#18532 Applications/Tor Browser Medium defect Now search.disconnect.me through catchall too tbb-team
#19037 Applications/Tor Browser Medium defect Suppress content access to page visibility API tbb-team
#19520 Applications/Tor Browser Medium task Investigate "No last modified time" entries visible in about:cache tbb-team
#19741 Applications/Tor Browser Medium defect favicon in searchbar popup uses catchall circuit tbb-team
#19921 Applications/Tor Browser Medium defect Tor Browser: improper handling of 404 Not Found images tbb-team
#20256 Applications/Tor Browser Medium defect Cloudfront resources are isolated to the FQDN tbb-team
#20317 Applications/Tor Browser Medium defect Key permissions by first-party domain instead of origin (proposal) tbb-team
#20328 Applications/Tor Browser Medium defect No cookies are visible, except... tbb-team
#20393 Applications/Tor Browser Medium defect Something uses catchall circuit tbb-team
#21347 Applications/Tor Browser Medium enhancement Retrying a download breaks URL bar domain isolation tbb-team
#21657 Applications/Tor Browser Medium task Test to make sure we isolate or disable all speculative connects tbb-team
#21793 Applications/Tor Browser Medium task Keep an eye on the CustomElementRegistry API tbb-team
#22538 Applications/Tor Browser Medium defect Changing circuit for page with error switches catch-all circuit instead tbb-team
#23216 Applications/Tor Browser Medium defect The `languagechange` event is noticeable on all open tabs tbb-team
#23768 Applications/Tor Browser Medium defect Update code to wipe indexedDB in New Identity tbb-team
#24553 Applications/Tor Browser Medium enhancement Re-enable Alternate Services tbb-team
#8213 Applications/Tor Browser Low defect spoof history.length - browser.sessionhistory.max_entries tbb-team
#22162 Applications/Tor Browser Low defect Review speculative connections tbb-team


Here's the current list of known violations of fingerprinting linkability:

Ticket Component Priority Type Summary Owner
#6119 Applications/Quality Assurance and Testing Very High project Create our own instance of Panopticlick boklm
#13017 Applications/Tor Browser Very High task Determine if AudioBuffers/OfflineAudioContext are a fingerprinting vector arthuredelstein
#17175 Applications/Tor Browser Very High defect Site is able to detect locale in some way tbb-team
#23227 Applications/Tor Browser Very High task Automatically deny canvas request and don't show this message tbb-team
#1623 Applications/Tor Browser High enhancement Block protocol handler enumeration tbb-team
#2940 Applications/Tor Browser High enhancement Adapt browser time based on tor's notion of clock skew... tbb-team
#4810 Applications/Tor Browser High enhancement Weird screen sizes reported by Panopticlick mikeperry
#5666 Applications/Tor Browser High defect Hook MediaElement for Full Screen Mode tbb-team
#5798 Applications/Tor Browser High defect Improve persistence and WebFont compatibility of font patch tbb-team
#8770 Applications/Tor Browser High task Verify that @font-face fallback fonts can't be probed tbb-team
#11333 Applications/Tor Browser High task Audit requestAnimationFrame() and possible timing attacks tbb-team
#12609 Applications/Tor Browser High defect HTML5 fullscreen API makes TB fingerprintable, disable it! mikeperry
#12977 Applications/Tor Browser High defect Fix Firefox's Full Screen Permissions Prompt tbb-team
#13400 Applications/Tor Browser High defect Canvas Fingerprinting: fonts tbb-team
#14205 Applications/Tor Browser High task Closely review all uses of IsCallerChrome() for e10s mcs
#14390 Applications/Tor Browser High defect Browser configuration fingerprinting tbb-team
#16339 Applications/Tor Browser High task Make sure the ImageCapture API is not leaking information (camera availability) tbb-team
#16341 Applications/Tor Browser High task Investigate fingerprinting potential of CanvasRenderingContext2D.filter tbb-team
#18044 Applications/Tor Browser High defect Prompt if Tor Browser is zoomed tbb-team
#18364 Applications/Tor Browser High defect Tor Browser in Gnu+Linux doesn't support Dingbats properly tbb-team
#18500 Applications/Tor Browser High task Investigate impact of fingerprinting via getClientRects() tbb-team
#18599 Applications/Tor Browser High task Make sure OffScreenCanvas API does not render moot our canvas fingerprinting protection tbb-team
#18860 Applications/Tor Browser High defect Reply button text and text editing Dingbats in Trac are not visible on Gnu+Linux TBB tbb-team
#20941 Applications/Tor Browser High defect Tor browser will resize it self after the dock is enabled and the browser is dragged to a new location arthuredelstein
#21559 Applications/Tor Browser High defect Tor browser deanonymization/fingerprinting via cached intermediate CAs tbb-team
#21785 Applications/Tor Browser High task Keep an eye on the Storage API tbb-team
#21787 Applications/Tor Browser High task Make sure exposing the calendar information does not leak the locale tbb-team
#22137 Applications/Tor Browser High defect Provide the same scrollbar size across different platforms tbb-team
#22919 Applications/Tor Browser High defect Form tracking and OS fingerprinting (only Windows, but without Javascript) tbb-team
#23424 Applications/Tor Browser High defect Stop exposing the moz-icon URL scheme to the web tbb-team
#24056 Applications/Tor Browser High defect UI locale is detectable by button width tbb-team
#6065 Applications/Tor Browser Medium defect TBB does strange things to fonts on Windows 7 mikeperry
#6217 Applications/Tor Browser Medium defect Mozilla updates queries happen at regular intervals tbb-team
#7256 Applications/Tor Browser Medium project Explore zoom-based alternatives to fixed window sizes tbb-team
#7588 Applications/Tor Browser Medium task Determine what features are affected by "Hardware Acceleration" and how tbb-team
#7921 Applications/Tor Browser Medium enhancement Remove/hide fingerprintable UI options tbb-team
#9189 Applications/Tor Browser Medium defect Tor Browser forgets zoom level tbb-team
#9451 Applications/Tor Browser Medium defect de-anonymisation by readable @font-face CSS attribute - TBB settings update tbb-team
#9484 Applications/Tor Browser Medium enhancement Allow setting of window dimensions in TBB tbb-team
#10299 Applications/Tor Browser Medium task Check whether font feature properties are problematic
#11935 Applications/Tor Browser Medium defect Strange fallback font behavior on Mac and Windows mikeperry
#12995 Applications/Tor Browser Medium defect default font seems seems to leak system locale information tbb-team
#12999 Applications/Tor Browser Medium enhancement Use one clock skew per URL bar domain tbb-team
#13018 Applications/Tor Browser Medium defect Math routines are OS fingerprintable tbb-team
#13052 Applications/Tor Browser Medium defect Torbrowser window size/rendering issue tbb-team
#13543 Applications/Tor Browser Medium defect HTML5 media support may lead to OS fingerprinting tbb-team
#13575 Applications/Tor Browser Medium defect Disable randomised Firefox HTTP cache decay user test groups tbb-team
#14098 Applications/Tor Browser Medium defect TBB still doesn't round windows in some cases tbb-team
#14429 Applications/Tor Browser Medium defect Automated rounding of content window dimensions arthuredelstein
#15473 Applications/Tor Browser Medium defect JS Date object reveals OS type tbb-team
#15474 Applications/Tor Browser Medium defect Quantize innerWidth/Height when pages are zoomed tbb-team
#16110 Applications/Tor Browser Medium defect Improve Time Resolution Defense mikeperry
#16312 Applications/Tor Browser Medium defect Limit font queries per URL bar domain arthuredelstein
#16364 Applications/Tor Browser Medium defect Add an option to resize the browser window to the "safe default" tbb-team
#16456 Applications/Tor Browser Medium defect screen size fingerprint with findbar panel/bookmarks toolbar tbb-team
#16473 Applications/Tor Browser Medium task Investigate WebGL highp precision prevalence tbb-team
#16672 Applications/Tor Browser Medium defect Text rendering allows font fingerprinting arthuredelstein
#16678 Applications/Tor Browser Medium enhancement Enhance KeyboardEvent fingerprinting protection for unusual characters sysrqb
#16686 Applications/Tor Browser Medium defect Migrate all font fingerprinting patches to tor-browser.git arthuredelstein
#16724 Applications/Tor Browser Medium defect Tor Browser 5.0a4 crashes with fonts.conf file tbb-team
#16739 Applications/Tor Browser Medium enhancement Whitelist fonts by filename rather than font name tbb-team
#16740 Applications/Tor Browser Medium defect Font defense in 5.0a4 crashes OS X 10.6.8 tbb-team
#16757 Applications/Quality Assurance and Testing Medium defect Verify that new DOM properties are really disabled boklm
#17023 Applications/Tor Browser Medium defect Investigate fingerprinting of mouse/pointing events tbb-team
#17061 Applications/Tor Browser Medium defect Enforcement of browser window size breaks in xmonad tbb-team
#17355 Applications/Tor Browser Medium defect Investigate whether we should re-implement methods of JS Date to avoid fingerprinting tbb-team
#17412 Applications/Tor Browser Medium defect High-precision timestamps in JS tbb-team
#17431 Applications/Tor Browser Medium defect Investigate attacks in fingerprinting paper tbb-team
#17999 Applications/Tor Browser Medium defect Changed default GUI font might help fingerprinting JA Windows users tbb-team
#18097 Applications/Tor Browser Medium defect Font fingerprinting defenses roadmap (parent ticket) tbb-team
#18172 Applications/Tor Browser Medium defect Emoji support is broken in Tor Browser 5.5 tbb-team
#18205 Applications/Tor Browser Medium defect Restrict font whitelist patch to apply only to non-chrome contexts? tbb-team
#18273 Applications/Tor Browser Medium defect CSS animations provide high resolution timer tbb-team
#18283 Applications/Tor Browser Medium defect Usage of native GUI controls for web content rendering allows fingerprinting tbb-team
#18376 Applications/Tor Browser Medium defect Accessibility APIs in Firefox tbb-team
#18559 Applications/Tor Browser Medium defect Number of logical processors is detectable from web content tbb-team
#18560 Applications/Tor Browser Medium defect WEBGL_debug_renderer_info extension may leak information about graphics driver tbb-team
#18946 Applications/Tor Browser Medium defect Investigate fingerprinting potential of lack of H.264 support tbb-team
#19263 Applications/Tor Browser Medium defect Tor browser is not rounding the width correctly in tiling WMs tbb-team
#20025 Applications/Tor Browser Medium defect document.characterSet enables fingerprinting of localization (only with HSTS?) tbb-team
#20820 Applications/Tor Browser Medium enhancement Add font support for Shift-JIS tbb-team
#21233 Applications/Tor Browser Medium defect There is no warning when resizing the tor browser window from its edges tbb-team
#21331 Applications/Tor Browser Medium defect Incorrect default browser window size for ver6.5 on 1024 x 768 resolution screens. tbb-team
#21341 Applications/Tor Browser Medium defect Screen size not rounding if Windows not at default DPI_TBB 6.5 tbb-team
#21426 Applications/Tor Browser Medium enhancement Make sure keyup events don't leak underlying keyboard layout tbb-team
#21455 Applications/Tor Browser Medium defect Inconsistent New Window height on multiple monitors (Windows) tbb-team
#21945 Applications/Tor Browser Medium defect Fix initial window size on Linux tbb-team
#22070 Applications/Tor Browser Medium task Check whether we need to update our font whitelist for ESR52 tbb-team
#22125 Applications/Tor Browser Medium enhancement Unit test for js locale tbb-team
#22127 Applications/Tor Browser Medium enhancement Think about a more elaborate defense against fingerprinting with `hardwareConcurrency` tbb-team
#22130 Applications/Tor Browser Medium defect Use an "international" formatting for Dates etc, instead of US English locale tbb-team
#22333 Applications/Tor Browser Medium task Think about a way to restrict WebGL2 to a minimal mode tbb-team
#22548 Applications/Tor Browser Medium defect Firefox downgrades VP9 videos to VP8 when measured performance is not enough tbb-team
#22614 Applications/Tor Browser Medium defect Make e10s/non-e10s Tor Browsers indistinguishable tbb-team
#22756 Applications/Tor Browser Medium defect Only show Canvas fingerprinting prompt when there is a user interaction? tbb-team
#22757 Applications/Tor Browser Medium defect How fingerprintable is Canvas after font whitelisting is enforced? tbb-team
#22787 Applications/Tor Browser Medium defect Fontconfig warning: remove 'blank' configuration tbb-team
#22952 Applications/Tor Browser Medium defect Tor Browser Arabic Fonts Issue ! tbb-team
#23317 Applications/Tor Browser Medium defect Update font whitelists to reflect any changed Firefox default fonts tbb-team
#23550 Applications/Tor Browser Medium defect layout.css.devPixelsPerPx should be integer tbb-team
#23627 Applications/Tor Browser Medium defect Filter device power management keyboard events? tbb-team
#24383 Applications/Tor Browser Medium defect Window rounding is broken on Debian 9 live with mutter tbb-team
#24615 Applications/Tor Browser Medium enhancement Resize window in 50 pixel steps tbb-team
#22632 Applications/Tor Browser Low defect The scrollbar in TBB is enabled and disabled based on a setting in macOS system preferences tbb-team


Change History (11)

comment:1 Changed 5 years ago by gk

Cc: g.koppen@… added

Hmmm, I wonder how your list above fits to the Torbrowser design document. E.g.

"Design Goal: DOM storage for third party domains MUST be isolated to the url bar origin, to prevent linkability between sites."

But there is no such ticket mentioned in your description. My question probably boils down to whether disabling features counts as a solution. That does not seem to be the case as you explicitly mentioned the 3rd party cookie patch in the description while having 3rd party cookies disabled in the current bundles. Thus, I guess tickets for applying the double keying to DOM storage, SSL Session IDs (3.5.6)... are "just" missing...

comment:2 Changed 5 years ago by mikeperry

Yeah, there should be a ticket for DOM storage and other things that provide functionality to sites (hence I would call these 'major' bugs). We can live without things like SSL session IDs without much more than performance impact (hence I would call this 'normal').

Please feel free to file whatever tickets you notice are missing and tag them with tbb-linkability or tbb-fingerprinting and we'll prioritize them appropriately. I'll do one for DOM storage right now.

comment:3 Changed 5 years ago by mikeperry

Keywords: SponsorZ-large added; SponsorZ removed

comment:4 Changed 5 years ago by mikeperry

The same developer here could also work on items from #6548, but if the browser vendors entirely ignore privacy-by-design, this ticket will also need additional development assistance in the long run.

comment:5 Changed 5 years ago by mikeperry

Description: modified (diff)

comment:6 Changed 5 years ago by runa

Cc: runa added

comment:7 Changed 5 years ago by mikeperry

From the FTC's report on DNT, page 53 (PDF page 69):
http://www.ftc.gov/os/2012/03/120326privacyreport.pdf

"The Commission commends recent industry efforts to improve consumer control over behavioral tracking and looks forward to final implementation. As industry explores technical options and implements self-regulatory programs, and Congress examines Do Not Track, the Commission continues to believe that in order to be effective, any Do Not Track system should include five key principles:

First, a Do Not Track system should be implemented universally to cover all parties that would track consumers. Second, the choice mechanism should be easy to find, easy to understand, and easy to use. Third, any choices offered should be persistent and should not be overridden if, for example, consumers clear their cookies or update their browsers. Fourth, a Do Not Track system should be comprehensive, effective, and enforceable. It should opt consumers out of behavioral tracking through any means and not permit technical loopholes. Finally, an effective Do Not Track system should go beyond simply opting consumers out of receiving targeted advertisements; it should opt them out of collection of behavioral data for all purposes other than those that would be consistent with the context of the interaction (e.g., preventing click-fraud or collecting de-identified data for analytics purposes)."

While we don't meet all of those right now (we miss #2 due to tbb-usability bugs, and #3 due to our lack of updater, and #4 due to the above bugs in this ticket's description), there's no technical reason we couldn't meet them all. However, the task is impossible for the actual DNT:1 header. In particular, there's no way for DNT:1 to ever satisfy requirements #1 or #4 (and arguably even #5).

See also my submission to http://www.w3.org/2012/dnt-ws/papers.html at:
http://www.w3.org/2012/dnt-ws/position-papers/21.pdf

comment:8 Changed 3 years ago by erinn

Keywords: tbb-firefox-patch added

comment:9 Changed 3 years ago by erinn

Component: Firefox Patch Issues → Tor Browser
Owner: changed from mikeperry to tbb-team

comment:10 Changed 3 years ago by michael

Cc: michael added

comment:11 Changed 15 months ago by cass

Cc: cass added
Severity: Normal

This ticket is tagged SponsorZ, but it looks like progress stalled a while ago and its path forward is unclear. Is this still an open issue? Do we still want to seek funding for it?
