wiki:org/meetings/2018MexicoCity/Notes/IntegratingTorOtherBrowsers

browser Privacy Test:

Testing other browsers by specific privacy test make privacy across browser objective Every browser claims it's "good" about privacy, how do users compare them? browserprivacy.net -> browserprivacy.net/tests.html

  • Three categories of tests:
  • tor connectivity
  • cookies (super cookies)
  • Fingerprinting
  • This is very technical, provide a higher-level activist focused matrix
  • Currently run manually, running nightly build tests would be better
  • Can panopticlick use or benefit from this?
  • Feedback to OpenWPM?

Brave has a Private Tab that uses Tor

  • Began 1 year ago
  • Added "Private Tab with Tor"
  • Reduce fingerprinting
  • Disable leaky features (webrtc, etc)
  • Starts Tor when the first Private Tab with Tor is created
  • This tab tries to match most users expectations of a Private Tab
  • Make anonymous micropayments more profitable than website ads
  • In the future, add PT support
  • Possibly separate Tor support from Private Tabs (maybe use Tor support in normal tabs, too)

Cliqz:

  • Uses Firefox
  • Adds "Forget Mode", rather than Private Mode
  • Adds automatic Forget Mode if it decides a website should be opened in a forget mode
  • In the future, move services to onion services
  • Currently internal testing of beta version
  • Cliqz uses Firefox release rather than ESR (opens possible proxy-bypass)
  • Testing for proxy-bypass manually
  • Future PT support

When Tor Project are contacted about Tor support:

"Tor" means many different things

Browser, network, program, etc

Tor Browser is more than a browser that routes traffic over the Tor network

Fingerprinting protections, privacy protections, etc

If another browser integrates Tor, calling it "Tor Mode" would be misleading

"Onion mode" or "Private Tabs with Tor" are options

What features must a browser support before the Tor Project is comfortable with another browser having a "Tor Mode"?

We should use the Browser Privacy Tests

  • It's a starting point

EFF have a lot of history of browser fingerprinting from panopticlick Maybe panopticlick compares the browser against Tor Browser

Users can be fingerprinted by the version of their browser (UAS, available features, configurations, etc)

How can The Tor Project help the other browsers?

Automated tests, and check-list is very helpful for knowing what is needed/expected

What is changing between Tor Browser and FF Release/Nightly?

What should be communicated to the user about the Tor mode?

Onion UI should be similar/standardized across browsers

Brave fails hard .onion address resolution Cliqz uses the blockdotonion pref

Looking at browserleaks.com, too

Better explanation why someone should choose a browser with tor support vs. tor browser

Better explanation why Tor is different/better/worse than a VPN

Better documentation around this - FAQ? Training?

Last modified 2 months ago Last modified on Oct 2, 2018, 4:46:13 AM