Changes between Initial Version and Version 1 of org/meetings/2018MexicoCity/Notes/SandboxedTorBrowser

Oct 1, 2018, 5:11:45 PM (9 months ago)

added notes


Tor Browser sandboxing and Tor launcher for all supported platforms

Facilitator: sysrqb

* Firefox is a huge, complicated codebase
* History has shown this means exploits can be targeted at Tor Browser
* There was a prototype, "Sandboxed Tor Browser"; time to revive it!

How Tor Browser is structured
* TorLauncher runs in Firefox, and TorLauncher launches tor
* That means exploits in Firefox could then reach tor itself

How Sandboxed Tor Browser is structured
* TorLauncher starts first, and it starts Firefox and tor separately
* Firefox is sandboxed and isolated from the system, with no direct internet access

Mozilla didn't like that design: too complicated, better handled by isolating components within Firefox itself.
Tor devs weren't entirely convinced by that argument; this might still be worth it.

The big downside is that only one set of sandboxing can apply at the OS level, so the Sandboxed Tor Browser setup would disable Firefox's own component sandboxing.

* Android is quite different, but a lot of this is already provided by running Tor and Firefox as separate apps
* UNIX domain sockets are considered network on Android, so removing the network permission from Firefox means it cannot communicate with tor
* The Android Binder interface and cross-process InputStreams might be possibilities

There isn't really anything we can see that would work on iOS.

X11 is a big problem here, but too big a problem for us to fix, so ignore it for now.

Flatpak provides good, transparent sandboxing; the Tor Browser design should work with Flatpak.

Tor Browser was using only a domain socket in alpha, but was switched back due to breakage. This is still a promising idea.
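The "domain socket only" design above is what lets a Firefox with no network access still reach tor: the SOCKS handshake runs over an AF_UNIX socket on the filesystem, which an outer sandbox can bind-mount into the browser's namespace while denying it any AF_INET socket. The following is an added example, not code from Tor Browser or tor itself: it performs a real SOCKS5 CONNECT over a UNIX domain socket against a small stand-in for tor's SocksPort that runs in a thread (the socket path, the hostname and the stand-in server are all constructed for the demo).

```python
"""Added example (not Tor Project code): a SOCKS5 CONNECT carried over a UNIX
domain socket, the transport a network-isolated Firefox would use to reach tor.
The server below is a minimal stand-in for tor's SocksPort, not tor."""
import os
import socket
import struct
import tempfile
import threading

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def recvn(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf


def fake_tor_socks_server(listener: socket.socket, seen: dict) -> None:
    """Stand-in for tor's SocksPort: no-auth handshake, then parse one CONNECT.
    Records what the client asked for so the demo can check it."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5)
        ver, nmethods = recvn(conn, 2)
        methods = recvn(conn, nmethods)
        if ver != SOCKS_VERSION or 0x00 not in methods:
            conn.sendall(bytes([SOCKS_VERSION, 0xFF]))  # no acceptable method
            return
        conn.sendall(bytes([SOCKS_VERSION, 0x00]))
        ver, cmd, _rsv, atyp = recvn(conn, 4)
        if atyp != ATYP_DOMAIN:  # this stand-in only handles hostnames (as Tor Browser sends)
            conn.sendall(bytes([SOCKS_VERSION, 0x08, 0x00, ATYP_IPV4]) + bytes(6))
            return
        (hlen,) = recvn(conn, 1)
        host = recvn(conn, hlen).decode("ascii")
        (port,) = struct.unpack("!H", recvn(conn, 2))
        seen.update(host=host, port=port, cmd=cmd)
        rep = 0x00 if cmd == CMD_CONNECT else 0x07  # 0x07: command not supported
        # Bound address is meaningless for a proxy; reply with 0.0.0.0:0.
        conn.sendall(bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0))


def socks5_connect_over_unix(sock_path: str, host: str, port: int) -> int:
    """Client side (the 'Firefox' role): connect to tor over AF_UNIX, not AF_INET,
    and request CONNECT host:port by name so DNS never leaves the sandbox.
    Returns the SOCKS reply code (0 = succeeded)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(sock_path)
        s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))  # offer one method: no auth
        ver, method = recvn(s, 2)
        if ver != SOCKS_VERSION or method != 0x00:
            raise ConnectionError("proxy refused no-auth")
        hostb = host.encode("ascii")
        req = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(hostb)]) + hostb
        s.sendall(req + struct.pack("!H", port))
        ver, rep, _rsv, atyp = recvn(s, 4)
        # Drain BND.ADDR/BND.PORT so the stream is positioned at the tunnelled data.
        if atyp == ATYP_IPV4:
            recvn(s, 4)
        elif atyp == ATYP_IPV6:
            recvn(s, 16)
        elif atyp == ATYP_DOMAIN:
            recvn(s, recvn(s, 1)[0])
        recvn(s, 2)
        return rep


def demo(host: str = "example.onion", port: int = 80) -> tuple:
    """Run the stand-in server on a socket in a temp dir and one client CONNECT.
    Returns (reply code, host the server saw, port the server saw)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tor-socks.sock")  # constructed path for the demo
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        listener.listen(1)
        seen: dict = {}
        t = threading.Thread(target=fake_tor_socks_server, args=(listener, seen))
        t.start()
        rep = socks5_connect_over_unix(path, host, port)
        t.join(5)
        listener.close()
        return rep, seen.get("host"), seen.get("port")


if __name__ == "__main__":
    print(demo())
```

Nothing in the client touches AF_INET, which is the property an outer sandbox (bubblewrap, Flatpak, a network namespace) can enforce: the browser process gets the socket file and nothing else. Note that this is exactly what breaks on Android, where the notes record that UNIX domain sockets are treated as network and the permission removal would cut this channel too.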
Could Tor Browser unpack Firefox each time it starts? No go on macOS or Android, but maybe on Windows and GNU/Linux.
This would help with the case where an exploit gains a write primitive: it can't convert write into execute by modifying Firefox's own files, because the next start uses a fresh copy.
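The "unpack on every start" idea only buys something if the copy being unpacked is itself trusted, so in practice it pairs with a hash manifest from the signed release. The following is an added example, not Tor Browser code: a launcher step that extracts a bundle into a fresh directory each run, refuses any member that is missing from, or differs from, the manifest, and then shows that a file patched by a "write primitive" in the previous run simply does not survive into the next one. The bundle contents, file names and the in-memory manifest are all constructed for the demo; a real launcher would ship the manifest with the release rather than compute it locally.

```python
"""Added example (not Tor Project code): extract a pristine browser bundle into a
fresh directory on every start and verify it against a manifest, so a write
primitive gained in one session cannot become code execution in the next."""
import hashlib
import io
import os
import shutil
import tarfile
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bundle_from_files(files: dict) -> bytes:
    """Build an in-memory tar.gz from {path: bytes}; stands in for the release archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name.endswith("/firefox") else 0o644
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest_for(files: dict) -> dict:
    """{path: sha256}. Assumption: in a real launcher this comes with the signed release."""
    return {name: sha256_hex(data) for name, data in files.items()}


def unpack_verified(tar_bytes: bytes, manifest: dict, parent: str) -> str:
    """Extract into a brand-new directory under parent, checking every regular file
    against the manifest. Any unknown, missing, non-regular or mismatching member
    aborts and the partial tree is removed. Returns the new directory."""
    dest = tempfile.mkdtemp(prefix="tb-run-", dir=parent)
    seen = set()
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
            for m in tf:
                if m.isdir():
                    continue
                if not m.isfile():
                    raise ValueError(f"refusing non-regular member {m.name!r}")
                if m.name.startswith("/") or ".." in m.name.split("/"):
                    raise ValueError(f"refusing unsafe path {m.name!r}")
                if m.name not in manifest:
                    raise ValueError(f"member not in manifest: {m.name!r}")
                data = tf.extractfile(m).read()
                if sha256_hex(data) != manifest[m.name]:
                    raise ValueError(f"hash mismatch for {m.name!r}")
                out = os.path.join(dest, m.name)
                os.makedirs(os.path.dirname(out), exist_ok=True)
                with open(out, "wb") as f:
                    f.write(data)
                # Read-only: the running browser has no business rewriting itself.
                os.chmod(out, 0o555 if m.mode & 0o111 else 0o444)
                seen.add(m.name)
        missing = set(manifest) - seen
        if missing:
            raise ValueError(f"bundle is missing {sorted(missing)}")
    except Exception:
        shutil.rmtree(dest, ignore_errors=True)
        raise
    return dest


def demo() -> dict:
    """Constructed scenario: one clean start, an 'exploit' patches the binary,
    the next start is clean again; a tampered bundle on disk is rejected outright."""
    files = {  # constructed stand-ins for the real files
        "firefox/firefox": b"#!/bin/sh\necho genuine firefox\n",
        "firefox/libxul.so": b"\x7fELF-not-really-a-library",
    }
    bundle = bundle_from_files(files)
    manifest = manifest_for(files)
    with tempfile.TemporaryDirectory() as parent:
        run1 = unpack_verified(bundle, manifest, parent)
        # Simulate a write primitive in session 1 patching the browser binary.
        patched = os.path.join(run1, "firefox/firefox")
        os.chmod(patched, 0o755)
        with open(patched, "wb") as f:
            f.write(b"#!/bin/sh\necho backdoor\n")
        # Session 2 unpacks afresh: the patched copy is never used.
        run2 = unpack_verified(bundle, manifest, parent)
        with open(os.path.join(run2, "firefox/firefox"), "rb") as f:
            fresh_copy_clean = f.read() == files["firefox/firefox"]
        # If the attacker instead reached the bundle itself, the manifest catches it.
        tampered = bundle_from_files({**files, "firefox/firefox": b"#!/bin/sh\necho backdoor\n"})
        try:
            unpack_verified(tampered, manifest, parent)
            tampered_bundle_rejected = False
        except ValueError:
            tampered_bundle_rejected = True
        return {
            "fresh_copy_clean": fresh_copy_clean,
            "tampered_bundle_rejected": tampered_bundle_rejected,
            "separate_dirs": run1 != run2,
        }


if __name__ == "__main__":
    print(demo())
```

The extraction-per-start step is the easy half; the point the notes make is that it is only useful where the platform lets the launcher drop the fresh tree somewhere the browser cannot later write to, which is why macOS (code-signed app bundles) and Android (APK install model) were ruled out and Windows and GNU/Linux left open.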