Changes between Initial Version and Version 1 of org/meetings/2018MexicoCity/Notes/SandboxedTorBrowser


Timestamp: Oct 1, 2018, 5:11:45 PM
Author: eighthave
Comment: added notes

Tor Browser sandboxing and Tor launcher for all supported platforms

Facilitator: sysrqb

* Firefox is a huge, complicated codebase
* history has shown this means exploits can be targeted at Tor Browser
* there was a prototype, "Sandboxed Tor Browser", time to revive it!

    https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux
     10
     11
How Tor Browser is structured
* TorLauncher runs inside Firefox, and TorLauncher launches tor
* That means an exploit in Firefox could then reach tor itself
     15
How Sandboxed Tor Browser is structured
* TorLauncher starts first, then starts Firefox and tor as separate processes
* Firefox is sandboxed and isolated from the system, with no direct internet access
     19
Mozilla didn't like that design: too complicated, and better handled by isolating components within Firefox itself
Tor devs weren't entirely convinced that this would still be worth it

The big downside is that only one set of sandboxing can apply at the OS level, so the Sandboxed Tor Browser setup would disable the Firefox component sandboxing.
     24
* Android is quite different, but a lot of this is already provided by running Tor and Firefox as separate apps
* UNIX domain sockets count as network access there, so removing the network permission from Firefox means it cannot communicate with tor
* The Android Binder interface and cross-process InputStreams might be possibilities
     28
There isn't really anything we can see that would work on iOS.

X11 is a big problem here, but too big a problem for us to fix, so ignore it for now

Flatpak provides good, transparent sandboxing; the Tor Browser design should work with Flatpak

Tor Browser was using only a domain socket in alpha, but was switched back due to breakage. This is still a promising idea.
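The process layout described under "How Sandboxed Tor Browser is structured", combined with the domain-socket idea above, sketched as an added example. This is not Tor Project code or the prototype's code: it assumes bubblewrap (bwrap) is installed, the tor and firefox paths are placeholders, and that Firefox accepts a file:// path in network.proxy.socks (the assumption behind running with only a domain socket). The launcher starts tor outside the sandbox, then runs Firefox under bwrap with --unshare-net, so the only way out of the browser is tor's SOCKS socket bind-mounted into it.

```python
import os
import subprocess
import tempfile

# Placeholder bundle locations (assumptions for the example, not paths from the notes).
TOR_BIN = "/opt/tor-browser/TorBrowser/Tor/tor"
FIREFOX_BIN = "/opt/tor-browser/Browser/firefox"


def write_user_js(profile_dir, socks_socket):
    """Point Firefox at tor over a UNIX domain socket and at no IP proxy at all.
    Assumes Firefox accepts a file:// path in network.proxy.socks."""
    prefs = [
        ("network.proxy.type", "1"),
        ("network.proxy.socks", '"file://%s"' % socks_socket),
        ("network.proxy.socks_remote_dns", "true"),   # DNS goes through tor too
        ("network.proxy.no_proxies_on", '""'),
    ]
    os.makedirs(profile_dir, exist_ok=True)
    path = os.path.join(profile_dir, "user.js")
    with open(path, "w") as fh:
        for key, val in prefs:
            fh.write('user_pref("%s", %s);\n' % (key, val))
    return path


def tor_argv(data_dir, socks_socket):
    """tor is started by the launcher, not by code inside Firefox, and listens
    only on a UNIX socket; there is no TCP SocksPort to find."""
    return [TOR_BIN,
            "--DataDirectory", data_dir,
            "--SocksPort", "unix:" + socks_socket,
            "--ControlSocket", os.path.join(data_dir, "control.sock")]


def firefox_argv(profile_dir, socks_dir, firefox_bin=FIREFOX_BIN):
    """bwrap command line for Firefox.  --unshare-net gives it an empty network
    namespace, so the tor socket bound in below is its only route out."""
    bundle_dir = os.path.dirname(firefox_bin)
    return [
        "bwrap",
        "--unshare-user", "--unshare-pid", "--unshare-ipc", "--unshare-uts",
        "--unshare-net",
        "--die-with-parent", "--new-session",
        "--ro-bind", "/usr", "/usr",
        "--symlink", "usr/lib", "/lib", "--symlink", "usr/lib64", "/lib64",
        "--symlink", "usr/bin", "/bin",
        "--ro-bind", "/etc/fonts", "/etc/fonts",
        "--dev", "/dev",
        "--proc", "/proc",
        "--tmpfs", "/tmp",
        # X11 stays reachable: the hole the notes say is too big to fix for now.
        "--ro-bind", "/tmp/.X11-unix", "/tmp/.X11-unix",
        "--ro-bind", bundle_dir, bundle_dir,   # Firefox binaries are read-only
        "--bind", profile_dir, profile_dir,    # the only writable state
        "--bind", socks_dir, socks_dir,        # tor's socket, nothing else of tor's
        firefox_bin, "--no-remote", "--profile", profile_dir,
    ]


def launch(profile_dir=None, dry_run=True):
    """Start tor first, then Firefox in its sandbox.  With dry_run the argv
    lists are built and returned without running anything."""
    work = tempfile.mkdtemp(prefix="sandboxed-tb-")
    socks_dir = os.path.join(work, "tor-sockets")
    os.makedirs(socks_dir)
    socks_socket = os.path.join(socks_dir, "socks.sock")
    data_dir = os.path.join(work, "tor-data")   # tor's state stays outside the sandbox
    os.makedirs(data_dir, mode=0o700)
    if profile_dir is None:
        profile_dir = os.path.join(work, "profile")
    user_js = write_user_js(profile_dir, socks_socket)
    tor = tor_argv(data_dir, socks_socket)
    firefox = firefox_argv(profile_dir, socks_dir)
    procs = []
    if not dry_run:
        procs.append(subprocess.Popen(tor))
        procs.append(subprocess.Popen(firefox))
    return {"tor": tor, "firefox": firefox, "user_js": user_js, "processes": procs}


if __name__ == "__main__":
    for part in launch().values():
        print(part)
```

Only the directory holding tor's socket is shared into the sandbox, not tor's data directory or control socket, so a compromised Firefox cannot reach tor's state even though it can still make SOCKS requests.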
     36
Could Tor Browser unpack Firefox each time it starts? No go on macOS or Android, but maybe on Windows and GNU/Linux.
This would help remove the issue where an exploit that gets write access converts it into code execution by writing to Firefox's files.
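The unpack-on-every-start idea, as an added example that is not Tor Project code: a launcher keeps Firefox only as a hash-pinned archive, refuses to run if the archive does not match, and extracts it into a brand-new directory on each start, so files an exploit modified during the previous session are simply discarded. The bundle contents and the pinned hash are constructed stand-ins; a real launcher would pin the hash at install time and keep the archive somewhere the browser cannot write.

```python
import hashlib
import io
import os
import shutil
import tarfile
import tempfile


def make_constructed_bundle():
    """Stand-in for the shipped Firefox bundle: a small tar with two files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("Browser/firefox", b"#!/bin/sh\necho firefox\n"),
                           ("Browser/omni.ja", b"pristine omni.ja contents\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name.endswith("firefox") else 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class FreshUnpackLauncher:
    def __init__(self, bundle, expected_sha256):
        self.bundle = bundle            # read-only archive, outside any writable path
        self.expected = expected_sha256  # pinned when the bundle was installed
        self.install_dir = None

    def start(self):
        # 1. Verify the archive before touching it; a modified archive is refused.
        if sha256(self.bundle) != self.expected:
            raise RuntimeError("bundle hash mismatch: refusing to launch")
        # 2. Throw away whatever the previous session left behind.
        if self.install_dir and os.path.isdir(self.install_dir):
            shutil.rmtree(self.install_dir)
        # 3. Unpack into a brand-new directory, accepting only plain files
        #    with relative, non-traversing names.
        self.install_dir = tempfile.mkdtemp(prefix="tb-run-")
        extract_kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        with tarfile.open(fileobj=io.BytesIO(self.bundle), mode="r") as tar:
            for member in tar.getmembers():
                parts = member.name.split("/")
                if not member.isfile() or member.name.startswith("/") or ".." in parts:
                    raise RuntimeError("rejecting archive member %r" % member.name)
                tar.extract(member, self.install_dir, **extract_kw)
        return self.install_dir

    def file_hashes(self):
        """Hash of every file in the current unpacked tree, by relative path."""
        out = {}
        for root, _, files in os.walk(self.install_dir):
            for name in files:
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    out[os.path.relpath(path, self.install_dir)] = sha256(fh.read())
        return out


def simulate_exploit_write(install_dir):
    """Models the 'exploit gets write' case: a compromised browser appends a
    payload to one of Firefox's own files.  On a persistent install that file
    would be loaded again at the next start."""
    with open(os.path.join(install_dir, "Browser", "omni.ja"), "ab") as fh:
        fh.write(b"<<attacker payload>>\n")


def demo():
    """Returns True if the tampering from one session does not survive a restart."""
    bundle = make_constructed_bundle()
    launcher = FreshUnpackLauncher(bundle, sha256(bundle))
    first = launcher.start()
    pristine = launcher.file_hashes()
    simulate_exploit_write(first)
    tampered = launcher.file_hashes() != pristine     # the write landed
    second = launcher.start()                         # next start: fresh unpack
    return tampered and second != first and launcher.file_hashes() == pristine


def refuses_tampered_bundle():
    """Returns True if an archive that no longer matches the pinned hash is refused."""
    bundle = make_constructed_bundle()
    launcher = FreshUnpackLauncher(bundle + b"\0", sha256(bundle))
    try:
        launcher.start()
    except RuntimeError:
        return True
    return False
```

The hash check closes the obvious gap in the scheme: re-unpacking only helps if the thing being unpacked is itself out of reach of the exploit, which is why the archive and its expected hash have to live outside anything the sandboxed browser can write.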