wiki:org/meetings/2018Rome/Notes/FusionProject

Fusion Project overview

Facilitator: Ethan Tseng

Tor Uplift project

  • Tor Browser based on Firefox ESR, plus a lot of patches. Takes a lot of time to rebase patches.
  • Mission was to reduce their efforts. Mozilla started bringing Tor Browser patches into Firefox.
  • Successful new features in Tor Browser/Firefox in the last 1.5 years: First-party isolation, and fingerprinting resistance.

First Party Isolation, off by default in Firefox. Fingerprinting resistance issue, breaks some websites.

Fusion Project goals

  • Fingerprinting resistance, make more user friendly and reduce web breakage
  • Implement proxy bypass framework
  • Figure out the best way to integrate Tor proxy into Firefox
  • Real private browsing mode in Firefox: Will turn on First Party Isolation, Fingerprinting Resistance, and Tor proxy

---> Real private browsing mode is basically Tor Browser, but inside Firefox.

Things that Tor Browser has that Firefox private browsing mode won't:

  • Security slider
  • Circuit display
  • HTTPS Everywhere, NoScript
  • Tor Launcher
  • Pluggable transports
  • Misc. other things

What features of Tor will Firefox's implementation include? Don't have a firm plan. Will probably want to implement most of Tor, but latest versions of protocols (v3 onion services, etc.).

Scalable is a huge concern of Mozilla's, since there will be way more Tor users using Mozilla's implementation. No firm solution, maybe Mozilla donating to nonprofits that run relays.

How many more "super private browsing mode" Firefox users will there be? Potentially hundreds of millions of daily users.

Potential for sharing Tor client implementation code between tor and Firefox.

Mozilla wants to standardize the spec for the Tor client, open documentation. Benefits: other people looking at your protocol; wider friendlier IPR policies for people implementing the protocol.

Mozilla will write protocol conformance tests.

tor-dev mailing list would be good place for Mozilla to communicate with Tor about the work. Tor client implementation, Mozilla will probably mainly interact with networking team, and for browser implementation mainly interact with browser team. Might want to talk to Tor metrics team.

Private telemetry, how will Firefox do it? Firefox's problem with fingerprintability is website breakage, balancing with usability.

Fusion Project is basically an experiment right now, extra important to ensure that it works well, doesn't harm usability, to convince people late on to ship it within Firefox. But reassure: Fusion has support at the Director and CTO level, this is a feature Mozilla's competitors won't implement.

Ultimate eventual goal: Make Tor Browser obsolete, so Tor Project can focus on research instead of maintaining a fork of Firefox.

Whether there will be two private browsing modes is to be determined.

Not decided yet if tor client will be a separate process or integrated as library. Want the private browsing renderer to be a separate process to isolate itself from non-private renderers.

Mozilla is doing user studies on fingerprintability, hopefully to see if they can include fingerprint resistance in standard Firefox.

Reference: https://wiki.mozilla.org/Security/Fusion

Last modified 3 months ago Last modified on Mar 12, 2018, 9:01:29 PM