[tor-bugs] #10400 [TorBrowserButton]: Provide "New Identity" option that uses session restore
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Dec 23 10:36:42 UTC 2013
#10400: Provide "New Identity" option that uses session restore
----------------------------------+---------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: new
Priority: major | Milestone:
Component: TorBrowserButton | Version:
Resolution: | Keywords: tbb-usability, tbb-newnym
Actual Points: | Parent ID:
Points: |
----------------------------------+---------------------------------------
Comment (by gk):
Replying to [comment:7 mikeperry]:
> Replying to [comment:4 gk]:
> > Replying to [comment:3 gk]:
> > > Replying to [ticket:10400 mikeperry]:
> > > > People routinely request a New Identity option that doesn't close
all of their tabs. Unfortunately, this is not really possible to implement
while still clearing all of the tracking-related browser state.
> > >
> > > What blockers do you have in mind if one tries to take that road?
> >
> > After thinking a while about it I suppose I should be more precise
with my question: What issues do you have in mind that are solvable by the
session restore approach but not by leaving tabs open after clearing
tracking-related browser state?
>
> The session restore approach defends against invisible tracking. If we
left tabs live and fully open while clearing the cache, cookies, HTTP
auth, etc, then javascript and other dynamic elements (CSS) are still
present and still have access to any dynamically generated identifiers,
and these identifiers will easily find their way back into the cache, and
have a number of other vectors to embed persistent tracking identifiers
that are invisible to the user.
Indeed. What I had in mind was something which avoids that but keeps the
tabs with the visited domains/web pages open (or better: reloads them?)
(without any identifiers in them). The user would then be kicked out of,
say, a forum but would not loose the tab with the landing page loaded or
the news in another one. Not sure if that is even more confusing to users
though (they might ask "Hey, why am I not logged into Google anymore but
still on its webpage??") but it sounds reasonable to me as "New Identity"
means you can't be logged into a forum anymore after clicking on that
button but should not have a huge impact on your open news sites.
> In theory, adversaries could encode identifiers in the first party urls
stored in the session store. However, if we only allow url bar urls to be
stored (and no cache, DOM storage, etc), then such tracking is at least
limited to what is visible, and only to first party tracking (and
hopefully that will be rare, due to its visibility and cumbersome nature).
Hmm... I am not happy with that. The spec says "All linkable identifiers
and browser state MUST be cleared by this feature." Implementing what you
have in mind would be a regression in this regard, then, compared to
today. While the spec could be changed to something less strict I'd be
especially cautious here as this feature is necessary to avoid tracking
which is usually hard to avoid. What about the idea above (regardless
whether it is implemented via session restore or something like "keep the
tabs open but reload the web pages without identifiers in them")?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10400#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list