[tor-bugs] #22089 [Applications/Tor Browser]: Add Decentraleyes to slighten off a bit Exit traffic and work around some CDNs blocking of Tor
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jun 30 22:09:22 UTC 2018
#22089: Add Decentraleyes to slighten off a bit Exit traffic and work around some CDNs blocking of Tor
-------------------------------------------------+-------------------------
 Reporter:   imageverif                           |  Owner:          tbb-team
 Type:       enhancement                          |  Status:         needs_review
 Priority:   Medium                               |  Milestone:
 Component:  Applications/Tor Browser             |  Version:
 Severity:   Normal                               |  Resolution:
 Keywords:   tbb-usability-website,               |  Actual Points:
             tbb-performance                      |
 Parent ID:                                       |  Points:
 Reviewer:                                        |  Sponsor:
-------------------------------------------------+-------------------------
Comment (by cypherpunks):
> analyze the proposed privacy, security, and performance gains adding
> $extension to Tor Browser, especially compared to the privacy, security,
> etc. means Tor Browser *already* offers. Please, include the downsides of
> adding $extension to the browser as well (our design document might help).
gk will take some time before adding that into the TB design document so
I'll go ahead now:
---------
# Compatibility
The proposed extension is a WebExtension that is compatible with the FF60
ESR release.
# Gains
## Privacy gains
There are no crucial privacy gains compared to what the Tor Browser
already offers.
## Security gains
Since the proposed extension will fetch libraries locally, this helps in
rare cases in which CDN providers are hacked and used to serve
malicious/junk/cryptojacking code (see [1] for a recent example that
doesn't apply in this case, but just to illustrate the point).
Some CDN endpoints don't support HTTPS[2], and some website operators use
them. With the proposed extension this problem will be addressed since the
fetch won't happen and libraries will be served locally.
## Performance gains
Since the proposed extension will fetch libraries locally, this will help
significantly in load time to fetch said libraries from the known CDN
endpoints, especially on mobile devices with TBA.
This performance gain will apply to the Tor network itself, though it will
be very small and limited.
## Usability gains
Some CDN endpoints block Tor exit nodes; with this extension this problem
can be solved since the resources will be fetched locally.
-------
# Downsides
## Usability downsides
Some redirects by the proposed extension fail when a website assigns the
"crossorigin" attribute to a script element that references an injectable
resource. The relevant issue is not fixed on FF60, but has received a
design approval from Mozilla developers.[3][4] That said, the extension has
a whitelist of such domains to prevent the said issue from occurring in
the first place,[5] and there are proposed methods to detect sufficiently
enough of these domains.[6] The developer of the extension further adds:
> The plan is to completely get rid of the list of tainted domains. That
> said, since older versions of Firefox will not magically disappear, and
> vendors of other web browsers might not approve the necessary API changes,
> being able to detect tainted domains will likely stay relevant.[6]
## Security downsides
There are no known security downsides.
## Performance downsides
There are no known performance downsides.
Moreover, there is no significant memory footprint since only a list of
dozens of URLs[5][7] is cached, unlike HTTPS Everywhere for instance.
## Privacy downsides
Decentraleyes usage may be detected with JS but that will be harmless if
everyone already has it, so no privacy concerns to note.
----------
[1] : https://scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri/
[2] : Such as https://git.synz.io/Synzvato/decentraleyes/blob/master/core/mappings.js#L268
[3] : https://git.synz.io/Synzvato/decentraleyes/issues/16#note_3620
[4] : https://bugzilla.mozilla.org/show_bug.cgi?id=1419459
[5] : https://git.synz.io/Synzvato/decentraleyes/blob/master/core/interceptor.js#L53
[6] : https://git.synz.io/Synzvato/decentraleyes/issues/294
[7] : https://git.synz.io/Synzvato/decentraleyes/blob/master/core/mappings.js
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22089#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
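
Added example, not part of the original comment and not Decentraleyes source code: a sketch of the decision the comment describes, in which a request to a known CDN is answered from a bundled copy (including when the CDN endpoint is plain HTTP) unless the page's domain is on the tainted list because of the "crossorigin" issue. The host names, paths, bundle list, and the names `decide`, `CDN_RULES`, `BUNDLED` and `TAINTED_DOMAINS` are constructed for illustration.

```javascript
// Illustration only: not Decentraleyes code. Hosts, paths and bundle names are constructed.
const CDN_RULES = new Map([
  ['cdn.example', /^\/ajax\/libs\/(jquery)\/(\d+\.\d+\.\d+)\/jquery(?:\.min)?\.js$/],
  // Assumed HTTP-only endpoint, standing in for the kind referenced in [2].
  ['plain-http-cdn.example', /^\/(angular)\/(\d+\.\d+\.\d+)\/angular(?:\.min)?\.js$/],
]);

// Files shipped inside the extension package (assumed layout).
const BUNDLED = new Set([
  'resources/jquery/3.2.1/jquery.min.js',
  'resources/angular/1.6.5/angular.min.js',
]);

// Sites whose <script crossorigin> elements break when redirected, so they are skipped.
const TAINTED_DOMAINS = new Set(['crossorigin-site.example']);

function decide(requestUrl, tabUrl) {
  const req = new URL(requestUrl);
  const rule = CDN_RULES.get(req.hostname);
  if (!rule) return { action: 'pass', reason: 'not-a-known-cdn' };

  if (TAINTED_DOMAINS.has(new URL(tabUrl).hostname)) {
    return { action: 'pass', reason: 'tainted-domain' };
  }

  const m = rule.exec(req.pathname);
  if (!m) return { action: 'pass', reason: 'no-mapping' };

  const local = `resources/${m[1]}/${m[2]}/${m[1]}.min.js`;
  if (!BUNDLED.has(local)) return { action: 'pass', reason: 'version-not-bundled' };

  // In a WebExtension this result would become
  // { redirectUrl: browser.runtime.getURL(local) } returned from a blocking
  // webRequest.onBeforeRequest listener, so no request leaves the browser.
  return { action: 'serve-local', local, avoidedPlaintext: req.protocol === 'http:' };
}

// Constructed sample requests: [requested URL, URL of the page making the request].
const samples = [
  ['https://cdn.example/ajax/libs/jquery/3.2.1/jquery.min.js', 'https://news.example/'],
  ['http://plain-http-cdn.example/angular/1.6.5/angular.js', 'https://shop.example/'],
  ['https://cdn.example/ajax/libs/jquery/3.2.1/jquery.min.js', 'https://crossorigin-site.example/'],
  ['https://cdn.example/ajax/libs/jquery/9.9.9/jquery.min.js', 'https://news.example/'],
];
for (const [url, tab] of samples) {
  console.log(url, 'on', tab, '->', JSON.stringify(decide(url, tab)));
}
```

Every `pass` result still goes out over the network, so the security and exit-traffic gains described in the comment apply only to requests that end in `serve-local`.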