[tor-commits] [tor-browser-spec/master] More comments from Georg Koppen.
mikeperry at torproject.org
mikeperry at torproject.org
Mon Apr 28 15:18:48 UTC 2014
commit 42773edf4493021f9c28e960479ad92d34d5759d
Author: Mike Perry <mikeperry-git at fscked.org>
Date: Fri Oct 7 13:23:41 2011 -0700
More comments from Georg Koppen.
---
docs/design/design.xml | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/docs/design/design.xml b/docs/design/design.xml
index cfb8a01..91b74a6 100644
--- a/docs/design/design.xml
+++ b/docs/design/design.xml
@@ -23,7 +23,7 @@
<address><email>sjmurdoch#torproject org</email></address>
</affiliation>
</author>
- <pubdate>Oct 6 2011</pubdate>
+ <pubdate>Oct 7 2011</pubdate>
</articleinfo>
<!--
@@ -403,14 +403,14 @@ store their browsing history information to disk.
</para></listitem>
<listitem><command>Application Data Isolation</command><para>
-The components involved in providing private browsing MUST BE self-contained,
+The components involved in providing private browsing MUST be self-contained,
or MUST provide a mechanism for rapid, complete removal of all evidence of the
use of the mode. In other words, the browser MUST NOT write or cause the
operating system to write <emphasis>any information</emphasis> about the use
of private browsing to disk outside of the application's control. The user
must be able to ensure that secure removal of the software is sufficient to
remove evidence of the use of the software. All exceptions and shortcomings
-due to operating system behavior MUST BE wiped by an uninstaller. However, due
+due to operating system behavior MUST be wiped by an uninstaller. However, due
to permissions issues with access to swap, implementations MAY choose to leave
it out of scope, and/or leave it to the user to implement encrypted swap.
@@ -438,7 +438,7 @@ the descriptions in the <link linkend="Implementation">implementation
section</link>, a <command>url bar origin</command> means at least the
second-level DNS name. For example, for mail.google.com, the origin would be
google.com. Implementations MAY, at their option, restrict the url bar origin
-to be the entire fully qualified domain name
+to be the entire fully qualified domain name.
</para>
@@ -468,7 +468,7 @@ linkability from fingerprinting browser behavior.
<listitem><command>Long-Term Unlinkability</command>
<para>
-The browser SHOULD provide an obvious, easy way to remove all of their
+The browser SHOULD provide an obvious, easy way to remove all of its
authentication tokens and browser state and obtain a fresh identity.
Additionally, the browser SHOULD clear linkable state by default automatically
upon browser restart, except at user option.
@@ -535,7 +535,7 @@ Therefore, if plugins are to be enabled in private browsing modes, they must
be restricted from running automatically on every page (via click-to-play
placeholders), and/or be sandboxed to restrict the types of system calls they
can execute. If the user decides to craft an exemption to allow a plugin to be
-used, it MUST ONLY apply to the top level url bar domain, and not to all sites,
+used, it MUST only apply to the top level url bar domain, and not to all sites,
to reduce linkability.
</para>
@@ -914,7 +914,7 @@ observer to modify it.
<listitem>DOM Storage
<para><command>Design Goal:</command>
-DOM storage for third party domains MUST BE isolated to the url bar origin,
+DOM storage for third party domains MUST be isolated to the url bar origin,
to prevent linkability between sites.
</para>
@@ -971,14 +971,16 @@ Identity</link>.
To prevent attacks aimed at subverting the Cross-Origin Identifier
Unlinkability <link linkend="privacy">privacy requirement</link>, the browser
-MUST prompt users before following redirects that would cause the user to
-automatically navigate between two different url bar origins.
+MUST prompt the user before following redirects that would cause the user to
+automatically navigate between two different url bar origins. The prompt
+SHOULD inform the user about the ability to use <link
+linkend="new-identity">New Identity</link> to clear the linked identifiers
+created by the redirect.
</para>
<para>
-However, to
-reduce the occurrence of warning fatigue, these warning messages MAY be limited
+To reduce the occurrence of warning fatigue, these warning messages MAY be limited
to automated redirect cycles only. For example, the automated redirect
sequence <command>User Click -> t.co -> bit.ly -> cnn.com</command> can be
assumed to be benign, but the redirect sequence <command>User Click -> t.co ->
@@ -1043,9 +1045,10 @@ appear, setting this preference prevents automatic linkability from stored passw
</listitem>
<listitem>HSTS supercookies
<para>
+
An extreme (but not impossible) attack to mount is the creation of <ulink
-url="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security">HSTS</ulink>
-supercookies. Since HSTS effectively stores one bit of information per domain
+url="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html">HSTS
+supercookies</ulink>. Since HSTS effectively stores one bit of information per domain
name, an adversary in possession of numerous domains can use them to construct
cookies based on stored HSTS state.
@@ -1053,9 +1056,10 @@ cookies based on stored HSTS state.
<para><command>Design Goal:</command>
There appears to be three options for us: 1. Disable HSTS entirely, and rely
-instead on HTTPS-Everywhere. 2. Restrict the number of HSTS-enabled third
-parties allowed per url bar origin. 3. Prevent third parties from storing HSTS
-rules. We have not yet decided upon the best approach.
+instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites. 2.
+Restrict the number of HSTS-enabled third parties allowed per url bar origin.
+3. Prevent third parties from storing HSTS rules. We have not yet decided upon
+the best approach.
</para>
<para><command>Implementation Status:</command> Currently, HSTS state is
More information about the tor-commits
mailing list