[tor-talk] Krypton Anonymous: A Chromium Tor Browser

Mike Perry mikeperry at torproject.org
Mon Nov 3 23:05:22 UTC 2014


Cyrus Katrak:
> https://github.com/kr36/seaturtle
> 
> At a high level:
> - Process per tab security model, with each tab owning its own in-memory
> state (cache, cookies, local storage, hsts db etc...).

We've been going for URL bar domain isolation in Tor Browser to avoid
divergence with how users expect the browser to behave:
https://www.torproject.org/projects/torbrowser/design/#philosophy
https://www.torproject.org/projects/torbrowser/design/#identifier-linkability

Even still, per-tab isolation is a common request, so it's easy to
assume that this is what most people really want. But I think if you
think through how it will work in practice, it becomes fairly clear it's
actually a very bad property for usability.

The easiest way to see how per-tab isolation will cause confusion is to
imagine the twitter use case. In a normal twitter user flow, the user
logs in to twitter, opens some lists and conversations (often in new
tabs), perhaps opens tweetdeck in a new tab, follows links from people
in their feed, and sends and receives twitter conversation links from
their friends over DM, chat, IRC, and email. 

If each of these actions happens in a new, isolated tab, the user will be
forced to log in repeatedly to twitter, and worse, forget which tabs
they logged in to twitter on, especially once they start following links
(both on and off site) from people's feeds.

Is Tor Browser-style URL bar domain isolation also possible to achieve
with simple configuration, or did you just go per-tab because the
Chromium plumbing was already set up to make per-tab isolation easy?

I see a cookie policy file that appears to block third party cookies,
but I don't see the per-tab isolation mechanism in the source.

> - Efficiently integrated HTTPS Everywhere rules.
> - Addresses some fingerprint-ability issues: Disabled geolocation, webgl,
> accelerated <canvas>, static user agent, etc.

Are these also simple prefs?

> - Single tap to start a bundled Tor binary, and properly configure the
> browser's proxy settings. Gave a fair amount of thought to UX and polish.

Do you interact with the Tor Control port at all here? Or do you just
re-write the torrc? Where is your tor handling located in the code?

> It's still early days, only builds for Android at the moment. Nobody has
> seriously reviewed the code or black box tested. Lots of fingerprint
> mitigation work still remains. Hoping to get feedback and suggestions for
> improvement, and help.

It looks like you've seen the Tor Browser design doc and the important
Chrome Bugs links, but I'd like to point these sections out again as
they have recently been updated:
https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs#ProxyBypassBugs
and
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

In particular, that fingerprinting section was just updated this past
weekend.

I also have an OpenWRT configuration I can give you to monitor for proxy
leaks on an upstream router, but you need to be able to configure Tor
Bridges to make use of it.

-- 
Mike Perry
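
The two isolation keys discussed in this message, modelled as an added example (not code from Tor Browser, Krypton or either author): state jars keyed by tab versus by URL bar domain, run over the Twitter flow described above. It goes one step beyond the message by also checking whether a third party embedded on two sites visited in one tab reads back the same identifier. The `Browser` class, the hosts and the two-label first-party rule are assumptions, and the model allows third-party state, which a cookie policy that blocks it would prevent.

```javascript
// Toy model. Assumption: first-party domain = last two host labels; a real
// browser would consult the Public Suffix List.
function firstParty(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

class Browser {
  constructor(policy) {
    this.policy = policy;  // 'tab' or 'urlbar'
    this.jars = new Map(); // isolation key -> Map(host -> identifier)
    this.logins = 0;
  }
  // Load topUrl in tab `tab`; returns the identifier each embedded host reads.
  load(tab, topUrl, { needsLogin = false, embeds = [] } = {}) {
    const site = firstParty(topUrl);
    const key = this.policy === 'tab' ? `tab:${tab}` : `site:${site}`;
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    const jar = this.jars.get(key);
    if (needsLogin && !jar.has(site)) { // no session in this jar yet
      jar.set(site, 'session');
      this.logins++;
    }
    const seen = {};
    for (const host of embeds) {
      if (!jar.has(host)) jar.set(host, `${host}#${key}`);
      seen[host] = jar.get(host);
    }
    return seen;
  }
}

// Constructed flow from the message: four Twitter pages, each in a new tab.
function twitterLogins(policy) {
  const b = new Browser(policy);
  ['https://twitter.com/', 'https://twitter.com/i/lists',
   'https://tweetdeck.twitter.com/', 'https://twitter.com/a/status/1']
    .forEach((url, tab) => b.load(tab, url, { needsLogin: true }));
  return b.logins;
}

// One tab visits two unrelated sites embedding the same third party
// (hypothetical hosts). True if it reads the same identifier on both.
function linkedAcrossSites(policy) {
  const b = new Browser(policy);
  const host = 'cdn.tracker.example';
  const ids = ['https://news.example/', 'https://shop.example/']
    .map((url) => b.load(0, url, { embeds: [host] })[host]);
  return ids[0] === ids[1];
}
```

In this model per-tab isolation needs a login in every new tab, while URL bar domain isolation needs one; within a single tab, only the URL bar key keeps the third party's identifiers separate across the two sites.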