Hey everyone,

As I mentioned in the "Isolating sites from one another and dealing with
multiple online identities" thread[1], the Tor Browser team is currently
trying to decide how to best prepare our patches to support a Tor Mode
in normal Firefox while still supporting our Tor Browser userbase in the
meantime, and without overwhelming engineering effort on our side.

On our own mailing list, we're discussing how we think our privacy
options should be presented[2,3]. While the upstream Firefox UI/UX
aspects of a Tor mode feature may be premature to specify in a
fine-grained manner at this time, we do feel it is important to have our
target operation mode specified at least to the degree where we can
decide if it should be based on a pref, or channel attribute, or
AppId/Container isolation, so we can decide what governs when our
tracking prevention properties are enabled.

The benefit of having a pref or a few prefs is that implementation is
simple, and easy to deploy for Tor Browser. This is the approach we've
taken to date, and this approach is also consistent with the recent UI/UX
discussion that I linked to on our mailing list.

The downside of the pref approach is that for stock Firefox, it will be
difficult to provide users with a concurrent Tor Mode window that
supports Tor in a way that is consistent with our notions of tracking
prevention. Basically, a pref-based approach means that users will have
to enable Tor mode independent of their tracking prevention choices, and
that their tracking prevention choices will need to apply to both
Tor-enabled windows and non-Tor windows, which may be undesirable for
many users.

The preference approach really starts to show its limitations when you
consider that for Tor windows, the user will want prefs like
'media.peerconnection.enabled' turned off to prevent proxy bypass. This
means that WebRTC calls will then fail for non-Tor windows, or the user
will be exposed to deanonymization in Tor Mode windows[4].

Does anyone on the Mozilla side have any strong opinions about this? The
recent isolation thread made me wonder if there are other new isolation
mechanisms that we should be leveraging too, or if we should be more
actively involved in future isolation and identity management
discussions.

1. https://groups.google.com/d/msg/mozilla.dev.privacy/XQza_CmYDr4/7hemg2vtyUYJ
2. https://lists.torproject.org/pipermail/tbb-dev/2015-January/000217.html
3. https://lists.torproject.org/pipermail/tbb-dev/2015-January/000219.html
4. https://diafygi.github.io/webrtc-ips/

--
Mike Perry