Date: Mon, 3 Nov 2014 15:05:22 -0800
From: Mike Perry <mikeperry@torproject.org>
To: tor-talk@lists.torproject.org
Message-ID: <20141103230522.GJ21428@torproject.org>
References: <CADw1SfEvdtayywkz3jo3gnFtDRqdwwtcV2+iRuBej4tH8h6Rqw@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CADw1SfEvdtayywkz3jo3gnFtDRqdwwtcV2+iRuBej4tH8h6Rqw@mail.gmail.com>
Subject: Re: [tor-talk] Krypton Anonymous: A Chromium Tor Browser

Cyrus Katrak:
> https://github.com/kr36/seaturtle
>
> At a high level:
> - Process per tab security model, with each tab owning its own in-memory
> state (cache, cookies, local storage, hsts db etc...).

We've been going for URL bar domain isolation in Tor Browser to avoid
divergence with how users expect the browser to behave:
https://www.torproject.org/projects/torbrowser/design/#philosophy
https://www.torproject.org/projects/torbrowser/design/#identifier-linkability

Even still, per-tab isolation is a common request, so it's easy to
assume that this is what most people really want. But I think if you
think through how it will work in practice, it becomes fairly clear it's
actually a very bad property for usability.

The easiest way to see how per-tab isolation will cause confusion is to
imagine the twitter use case. In a normal twitter user flow, the user
logs in to twitter, opens some lists and conversations (often in new
tabs), perhaps opens tweetdeck in a new tab, follows links from people
in their feed, and sends and receives twitter conversation links from
their friends over DM, chat, IRC, and email.

If each of these actions happens in a new, isolated tab, the user will be
forced to log in repeatedly to twitter, and worse, forget which tabs
they logged in to twitter on, especially once they start following links
(both on and off site) from people's feeds.

Is Tor Browser-style url bar domain isolation also possible to achieve
with simple configuration, or did you just go per-tab because the
Chromium plumbing was already set up to make per-tab isolation easy?

I see a cookie policy file that appears to block third party cookies,
but I don't see the per-tab isolation mechanism in the source.

> - Efficiently integrated HTTPS Everywhere rules.
> - Addresses some fingerprint-ability issues: Disabled geolocation, webgl,
> accelerated <canvas>, static user agent, etc.

Are these also simple prefs?

> - Single tap to start a bundled Tor binary, and properly configure the
> browser's proxy settings. Gave a fair amount of thought to UX and polish.

Do you interact with the Tor Control port at all here? Or do you just
re-write the torrc? Where is your tor handling located in the code?

> It's still early days, only builds for Android at the moment. Nobody has
> seriously reviewed the code or black box tested. Lots of fingerprint
> mitigation work still remains. Hoping to get feedback and suggestions for
> improvement, and help.

It looks like you've seen the Tor Browser design doc and the important
Chrome Bugs links, but I'd like to point these sections out again as
they have recently been updated:
https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs#ProxyBypassBugs
and
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

In particular, that fingerprinting section was just updated this past
weekend.

I also have an OpenWRT configuration I can give you to monitor for proxy
leaks on an upstream router, but you need to be able to configure Tor
Bridges to make use of it.

-- 
Mike Perry
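
Added example, not part of the original message and not code from Tor Browser or Krypton: a simplified JavaScript model of the Twitter flow described above, comparing a cookie store keyed per tab with one keyed by URL bar domain. The `CookieStore` class, the two-label `site()` shortcut and the hosts `news.example` and `platform.twitter.com` are constructed for illustration, and the model does not block third-party cookies.

```javascript
// Simplified model (constructed for illustration): a cookie store whose jar
// is chosen by an isolation key derived from the request context.
class CookieStore {
  constructor(keyFn) {
    this.keyFn = keyFn;     // maps a request context to a jar name
    this.jars = new Map();  // jar name -> Map(cookie site -> value)
  }
  jar(ctx) {
    const key = this.keyFn(ctx);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    return this.jars.get(key);
  }
  set(ctx, value) { this.jar(ctx).set(site(ctx.requestHost), value); }
  get(ctx) { return this.jar(ctx).get(site(ctx.requestHost)) ?? null; }
}

// Assumption: the registrable domain is the last two labels of the host.
// Real browsers consult the Public Suffix List instead.
function site(host) { return host.split(".").slice(-2).join("."); }

// The two isolation policies being compared.
const perTab = (ctx) => `tab:${ctx.tabId}`;
const perUrlBarDomain = (ctx) => `fp:${site(ctx.urlBarHost)}`;

function twitterFlow(keyFn) {
  const store = new CookieStore(keyFn);
  const req = (tabId, urlBarHost, requestHost) =>
    ({ tabId, urlBarHost, requestHost });
  // Tab 1: the user logs in to twitter.
  store.set(req(1, "twitter.com", "twitter.com"), "session=alice");
  return {
    // Tab 2: a conversation opened in a new tab.
    newTabSameSite: store.get(req(2, "twitter.com", "twitter.com")),
    // Tab 3: tweetdeck opened in a new tab.
    newTabTweetdeck:
      store.get(req(3, "tweetdeck.twitter.com", "tweetdeck.twitter.com")),
    // Tab 1 follows an off-site link; that page embeds a twitter widget.
    widgetAfterNavigation:
      store.get(req(1, "news.example", "platform.twitter.com")),
  };
}

console.log("per tab:           ", twitterFlow(perTab));
console.log("per URL bar domain:", twitterFlow(perUrlBarDomain));
```

In this model the per-tab store loses the login in every new tab yet still hands the session to the embedded widget after tab 1 navigates off site, while the URL bar domain store keeps the login across tabs and gives the widget an empty jar.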


