Designing a browser for privacy
The Tor Browser is designed to allow users to surf the web and enjoy a Private Browsing Mode that defends against both network and local forensic adversaries.
There are two main categories of requirements in the Tor Browser design:
- Security Requirements,
- and Privacy Requirements.
Security Requirements are the minimum properties in order for a browser to be able to support Tor and similar privacy proxies safely. Privacy requirements are primarily concerned with reducing the possibility that a user's activity on one site can be linked with their activity on another site without their knowledge or explicit consent .
Tor Browser is also designed with a number of philosophical positions about web technology. These are:
Preserve the existing way that the user expects to use a browser.
Restrict plugins since the activities of closed-source plugins are very difficult to audit and control.
Minimize Global Privacy Options, since each option that detectably alters browser behavior can be used as a fingerprinting tool. For the same reasons all extensions should be disabled in the mode except as an opt-in basis.
Avoid the use site-specific or filter-based addons such as AdBlock Plus, Request Policy, Ghostery, Priv3, and Sharemenot.
Stay Current with the support of new web technologies.
The Tor Browser is based on Mozilla's Extended Support Release - ESR - Firefox branch
A Tor browser adversary will has a set of goals, capabilities, and attack types. These are listed considering the design requirements have been enumerated above.
Compromising and bypassing of Tor, causing the user to directly connect to an IP of the adversary's choosing.
Being able to query a user's history to see if they have issued certain censored search queries, or visited censored sites.
Correlate activity across multiple sites
Fingerprinting/anonymity set reduction
History records and other on-disk information
Capabilities - Positioning
The adversary can position themselves at a number of different locations:
The adversary can run exit nodes or control routers upstream of exit nodes.
The adversary can run websites or adcquire ad space from a number of different ad servers and inject content that way.
The adversary can also inject malicious content at the user's upstream router when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor activity. At this position the adversary might try to block Tor or recognize Tor activity via fingerprinting of the traffic generated by secific sites or services.
Some users face adversaries with physical access to their devices. Users in Internet cafes, for example, face such a threat.
Capabilities - Attacks
The adversaty can finally implement a number of attacks.
Read and insert identifiers for the purposes of tracking users. These identifiers are most obviously cookies, but also include HTTP auth, DOM storage, cached scripts and other elements with embedded identifiers, client certificates, and even TLS Session IDs.
Fingerprint users based on browser attributes. These include:
- User agent, Accept-* headers, pipeline usage, and request ordering.
- The use of custom filters such as AdBlock and other privacy filters
- To capture DOM objects information such as window.screen and window.navigator to extract information about the user agent.
- To query the user's timezone via the Date() object
- To find hardware specific information
- To find network specific information
- Inserting Plugins
- Inserting CSS
Recognize the encrypted traffic patterns of specific websites.
Exploit either general browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to install malware and surveillance software.