Important Google Chrome Bugs
It would be great if the Tor Project could create a Chrome extension to upgrade Google Chrome's Incognito Mode into a full privacy mode that protects against all network adversaries, giving Chrome users real privacy-by-design if and when they want it.
Ideally, we'd like some help in the form of several improvements to Incognito Mode to reduce linkability while using the mode.
However, we still have a few important issues to tackle before even low-grade privacy-by-design can be provided through Tor in Incognito mode. This page exists to track those issues by referencing relevant items in the Chromium bug tracker.
The following groups of bugs are ordered from most important to least.
Proxy Bypass Bugs
First and foremost, there are a few bugs that allow direct bypass of the Incognito mode proxy settings. Without fixes for these bugs, there is little point in attempting a Tor extension at all, since the user's real IP can be revealed in typical use cases, even without any actual exploit attempt.
- All certificate validation fetches (AIA, OCSP, CRL) should use Chrome's proxy settings - workaround: Since online checks for SoftFail certificate revocation do not provide an effective security effect, they are disabled by default starting with Google Chrome version 19. If the policy is not configured or set to false, Google Chrome will no longer perform online checks for certificate revocation as of Google Chrome version 19.
- dns prefetching leaks dns queries when using a proxy - workaround: disable DNS prefetching
- Flash and other plugins should be forced through the browser's proxy - workaround: disable flash (also alludes to "many" non-plugin cases where Chrome can bypass proxy settings)
FTP not working behind (HTTP) Proxy - workaround: use WebRequest to block FTP
- This bug was fixed, but appears to only add HTTP proxy support? We need SOCKS.
- WebRTC PeerConnection can use UDP and non-proxied TCP Sockets - workaround: disable via chrome://flags/ TODO: please link specific option to disable
- SPDY v3 can use UDP as a transport (via QUIC) - workaround: disable QUIC via chrome://flags/#enable-quic.
In addition, the following behaviors still need to be investigated:
- Can we block drag and drop events? On most desktops, the OS actually pre-loads the URL associated with a drag event as soon as you start dragging an object, even if you don't drop it on the desktop.
- Do WebSockets behave correctly? On Firefox, they leaked DNS.
- Do the NTLM and SPNEGO HTTP authentication methods bypass the proxy? OS libraries used for those, too.
Browser State Leak Bugs
After issues that allow direct proxy bypass, there are still a number of ways that browser state can cross between Incognito mode and regular browsing. These bugs are a huge concern for us, as they can allow tracking of the user between normal and Torified Incognito modes. There are also even some ways that Incognito browsing activity can be written to disk as a result of these bugs.
- Maintain separate TLS session caches per-profile - fixed in december 2011 (wild guess: 18.0.970.1), workaround: none?
- XXX: SPDY state and connection reuse, HTTP keepalive connection reuse, and HSTS state? Probably all shared...
- XXX: The CryptoAPI dependency on Windows probably means most or all TLS state is shared, including TLS session resumption and session tickets, the user cert store, intermediate TLS certificate cache, and OCSP cache..
Third Party Identifiers
In Tor Browser, we prevent third parties from tracking you across top-level domains by "double-keying" identifier sources to the url bar domain and the third party. It sure would be nice if the third party cookie option in Chrome did this, too. Here's the list of related issues:
- XXX: Bug number? The Third Party Cookie pref should also "double-key" or disable DOM storage, cache, HTTP Auth and HSTS for third parties. In Tor Browser, we double-key most of this stuff rather than disable it, to minimize breakage.
- XXX: Bug Number? window.name should not persist across domains
- XXX: Bug Number? SSL Session ids and TLS session tickets should be disabled for third parties.
- XXX: Bug Number? SPDY can store session IDs and other state, and has insane keep-alive properties. SPDY state should be similarly jailed to URL bar domain, and third party requests and state should not cross url bar barriers.
- XXX: needs bug HTML5 Canvas should be permission-based for reading image data (rendering to it is fine, only extraction is an issue). There is a Chrome addon for this, but it is prone to races due to async script injection. We need a real solution.
- XXX: needs bug The GamePad API allows USB device IDs for any controller-like devices to be enumerated by JS.
- XXX: needs bug CSS Media Queries allow screen info and even user-selected system theme colors and other user-configured UI information to be extracted by CSS (even without JS). Spoof/disable for Incognito Mode.
- XXX: needs bug WebGL should not expose OpenGL/DirectX extension and device capabilities (aka should run in "W3C minimal mode") in Incognito Mode
- XXX: needs bug NTLM and SPNEGO Auth should not send machine hostname or username in Incognito Mode.
- XXX: needs bug The desktop and taskbar resolution should not be available to CSS or JS -- provide content window size only.
- XXX: needs bug Addons should be able to install a font pack for exclusive use in Incognito Mode.
- XXX: needs bug Disable high-resolution DOM and network performance timers in Incognito Mode
Those are the major issues. You can see the full list of fingerprinting issues in Firefox in our bug tracker, past and present.
Note that webkit has a set of tools to control fingerprinting that Chrome could use.
Blue-sky API wishlist
The plugin sandboxing support can potentially allow us to write a more restricted sandbox that we deem will allow Flash and other plugins to be safe enough to use in the mode. There is no bug for it yet, but it would build on this one: https://code.google.com/p/chromium/issues/detail?id=50796