Browser Privacy Test:
Testing other browsers with specific privacy tests, to make privacy comparisons across browsers objective.
Every browser claims it's "good" about privacy; how do users compare them?
browserprivacy.net -> browserprivacy.net/tests.html
- Three categories of tests:
  - Tor connectivity
  - Cookies (super cookies)
  - Fingerprinting
- This is very technical, provide a higher-level activist-focused matrix
- Currently run manually, running nightly build tests would be better
- Can Panopticlick use or benefit from this?
- Feedback to OpenWPM?
Brave has a Private Tab that uses Tor
- Began 1 year ago
- Added "Private Tab with Tor"
- Reduce fingerprinting
- Disable leaky features (WebRTC, etc)
- Starts Tor when the first Private Tab with Tor is created
- This tab tries to match most users' expectations of a Private Tab
- Make anonymous micropayments more profitable than website ads
- In the future, add PT support
- Possibly separate Tor support from Private Tabs (maybe use Tor support in normal tabs, too)
Cliqz:
- Uses Firefox
- Adds "Forget Mode", rather than Private Mode
- Adds automatic Forget Mode if it decides a website should be opened in a forget mode
- In the future, move services to onion services
- Currently internal testing of beta version
- Cliqz uses Firefox release rather than ESR (opens possible proxy-bypass)
- Testing for proxy-bypass manually
- Future PT support
When the Tor Project is contacted about Tor support: "Tor" means many different things
- Browser, network, program, etc
- Tor Browser is more than a browser that routes traffic over the Tor network
  - Fingerprinting protections, privacy protections, etc
- If another browser integrates Tor, calling it "Tor Mode" would be misleading
  - "Onion mode" or "Private Tabs with Tor" are options
- What features must a browser support before the Tor Project is comfortable with another browser having a "Tor Mode"?
  - We should use the Browser Privacy Tests
  - It's a starting point
EFF has a lot of history with browser fingerprinting from Panopticlick
Maybe Panopticlick compares the browser against Tor Browser
Users can be fingerprinted by the version of their browser (UAS, available features, configurations, etc)
How can The Tor Project help the other browsers?
Automated tests and a checklist are very helpful for knowing what is needed/expected
What is changing between Tor Browser and FF Release/Nightly?
What should be communicated to the user about the Tor mode?
Onion UI should be similar/standardized across browsers
Brave fails hard .onion address resolution
Cliqz uses the blockdotonion pref
Looking at browserleaks.com, too
Better explanation of why someone should choose a browser with Tor support vs. Tor Browser
Better explanation of why Tor is different/better/worse than a VPN
Better documentation around this - FAQ? Training?