Tor Browser issueshttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues2024-03-09T17:31:09Zhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17569Add uBlock Origin to the Tor Browser2024-03-09T17:31:09ZJesse VictorsAdd uBlock Origin to the Tor BrowserI suggest that we add Ublock Origin to the Tor Browser. Ublock Origin has the following advantages:
1. FOSS under GPL3. See https://github.com/gorhill/uBlock
2. It is actively maintained and very popular.
3. It's designed to be efficient...I suggest that we add Ublock Origin to the Tor Browser. Ublock Origin has the following advantages:
1. FOSS under GPL3. See https://github.com/gorhill/uBlock
2. It is actively maintained and very popular.
3. It's designed to be efficient on CPU and memory. See https://github.com/gorhill/uBlock#performance
From https://github.com/gorhill/uBlock#philosophy:
> uBlock Origin is not an ad blocker; it's a general-purpose blocker. Furthermore, advanced mode allows uBlockâ‚€ to work in default-deny mode, which mode will cause all 3rd-party network requests to be blocked by default, unless allowed by the user.
Its behavior is governed through filter lists, which are maintained by Adblock Plus, Disconnect, the community, or other sources. Users can control which lists are downloaded and most are fetched through HTTPS.
I have read through https://www.torproject.org/projects/torbrowser/design/#philosophy, but this was written several years ago and I believe that the landscape has changed and that it's time to revisit those assumptions. Arguments include:
1. Default denial of cross-site (3rd party) requests, unless allowed by the users. This eliminates CSRFs and prevents contact with ad networks and trackers in the first place. This supplements browser security by prevent ad networks from tracking users across a browser session.
2. If all users use Ublock Origin, then everyone has the same fingerprint.
3. Adblockers are now relatively common by tech-savvy users, to the point where they now consider webpages to be broken if ads get in their way. The existence of ads may drive a user to install an insecure adblocker or to use their native non-Tor browser.
4. Ublock Origin would save significant bandwidth, reducing the load on the Tor network and increasing the responsiveness of webpages in the Tor Browser.
<n8fr8> might be good to revisit these assumptions, but make sure to read on in the design document to get the full understanding
<helix> I wonder how many people install adblockers anyway. I have like 4 extra extensions for ad/tracking blocking
<n8fr8> true that
<helix> my memory was fuzzy but I recall there also being some concern that blocking ads might increase sites' contempt towards tor users, but this was like 2011-2012 and the situation was quite different
<nickm> It seems like it follows some kind of design antipattern to me; "Assuming that we deliver security with X, Y adds no additional security. Therefore, not Y." then again, I am not a TB person and do not want to step on their toes here
<n8fr8> the world has changed wrt to ad blockers being seen as anti-social... Apple now supports them after all.
<kernelcorn> helix: so many non-Tor users use adblockers that I doubt that Tor users would make a significant impact
<helix> kernelcorn: I agree now - I'm saying that the timeframe in which that decision was made had a different landscape
<helix> I think it's probably worth revisiting the topic to see if it's still true
Ticket legacy/trac#10914 is related.richardrichard2023-11-15https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17509Write a patch for additional -ldl needed when compiling Tor Browser with ASan...2023-01-05T16:58:29ZGeorg KoppenWrite a patch for additional -ldl needed when compiling Tor Browser with ASan and GCC 5This is a reminder to investigate and write a patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1213698.This is a reminder to investigate and write a patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1213698.Sponsor 131 - Phase 5 - Ongoing Maintenancehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17216Make Tor Browser's updater work over Hidden Services2022-11-30T16:46:33ZIsis LovecruftMake Tor Browser's updater work over Hidden ServicesThis would provide additional cover traffic for other HSes. Another proposal from the (second) HS guard discovery protections meeting at the 2015 Berlin Tor developer meeting was to only have clients check for new Tor Browser updates via...This would provide additional cover traffic for other HSes. Another proposal from the (second) HS guard discovery protections meeting at the 2015 Berlin Tor developer meeting was to only have clients check for new Tor Browser updates via some HS(es), and then do the actual download of the update over the regular non-HS mirrors.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16819Separation of Tor Daemon + SELinux integration within (TBB)2022-11-29T13:49:34ZcypherpunksSeparation of Tor Daemon + SELinux integration within (TBB)SELinux profiles for isolating the browser and the tor daemon of TBB is an important security feature that should be in place.SELinux profiles for isolating the browser and the tor daemon of TBB is an important security feature that should be in place.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15825webgl.disable-extensions true about:config setting may allow DoS and breaks w...2023-11-04T01:15:51Zcypherpunkswebgl.disable-extensions true about:config setting may allow DoS and breaks websitesReference legacy/trac#3323 and legacy/trac#6370 ...
"The conclusion is that if we set webgl.min_capability_mode and webgl.disable-extensions, our primary API-level fingerprinting concerns are addressed."
However, I am concerned because...Reference legacy/trac#3323 and legacy/trac#6370 ...
"The conclusion is that if we set webgl.min_capability_mode and webgl.disable-extensions, our primary API-level fingerprinting concerns are addressed."
However, I am concerned because this presumably disables security extensions such as GL_ARB_robustness too, making it easier for malicious content to cause crashes on the user's computer (some of which can lead to things such as remote code execution).https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13747Make sure tor browser handles mixed content in .onions correctly2023-01-05T16:56:03ZWilliam BudingtonMake sure tor browser handles mixed content in .onions correctlyThe .onion URL for a given THS instance is a fingerprint of the public key, thus ensuring authenticity of the service. For this reason, some assume the same security assurances for .onion addresses as they would for https, with the adde...The .onion URL for a given THS instance is a fingerprint of the public key, thus ensuring authenticity of the service. For this reason, some assume the same security assurances for .onion addresses as they would for https, with the added assurances that hidden services provide. For instance, the major browsers have chosen to not load http resources when accessing an https site, blocking mixed content. However, there is no protection against mixed content being loaded in the TBB for .onion addresses when they include resources from http URLs. For any .onion URL which includes http resources, an attacker controlling an exit node could perform a Man in the Middle attack, providing malicious javascript which modifies the content of the DOM.
One would hope that an http THS would never include remote resources from an http site if they would like to protect their users. In fact, one would hope that a THS would never load any resources at all from a source they do not control. But this is no guarantee that they won't. It seems like a good security measure to disallow http resources from being loaded in TBB.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41235Rate limit gyroscope sampling frequency on FF mobile2022-11-30T14:52:17ZMike PerryRate limit gyroscope sampling frequency on FF mobileBy the time we get around to an official mobile port, we should double-check that Mozilla has reduced the sampling rate of the gyroscope on Android:
http://crypto.stanford.edu/gyrophone/files/gyromic.pdfBy the time we get around to an official mobile port, we should double-check that Mozilla has reduced the sampling rate of the gyroscope on Android:
http://crypto.stanford.edu/gyrophone/files/gyromic.pdfhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/5791Gather apparmor/selinux/seatbelt profiles for each component of TBB2022-11-30T16:20:35ZRoger DingledineGather apparmor/selinux/seatbelt profiles for each component of TBBIt's increasingly clear that shipping TBB without any "system call permissions" wrappers is an arms race that is too easy to lose. Bug 5741 is the latest of what will continue to be many instances.
The Tor wiki has a variety of instruc...It's increasingly clear that shipping TBB without any "system call permissions" wrappers is an arms race that is too easy to lose. Bug 5741 is the latest of what will continue to be many instances.
The Tor wiki has a variety of instructions on putting your TBB in a VM, or running it wrapped by apparmor, or somebody saying the word SELinux, etc.
We should gather all these instructions together, and start vetting them with the goal of integrating as many as we can into the main build processes, and providing the rest as "for experts, you can be even safer if".
We need a volunteer with good security taste to get this started. I could easily see this project being a bounty too.