Re: Regarding the return of Tor support on the 102.2.0 branch

From: Mark H Weaver
Subject: Re: Regarding the return of Tor support on the 102.2.0 branch
Date: Tue, 13 Sep 2022 00:33:33 -0400

Earlier, I wrote:
> Is this similar in functionality to the "Tor Button" extension that was
> bundled with earlier versions of IceCat?

Sorry, it was actually called the "Onion Browser Button".

> If so, I have concerns about this approach.  I outlined them in the
> following message:

To facilitate restarting this discussion, here's a copy of the relevant
portion of that message:

Long ago, the Tor Browser developers reached the conclusion that having
a simple toggle button was the wrong approach, and I agree.

One problem is that modern web browsers have a large amount of state
which can be used to identify you, and toggling the Tor button does not
clear that state.  When you aren't using Tor, sites can learn the state
of your browser profile and associate that state with your identity.
Later, if you turn Tor on, all of that state is still there to identify
you, even if your network requests are routed through Tor.

I believe that in order to properly preserve your anonymity while web
browsing, at *minimum* each IceCat _profile_ should either be used
exclusively with Tor, or exclusively without Tor.  In other words, you
should create dedicated profiles for use with Tor; when creating a new
profile, you should either configure it to use Tor, or not, and you
should *never* toggle a given profile between Tor-enabled and
Tor-disabled.  This requirement is violated by a Tor toggle button,
whose sole purpose is to make it convenient to do the very thing that
you should never do.

Another more difficult problem is that browsers can be fingerprinted in
various ways to determine their specific feature set and configuration.
IceCat has a distinctive set of features disabled, and a distinctive
configuration to better protect your privacy, but ironically these
improvements can likely be used by an adversary to determine that you
are an IceCat user, even if you are using Tor.  Since there are
relatively few IceCat users, this dramatically narrows down the set of
people that you might be, thereby reducing your anonymity.

I think we should acknowledge that providing proper anonymity in IceCat
will require more work, and that work has not yet been done.  Therefore,
I think we should remove Tor support from IceCat for now, and start a
discussion of what the requirements are and how best to meet them.

To begin, I recommend that participants of this discussion should read
"The Design and Implementation of the Tor Browser", here:

I can think of a few approaches we might take.  The easiest approach
would be to give up on having the same browser support Tor and non-Tor
usage, as the Tor developers did.  IceCat, based on Firefox ESR, could
be our non-Tor browser, and then we could start another project, based
on Tor Browser, for use with Tor.

Another approach would be to provide an easy UI for enabling Tor when
creating a new profile, and to teach users best practices for doing
this.  This approach would involve cherry-picking patches from Tor
Browser, and possibly arranging for some of those patches to take effect
only in profiles where Tor is enabled.  It would likely also involve
using a different default configuration for Tor-enabled profiles, to
more closely match Tor Browser's configuration, to make it harder to
distinguish IceCat users from Tor Browser users.

Yet another idea would be to arrange for "Private Windows" to use Tor,
and to convince ourselves (or not) that the remotely-detectable state of
Private Windows is sufficiently isolated from the state of normal

I welcome other opinions.


Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <>.
