Re: bug#41848: Surfing with Tor

[Mark H Weaver]

Earlier, I wrote:

> I'm currently building a version of IceCat 68.9 with the above commit
> reverted, to see if the bug also exists in version 0.1.7 of the Onion
> Browser Button.

The same problem happens for me with version 0.1.7 of the Onion Browser
Button in the IceCat 68.9 preview.  I guess that this add-on does not
work reliably (if at all) with Firefox ESR 68.x or its derivatives.
Maybe it works better with Firefox 77.

Unless someone has a better suggestion, I'm inclined to simply *remove*
Onion Browser Button from the IceCat 68 preview.

Long ago, the Tor Browser developers reached the conclusion that having
a simple toggle button was the wrong approach, and I agree.

  https://blog.torproject.org/toggle-or-not-toggle-end-torbutton

One problem is that modern web browsers have a large amount of state
which can be used to identify you, and toggling the Tor button does not
clear that state.  When you aren't using Tor, sites can learn the state
of your browser profile and associate that state with your identity.
Later, if you turn Tor on, all of that state is still there to identify
you, even if your network requests are routed through Tor.

I believe that in order to properly preserve your anonymity while web
browsing, at *minimum* each IceCat _profile_ should either be used
exclusively with Tor, or exclusively without Tor.  In other words, you
should create dedicated profiles for use with Tor; when creating a new
profile, you should either configure it to use Tor, or not, and you
should *never* toggle a given profile between Tor-enabled and
Tor-disabled.  This requirement is violated by a Tor toggle button,
whose sole purpose is to make it convenient to do the very thing that
you should never do.

Another more difficult problem is that browsers can be fingerprinted in
various ways to determine their specific feature set and configuration.
IceCat has a distinctive set of features disabled, and a distinctive
configuration to better protect your privacy, but ironically these
improvements can likely be used by an adversary to determine that you
are an IceCat user, even if you are using Tor.  Since there are
relatively few IceCat users, this dramatically narrows down the set of
people that you might be, thereby reducing your anonymity.

I think we should acknowledge that providing proper anonymity in IceCat
will require more work, and that work has not yet been done.  Therefore,
I think we should remove Tor support from IceCat for now, and start a
discussion of what the requirements are and how best to meet them.

To begin, I recommend that participants of this discussion should read
"The Design and Implementation of the Tor Browser", here:

  https://2019.www.torproject.org/projects/torbrowser/design/

I can think of a few approaches we might take.  The easiest approach
would be to give up on having the same browser support Tor and non-Tor
usage, as the Tor developers did.  IceCat, based on Firefox ESR, could
be our non-Tor browser, and then we could start another project, based
on Tor Browser, for use with Tor.

Another approach would be to provide an easy UI for enabling Tor when
creating a new profile, and to teach users best practices for doing
this.  This approach would involve cherry-picking patches from Tor
Browser, and possibly arranging for some of those patches to take effect
only in profiles where Tor is enabled.  It would likely also involve
using a different default configuration for Tor-enabled profiles, to
more closely match Tor Browser's configuration, to make it harder to
distinguish IceCat users from Tor Browser users.

Yet another idea would be to arrange for "Private Windows" to use Tor,
and to convince ourselves (or not) that the remotely-detectable state of
Private Windows are sufficiently isolated from the state of normal
windows.

I welcome other opinions.

    Regards,
      Mark