from the What-does-the-fox-say? dept.
Several major tech firms are in talks with Tor to include the software in products that can potentially reach over 500 million Internet users around the world. One particular firm wants to include Tor as a “private browsing mode” in a mainstream Web browser, allowing users to easily toggle connectivity to the Tor anonymity network on and off.
“They very much like Tor Browser and would like to ship it to their customer base,” Tor executive director Andrew Lewman wrote, explaining the discussions but declining to name the specific company. “Their product is 10-20 percent of the global market, this is of roughly 2.8 billion global Internet users.”
The author elaborates:
The product that best fits Lewman’s description by our estimation is Mozilla Firefox, the third-most popular Web browser online today and home to, you guessed it, 10 to 20 percent of global Internet users.
The story appears to have gleaned most of its information from a tor-dev mailing list post. An interesting reply from Tor developer Mike Perry explains how Tor can be modified so that the network can handle the extra load.
"Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes," Dingledine writes. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users."
Tor's statement all but confirms that Carnegie Mellon's attack was used in the late 2014 law enforcement operation known as Operation Onymous, carried out by the FBI and Europol. That dark web purge took down dozens of Tor hidden services, including several of the most popular Tor-based black markets for drugs including the Silk Road 2, and led to at least 17 arrests. Tor, for its part, has made efforts to subsequently block the attack, which it says it first detected in July of 2014.
When WIRED contacted Carnegie Mellon, it didn't deny the Tor Project's accusations, but pointed to a lack of evidence. "I'd like to see the substantiation for their claim," said Ed Desautels, a staffer in the public relations department of the university's Software Engineering Institute. "I'm not aware of any payment," he added, declining to comment further.
Tor's Dingledine responded to that call for evidence by telling WIRED that it identified Carnegie Mellon as the origin of the attack by pinpointing servers running on Tor's network that were used in the de-anonymization technique. When it asked Carnegie Mellon if the servers were being run by its researchers—a suspicion based on the canceled Black Hat conference presentation—the anomalous servers disappeared from the network and the university offered no response. The $1 million payment, Dingledine says, was revealed to Tor by "friends in the security community."
July 26, 2014: Russia Offers $111,000 to Break TOR Anonymity Network
September 30, 2014: Tor Executive Hints at Firefox Integration
November 8, 2014: Huge Raid to Shut Down 400-plus DarkNet Sites
November 10, 2014: Tor Project Mulls How Feds Took Down Hidden Websites
November 17, 2014: Is Tor a Honeypot?
December 22, 2014: Servers Seized After Tor Developers Warn of Potential Government Attempt To Take Down Network
If you've used Tor, you've probably used Tor Browser, and if you've used Tor Browser you've used Firefox. By lines of code, Tor Browser is mostly Firefox -- there are some modifications and some additions, but around 95% of the code in Tor Browser comes from Firefox. The Firefox and Tor Browser teams have collaborated for a long time, but in 2016, we started to take it to the next level, bringing Firefox and Tor Browser closer together than ever before. With closer collaboration, we're enabling the Tor Browser team to do their jobs more easily, adding more privacy options for Firefox users, and making both browsers more secure.
[...] In 2016, we started an effort to take the Tor Browser patches and "uplift" them to Firefox. When a patch gets uplifted, we take the change that Tor Browser needs and we add it to Firefox in such a way that it's disabled by default, but can be enabled by changing a preference value. That saves the Tor Browser team work, since they can just change preferences instead of updating patches. And it gives the Firefox team a way to experiment with the advanced privacy features that Tor Browser team is building, to see if we can bring them to a much wider audience.
Our first major target in the uplift project was a feature called First Party Isolation, which provides a very strong anti-tracking protection (at the risk of breaking some websites). Mozilla formed a dedicated team to take the First Party Isolation features in Tor Browser and implement them in Firefox, using the same technology we used to build the containers feature. The team also developed thorough test and QA processes to make sure that the isolation in Firefox is as strong as what's in Tor Browser -- and even identified some ways to add even stronger protections. The Mozilla team worked closely with the Tor Browser team, including weekly calls and an in-person meeting in September.
First Party Isolation will be incorporated in Firefox 52, the basis for the next major version of Tor Browser. As a result, the Tor Browser team won't have to update their First Party Isolation patches for this version. In Firefox, First Party Isolation is disabled by default (because of the compatibility risk), but Firefox users can opt in to using First Party Isolation by going to about:config and setting "privacy.firstparty.isolate" to "true".
We're excited to continue this collaboration in 2017. Work will start soon on uplifting a set of patches that prevent various forms of browser fingerprinting. We'll also be looking at how we can work together on sandboxing, building on the work that Yawning Angel has done for Tor Browser and the Firefox sandboxing features that are scheduled to start shipping in early 2017.
takyon: Where's the long-rumored Tor integration in default Firefox? Make Firefox useful again.
After years of talk, Tor may finally be integrated with the main Firefox browser soon:
The Tor Project announced that it's working with Mozilla to integrate Tor into Firefox. Eventually, this should completely eliminate the need for the Tor Browser, as most of its features would be merged into Firefox's new "super-private mode."
The Tor Browser is based on the Extended Support Release (ESR) version of Firefox, because it's a more stable development cycle that only patches bugs and doesn't add new features for 11 months or so. This means it doesn't disrupt how the Tor Browser works too much, and the Tor Project developers don't have to integrate many new features into their browser every few weeks.
Despite this, the Tor Project developers said that it takes a lot of time to rebase Tor Browser patches to new versions of Firefox. This is why Mozilla has started integrating Tor's patches into Firefox on its own through the "Tor Uplift Project."
Firefox has also adopted new security features from the Tor Browser such as first party isolation (which prevents cookies from tracking you across domains) and fingerprint resistance (which blocks user tracking through canvas elements). However, first party isolation is off by default in Firefox and fingerprint resistance can break some websites. You can enable first party isolation in about:config or by installing this add-on for it.
[...] The developers said all these features would enable a "real" private mode in Firefox, which could completely replace the need for the Tor Browser to exist. This "super-private mode" could be used by hundreds of millions of users eventually, which is why Mozilla first needs to ensure that the Tor network can scale with such usage. That means more people will need to run Tor relays. Mozilla may be able to help here by donating money to nonprofits that can run Tor relays.
Could this be the way to get Firefox above 10% market share (except that if it's done correctly, nobody will be able to measure it)?
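To make the First Party Isolation behaviour described in the quoted excerpts above concrete (cookies keyed by the site in the URL bar, so a third party cannot link visits across domains), here is an added example that is not code from Firefox, Tor Browser or the quoted articles. It is a simplified model: the `CookieJar` class, the `.example` hosts and the visit list are constructed for illustration, and only the preference name `privacy.firstparty.isolate` comes from the page.

```javascript
// Simplified model of a browser cookie store (constructed for illustration;
// not Firefox or Tor Browser code). With isolation on, each cookie is keyed
// by the first-party site in the URL bar as well as by the host that set it.
class CookieJar {
  constructor(isolate) {
    this.isolate = isolate;   // models the privacy.firstparty.isolate preference
    this.store = new Map();
    this.nextId = 1;
  }
  key(firstParty, cookieHost) {
    return this.isolate ? `${firstParty}|${cookieHost}` : cookieHost;
  }
  // A page on `firstParty` loads a resource from `cookieHost`; that host
  // reads its ID cookie and sets a fresh one if none is visible to it.
  load(firstParty, cookieHost) {
    const k = this.key(firstParty, cookieHost);
    if (!this.store.has(k)) this.store.set(k, `id-${this.nextId++}`);
    return this.store.get(k);
  }
}

// Constructed browsing session: three sites embed the same third-party host.
const VISITS = ["news.example", "shop.example", "news.example", "forum.example"];
const TRACKER = "tracker.example";

// Returns what the third party can assemble: cookie ID -> sites seen under it.
function trackerView(isolate) {
  const jar = new CookieJar(isolate);
  const profile = {};
  for (const site of VISITS) {
    const id = jar.load(site, TRACKER);
    if (!profile[id]) profile[id] = [];
    profile[id].push(site);
  }
  return profile;
}

console.log("isolation off:", trackerView(false));
console.log("isolation on: ", trackerView(true));
```

With isolation off the third party sees one ID spanning every site; with it on, each first-party site gets its own ID, and a return visit to the same site still finds that site's cookie, so per-site state is preserved while cross-site linking is not.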