Stories
Slash Boxes
Comments

SoylentNews is people

posted by LaminatorX on Tuesday September 30 2014, @01:11PM   Printer-friendly
from the What-does-the-fox-say? dept.

The Daily Dot has a story about a browser vendor who wants to package Tor as part of its private browsing mode. From the article:

Several major tech firms are in talks with Tor to include the software in products that can potentially reach over 500 million Internet users around the world. One particular firm wants to include Tor as a “private browsing mode” in a mainstream Web browser, allowing users to easily toggle connectivity to the Tor anonymity network on and off.

“They very much like Tor Browser and would like to ship it to their customer base,” Tor executive director Andrew Lewman wrote, explaining the discussions but declining to name the specific company. “Their product is 10-20 percent of the global market, this is of roughly 2.8 billion global Internet users.”

The author elaborates:

The product that best fits Lewman’s description by our estimation is Mozilla Firefox, the third-most popular Web browser online today and home to, you guessed it, 10 to 20 percent of global Internet users.

The story appears to have gleaned most of its information from a tor-dev mailing list post. An interesting reply from Tor developer Mike Perry explains how Tor can be modified so that the network can handle the extra load.

Related Stories

Tor Says Feds Paid Carnegie Mellon $1M to Help Unmask Users 28 comments

Wired and others are reporting on a Tor blog post claiming that Carnegie Mellon University researchers were paid by the Federal Bureau of Investigation to help attack Tor hidden services:

"Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes," Dingledine writes. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users."

Tor's statement all but confirms that Carnegie Mellon's attack was used in the late 2014 law enforcement operation known as Operation Onymous, carried out by the FBI and Europol. That dark web purge took down dozens of Tor hidden services, including several of the most popular Tor-based black markets for drugs including the Silk Road 2, and led to at least 17 arrests. Tor, for its part, has made efforts to subsequently block the attack, which it says it first detected in July of 2014.

When WIRED contacted Carnegie Mellon, it didn't deny the Tor Project's accusations, but pointed to a lack of evidence. "I'd like to see the substantiation for their claim," said Ed Desautels, a staffer in the public relations department of the university's Software Engineering Institute. "I'm not aware of any payment," he added, declining to comment further.

Tor's Dingledine responded to that call for evidence by telling WIRED that it identified Carnegie Mellon as the origin of the attack by pinpointing servers running on Tor's network that were used in the de-anonymization technique. When it asked Carnegie Mellon if the servers were being run by its researchers—a suspicion based on the canceled Black Hat conference presentation—the anomalous servers disappeared from the network and the university offered no response. The $1 million payment, Dingledine says, was revealed to Tor by "friends in the security community."

Previously:

July 26, 2014: Russia Offers $111,000 to Break TOR Anonymity Network
September 30, 2014: Tor Executive Hints at Firefox Integration
November 8, 2014: Huge Raid to Shut Down 400-plus DarkNet Sites
November 10, 2014: Tor Project Mulls How Feds Took Down Hidden Websites
November 17, 2014: Is Tor a Honeypot?
December 22, 2014: Servers Seized After Tor Developers Warn of Potential Government Attempt To Take Down Network


Original Submission

Tor at the Heart: Firefox 15 comments

If you've used Tor, you've probably used Tor Browser, and if you've used Tor Browser you've used Firefox. By lines of code, Tor Browser is mostly Firefox -- there are some modifications and some additions, but around 95% of the code in Tor Browser comes from Firefox. The Firefox and Tor Browser teams have collaborated for a long time, but in 2016, we started to take it to the next level, bringing Firefox and Tor Browser closer together than ever before. With closer collaboration, we're enabling the Tor Browser team to do their jobs more easily, adding more privacy options for Firefox users, and making both browsers more secure.

[...] In 2016, we started an effort to take the Tor Browser patches and "uplift" them to Firefox. When a patch gets uplifted, we take the change that Tor Browser needs and we add it to Firefox in such a way that it's disabled by default, but can be enabled by changing a preference value. That saves the Tor Browser team work, since they can just change preferences instead of updating patches. And it gives the Firefox team a way to experiment with the advanced privacy features that Tor Browser team is building, to see if we can bring them to a much wider audience.

Our first major target in the uplift project was a feature called First Party Isolation, which provides a very strong anti-tracking protection (at the risk of breaking some websites). Mozilla formed a dedicated team to take the First Party Isolation features in Tor Browser and implement them in Firefox, using the same technology we used to build the containers feature. The team also developed thorough test and QA processes to make sure that the isolation in Firefox is as strong as what's in Tor Browser -- and even identified some ways to add even stronger protections. The Mozilla team worked closely with the Tor Browser team, including weekly calls and an in-person meeting in September.

First Party Isolation will be incorporated in Firefox 52, the basis for the next major version of Tor Browser. As a result, the Tor Browser team won't have to update their First Party Isolation patches for this version. In Firefox, First Party Isolation is disabled by default (because of the compatibility risk), but Firefox users can opt in to using First Party Isolation by going to about:config and setting "privacy.firstparty.isolate" to "true".

We're excited to continue this collaboration in 2017. Work will start soon on uplifting a set of patches that prevent various forms of browser fingerprinting. We'll also be looking at how we can work together on sandboxing, building on the work that Yawning Angel has done for Tor Browser and the Firefox sandboxing features that are scheduled to start shipping in early 2017.

takyon: Where's the long-rumored Tor integration in default Firefox? Make Firefox useful again.

Previously: Some Tor Privacy Settings Coming to Firefox
Tor Project and Mozilla Making It Harder for Malware to Unmask Users


Original Submission

Project Fusion: Tor Integration With Firefox May Finally be Happening 11 comments

After years of talk, Tor may finally be integrated with the main Firefox browser soon:

The Tor Project announced that it's working with Mozilla to integrate Tor into Firefox. Eventually, this should completely eliminate the need for the Tor Browser, as most of its features would be merged into Firefox's new "super-private mode."

The Tor Browser is based on the Extended Support Release (ESR) version of Firefox, because it's a more stable development cycle that only patches bugs and doesn't add new features for 11 months or so. This means it doesn't disrupt how the Tor Browser works too much, and the Tor Project developers don't have to integrate many new features into their browser every few weeks.

Despite this, the Tor Project developers said that it takes a lot of time to rebase Tor Browser patches to new versions of Firefox. This is why Mozilla has started integrating Tor's patches into Firefox on its own through the "Tor Uplift Project."

Firefox has also adopted new security features from the Tor Browser such as first party isolation (which prevents cookies from tracking you across domains) and fingerprint resistance (which blocks user tracking through canvas elements). However, first party isolation is off by default in Firefox and fingerprint resistance can break some websites. You can enable first party isolation in about:config or by installing this add-on for it.

[...] The developers said all these features would enable a "real" private mode in Firefox, which could completely replace the need for the Tor Browser to exist. This "super-private mode" could be used by hundreds of millions of users eventually, which is why Mozilla first needs to ensure that the Tor network can scale with such usage. That means more people will need to run Tor relays. Mozilla may be able to help here by donating money to nonprofits that can run Tor relays.

Could this be the way to get Firefox above 10% market share (except that if it's done correctly, nobody will be able to measure it)?

Fusion Project overview


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Insightful) by MrGuy on Tuesday September 30 2014, @01:58PM

    by MrGuy (1007) on Tuesday September 30 2014, @01:58PM (#99996)

    Tor's anonymization works best when there are a lot of users making a lot of queries at the same time, preferably visiting the same sites - it's much harder to sort through the noise and pinpoint individual users. Also, it makes it harder for an attacker with access to a few nodes to gather sufficient data to de-anonymize individuals. As long as the network can handle the load (which needs to be proven), this seems like a Good Thing.

    • (Score: 3, Insightful) by Random2 on Tuesday September 30 2014, @03:19PM

      by Random2 (669) on Tuesday September 30 2014, @03:19PM (#100024)
      Well, maybe.

      As I understand Tor, all traffic on the network is randomly routed through all nodes attached to it (not necessarily that a packet hits every possible node, rather than any given node may route packets). Will that be the case if I have a browser integrated with Tor? Will I be seeing a significant increase in network activity on my connection? I already have a terrible enough connection as is (and no alternatives, gotta love the monopoly), and if it meant taking my 0.6 meg/s connection and slowing it even further, well...
      --
      If only I registered 3 users earlier....
  • (Score: 3, Insightful) by botfap on Tuesday September 30 2014, @02:12PM

    by botfap (4761) on Tuesday September 30 2014, @02:12PM (#100000)

    Because TOR doesn't have the deployed infrastructure to deal with that level of traffic. Even if Mozilla invested a huge amount of cash and deployed a CLEAN and SECURE global TOR network to deal with the traffic then the security aspect would last for a few months maximum. How long do you think it will take local law enforcement around the world to get court orders to get their fingers in the relays and exit nodes created by Mozilla? At this point its no longer suitable for serious use. The existing TOR infrastructure is already heavily compromised anyway, unless you have a carefully maintained white list of nodes and relays you shouldn't really consider the service anonymous any more (for serious law enforcement purposes).

    Also the most common use for encryption / vpn services (im a sysadmin for a VPN company) is for porn. TOR doesn't work well for instant satisfaction video porn, too much redundant traffic on the network.

    --
    -- I once killed a sea lion with my bare hands for stroking its whiskers on my genitals
    • (Score: 4, Interesting) by takyon on Tuesday September 30 2014, @02:39PM

      by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Tuesday September 30 2014, @02:39PM (#100006) Journal

      If Tor mode is treated as a separate layer from privacy/incognito mode, that would cut down on the amount of users. If users find it slow to load videos, they will stop using it for that purpose, and just use incognito mode (clear cookies/cache/etc. on exit). If NoScript, similar built-in functionality, or other privacy extensions are included and turned on by default, that would cause a bunch of porn and other sites to fail by default.

      If court orders will bring down Tor, why haven't law enforcement already done this? According to EFF [torproject.org], "No, we aren't aware of anyone being sued or prosecuted in the United States just for running a Tor relay. Further, we believe that running a Tor relay - including an exit relay that allows people to anonymously send and receive traffic - is legal under U.S. law."

      Obviously if the userbase increases by 10x there will be more interest in subverting Tor. People (NSA, Carnegie Mellon [torproject.org], whoever) will get in, but those vulnerabilities can be fixed. You say that Tor is heavily compromised because of bad nodes, but the expansion of the network could mitigate the risk.

      I think it remains to be seen whether this is a good idea or not. Mozilla may not go through with it, Tor may not be able to make the fixes needed to scale, law enforcement, the courts, or the spooks could poke gaping holes in the network, but it's still too early to tell.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 0) by Anonymous Coward on Tuesday September 30 2014, @03:07PM

      by Anonymous Coward on Tuesday September 30 2014, @03:07PM (#100016)

      Also the most common use for encryption / vpn services (im a sysadmin for a VPN company) is for porn.

      How do you figure that? Are you talking about people in countries where porn is illegal? Or people surfing porn at work?
      I can't really see them being anywhere near the volume of bittorrent piracy users. Perhaps your VPN company targets a niche demographic?

      • (Score: 2) by cykros on Wednesday October 01 2014, @07:36PM

        by cykros (989) on Wednesday October 01 2014, @07:36PM (#100610)

        It sounds like he's figuring it based on logs.

        As for "niche demographic", it may just be that he's working for a VPN that isn't particularly pirate friendly. Not all of them will just turn a blind eye to piracy, and some will happily drop you like a bad habit for breaching terms of service.

        Others do things like run the whole system in RAM and keep no logs. If THOSE had more porn use than piracy (and it was for legal porn), you'd definitely have to color me surprised.

    • (Score: 1, Informative) by Anonymous Coward on Tuesday September 30 2014, @03:17PM

      by Anonymous Coward on Tuesday September 30 2014, @03:17PM (#100020)

      I think you just got post 100,000!

    • (Score: 2) by cykros on Wednesday October 01 2014, @07:33PM

      by cykros (989) on Wednesday October 01 2014, @07:33PM (#100608)

      You're telling me more people use VPN's for porn than for piracy?

      I guess I probably can't ask you for specific data or anything, but damn, that's a bit surprising if accurate. Maybe people are more shy about watching porn (like everyone else) than I realized.

    • (Score: 2) by urza9814 on Friday October 03 2014, @10:56PM

      by urza9814 (3954) on Friday October 03 2014, @10:56PM (#101542) Journal

      You realize Tor is peer-to-peer, right...?

      How exactly is law enforcement going to install spyware on 10-20 percent of all PCs *around the world*? Good luck getting and enforcing a court order from a US judge to go snoop around on a PC in Russia...

  • (Score: 3, Informative) by takyon on Tuesday September 30 2014, @02:15PM

    by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Tuesday September 30 2014, @02:15PM (#100002) Journal

    Interest in the Tor Browser Bundle has skyrocketed: 2.5 million daily users, 150 million downloads [bbc.com] of the Firefox + Tor bundle in the past year. The scaling proposal linked in the summary suggests 100 million Tor users is possible, albeit with some serious coding work for multicore, etc. Mozilla claims there are 450 million [wikipedia.org] Firefox users.

    They are interested in including Tor as their "private browsing mode" and basically shipping a re-branded tor browser which lets people toggle the connectivity to the Tor network on and off.

    If the main build of Firefox ships with built-in Tor, it could be treated as a second toggle on top of private browsing mode. So one action to open a new private tab/window, and then another to switch to private Tor. That would reduce the number of clueless users while preventing them from suffering speed/other issues. Or Mozilla could go all in and make the private mode into Tor mode, a big move.

    They're willing to entertain offering their resources to help us solve the scalability challenges of handling hundreds of millions of users and relays on Tor.

    5. Invest in the Tor network. Based purely on extrapolating from the Noisebridge relays, we could add ~300 relays, and double the network capacity for $3M/yr, or about $1 per user per year

    That comes out to less than $1/user when the other improvements are added (#5 is treated as if none of the other scaling ideas are implemented).

    Mozilla has plenty of revenue from Google. They could afford to spend $10 million a year on improving Tor development and operating relays. And they wouldn't be alone in chucking cash at the project. It may boost market share of Firefox slightly, which in turn leads to more Google search cash. I think more people would hear about Tor as a default Firefox feature than as a separate browser bundle, which would lead to greater interest and Firefox use.

    About Chrome's incognito mode [google.com]:

    • Your browsing history isn’t recorded. The webpages you open and the files you download in incognito mode aren’t recorded in your browsing and download histories.
    • Your cookies are deleted. All new cookies are deleted after you close all incognito windows.
    • You can switch easily between incognito and regular mode. You can have both incognito mode windows and regular windows open at the same time, and switch between the two.
    • Extensions are disabled. Your extensions are automatically disabled in incognito windows. This is because Google Chrome does not control how extensions handle your personal data. If you want an extension to show up in incognito windows, select the “Allow in incognito” checkbox for the extension.

    As you can see incognito mode is limited. It doesn't do much more than what a user could do before (clearing history, cache, cookies), but it segregates normal and private windows and makes it easy on the user. Firefox's current scheme [mozilla.org] is the same.

    Do Not Track [wikipedia.org] is basically a failure [theregister.co.uk]. These modes can enable it, and that might stop some % of tracking. But Tor Browser Bundle comes with NoScript and HTTPS-Everywhere by default. If Mozilla implements Tor, it would likely include these extensions and maybe more. It could come with an expanded default whitelist for NoScript, and possibly other extensions like Privacy Badger. Put all of these features together and you have a browser that could at least try to achieve privacy. DNT+Tor+NoScript+HTTPS+Privacy Badger will probably confound advertisers and others (unless Tor security breaks for months at a time, as researchers have been hinting at).

    Another thing that will reduce the potential user base for this feature: certain countries might try to block Firefox's automatic update servers after the feature is announced. Like Iran, where Firefox apparently has 46% market share. Organizations using Firefox ESR might postpone a Tor-by-default browser indefinitely.

  • (Score: 2, Interesting) by Rosco P. Coltrane on Tuesday September 30 2014, @04:13PM

    by Rosco P. Coltrane (4757) on Tuesday September 30 2014, @04:13PM (#100045)

    It's fine if you don't know what you're doing (or you don't have time to fiddle around with the Firefox settings) but I prefer a properly configured Firefox install.

    For instance: I'm at home. I don't care about storing passwords on my hard drive, but I do want to use Tor for when I visit sites on which I have no account. With Tor browser, I'm SOL - storing passwords plain doesn't work.

    Or, the Torbutton cookie manager won't let me use a better, third-party cookie manager. Why?

    Yet, for all its claims of security and anonymity, JS is enabled by default on Tor Browser. Well that's plain unacceptable.

    Tor Browser is a botched Firefox with extra problems. I say download the regular Firefox, install the usual add-ons (ABE, Ghostery, User Agent Randomizer, Noscript, Flashblock, a proper cookie manager, a proper proxy switcher...), take the time to configure it in a way that's sensible for your intended usage, install Vidalia and Tor (why oh why won't they release a plain-Jane Vidalia bundle? But I digress...) and you'll be much happier than with Tor Browser, albeit at the cost of taking time to set things up intelligently.

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday September 30 2014, @05:20PM

      by Anonymous Coward on Tuesday September 30 2014, @05:20PM (#100060)
      People who don't know what they are doing are unlikely to use Tor properly.

      They may use an identifiable name/message/sig/phrase when posting something (e.g. they post an identifiable message on soylentnews using Tor immediately/before/while doing something else that's supposed to be anonymous). Or do other things that might help identify them (log in to certain websites at certain times).

      Privacy and anonymity are subtly different things, you have to do things right to achieve both of them.
    • (Score: 2) by cykros on Wednesday October 01 2014, @07:42PM

      by cykros (989) on Wednesday October 01 2014, @07:42PM (#100614)

      Not a bad solution, IF you're insisting on using the system on your already existing host system. Which in general is an unnecessary risk to take in 99% of cases.

      T(A)ILS uses many more methods to ensure that things aren't leaking, down to including a transparent proxy with iptables that enforces ALL TCP traffic goes through Tor, and blocks UDP (measures are taken such that DNS still can work). And it doesn't touch your hard drive unless you go out of your way to tell it to.

      Why again are we suggesting people use browser only solutions to ensuring their connection to a darknet is secure? It does make for some amusing news stories about dumb criminals, but really, it's worth avoiding where possible.

      • (Score: 1) by Rosco P. Coltrane on Wednesday October 01 2014, @09:01PM

        by Rosco P. Coltrane (4757) on Wednesday October 01 2014, @09:01PM (#100659)

        Not a bad solution, IF you're insisting on using the system on your already existing host system. Which in general is an unnecessary risk to take in 99% of cases

        That's not the point.

        Most people assume Tor is used by those who want to buy drugs or find kiddie porn, by whistleblowers or by dissidents in dicatorships. But that's not my case: I live in a (pseudo-)democracy, and I use Tor, along with Ghostery, Random Agent Spoofer, Noscript and the others, to make it harder for Google, national spying agencies and other snooping sumbitches to track the sites I visit on the internet, profile me, and profit off of my browsing habits. I only visit a few sites on the darknet, most notably DuckDuckGo and SoylentNews - the former as a non-Google, non-Microsoft search engine that doesn't require going through an exit node, and the latter as a version of Slashdot that supports https.

        As such, I don't care if it writes on my hard-disk, or if part of the traffic doesn't go through Tor all of the time. All I want is to make my browsing patterns confusing. I definitely don't need the full-blown Tor Browser paranoia for my usage: just a Tor proxy, a few add-ons, and sane habits on the internet.

        In fact, there are times I *don't* want to go through Tor, typically to visit passworded http (not-s) sites: in this case, I trust the Tor exit node that'll proxy my traffic even less than I trust the usual corporate and state snoops.

        Of course, if I was into drugs or whistleblowing, I most certainly would use Tor Browser in its default configuration (but with Javascript disabled) to do my browsing. But since I'm not, Tor Browser just gets in my way more than I can bear.

        And it doesn't touch your hard drive unless you go out of your way to tell it to.

        Not true: no matter what you do, again, it won't let you save passwords on the hard drive - with or without a master password. I do believe it is a bug, but it's been there for such a long time, I wonder if it's not by design after all. Tor Browser is annoying in many ways, but I can live with the annoyances. But the password saving bug is one annoyance too many for me.

        • (Score: 2) by cykros on Wednesday October 08 2014, @02:49AM

          by cykros (989) on Wednesday October 08 2014, @02:49AM (#103422)

          Not true: no matter what you do, again, it won't let you save passwords on the hard drive - with or without a master password. I do believe it is a bug, but it's been there for such a long time, I wonder if it's not by design after all.

          If it's not by design, it's a very good bug to have. If you're going for less paranoia, you can definitely configure on your own at your own risk, but there's no good reason that the Tor Browser would have to allow password saving by default. Generally speaking, a lot of Tor user deobfuscation has centered around driveby malware, and stealing the saved passwords would go a long way to putting together an identity by any particularly determined attacker, especially state sponsored. I'm curious as to how it is stopped though; I'd have a look in about:config.

  • (Score: 2) by turgid on Tuesday September 30 2014, @08:47PM

    by turgid (4318) Subscriber Badge on Tuesday September 30 2014, @08:47PM (#100116) Journal

    Call me paranoid, but...,

    We live in a world full of "normal people" i.e. not tech-savvy people, and a world run by knee-jerk [bbc.co.uk] authoritarian politicians [theguardian.com]. Even in traditional liberal democracies, we are creeping towards totalitarian police states. Meanwhile, the facists crack the whip [bbc.co.uk].

    In the eyes of "normal people" and politicians, who uses TOR? Who could possibly want to be anonymous on the Internet? Terrorists, paedophiles, drug dealers and drug users [channel4.com], of course!

    "Normal people" - and by extension the politicians who want to get their votes - have the issues presented to them in these [dailymail.co.uk] terms [express.co.uk]. Evil, evil and more evil.

    And Jihadists are planning an encryption-protected cyber caliphate [dailymail.co.uk], would you believe?

    So are you with us, or against us?

    In this simplistic modern world, guilt by association is a given. I do not want TOR built into my web browser. No way.

    • (Score: 2) by jimshatt on Tuesday September 30 2014, @10:01PM

      by jimshatt (978) on Tuesday September 30 2014, @10:01PM (#100131) Journal
      Except when suddenly a pretty large number of people start using it. Then you can't say "TOR thus evil scum" anymore, because your mom uses it too (oh yes she does!). Moreover, it supplies some plausible deniability, whereas having the TOR browser installed makes you a suspect.
      • (Score: 2) by turgid on Wednesday October 01 2014, @07:46PM

        by turgid (4318) Subscriber Badge on Wednesday October 01 2014, @07:46PM (#100617) Journal

        OK, then, you first! :-)

        Casual spying is automated these days, so I'm under no illusions about being monitored. I just imagine that having TOR on your network puts you higher up the list of potentially interesting people.

        Not that I have anything to hide, you understand, not at this stage. My voting record is pretty standard and unremarkable by subversive standards :-)