Big change is coming "with the support of 'Unix domain sockets', and some other tweaks. A Unix domain socket is basically a way for two programs on the same computer to talk to each other without using an underlying network protocol. With that, the Firefox half of the Tor Browser should no longer need network access, Barnes continued.
"That means that you could run it in a sandbox with no network access (only a Unix domain socket to the proxy), and it would still work fine. And then, even if the Firefox half of Tor Browser were compromised, it wouldn't be able to make a network connection to de-anonymize the user," he said.
This project is a collaboration between the Tor Project and Mozilla, according to Barnes. He said it started when the Tor Project did some work on adding Unix domain socket capabilities to the Tor proxy and browser. After that, Mozilla added a general capability to Firefox allowing it to talk to proxies over Unix domain sockets. And now, the Tor Browser team is working on putting this general capability into the Tor Browser, and Mozilla is helping to fix any bugs that come up, Barnes said."
If you've used Tor, you've probably used Tor Browser, and if you've used Tor Browser you've used Firefox. By lines of code, Tor Browser is mostly Firefox -- there are some modifications and some additions, but around 95% of the code in Tor Browser comes from Firefox. The Firefox and Tor Browser teams have collaborated for a long time, but in 2016, we started to take it to the next level, bringing Firefox and Tor Browser closer together than ever before. With closer collaboration, we're enabling the Tor Browser team to do their jobs more easily, adding more privacy options for Firefox users, and making both browsers more secure.
[...] In 2016, we started an effort to take the Tor Browser patches and "uplift" them to Firefox. When a patch gets uplifted, we take the change that Tor Browser needs and we add it to Firefox in such a way that it's disabled by default, but can be enabled by changing a preference value. That saves the Tor Browser team work, since they can just change preferences instead of updating patches. And it gives the Firefox team a way to experiment with the advanced privacy features that Tor Browser team is building, to see if we can bring them to a much wider audience.
Our first major target in the uplift project was a feature called First Party Isolation, which provides a very strong anti-tracking protection (at the risk of breaking some websites). Mozilla formed a dedicated team to take the First Party Isolation features in Tor Browser and implement them in Firefox, using the same technology we used to build the containers feature. The team also developed thorough test and QA processes to make sure that the isolation in Firefox is as strong as what's in Tor Browser -- and even identified some ways to add even stronger protections. The Mozilla team worked closely with the Tor Browser team, including weekly calls and an in-person meeting in September.
First Party Isolation will be incorporated in Firefox 52, the basis for the next major version of Tor Browser. As a result, the Tor Browser team won't have to update their First Party Isolation patches for this version. In Firefox, First Party Isolation is disabled by default (because of the compatibility risk), but Firefox users can opt in to using First Party Isolation by going to about:config and setting "privacy.firstparty.isolate" to "true".
We're excited to continue this collaboration in 2017. Work will start soon on uplifting a set of patches that prevent various forms of browser fingerprinting. We'll also be looking at how we can work together on sandboxing, building on the work that Yawning Angel has done for Tor Browser and the Firefox sandboxing features that are scheduled to start shipping in early 2017.
takyon: Where's the long-rumored Tor integration in default Firefox? Make Firefox useful again.
Previously: Some Tor Privacy Settings Coming to Firefox
Tor Project and Mozilla Making It Harder for Malware to Unmask Users
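An added example (not code from Tor Browser, Firefox or the quoted articles) of the arrangement Barnes describes: the client side opens only an AF_UNIX socket and hands the hostname to the proxy unresolved, so it needs neither DNS nor any network socket of its own. It assumes the proxy speaks SOCKS5 with no authentication; the stub proxy, the temporary socket path and `example.com` are constructed for illustration.

```python
import os, socket, struct, tempfile, threading

def stub_proxy(listener, seen):
    """Constructed stand-in for the proxy: parses one SOCKS5 CONNECT, opens no network socket."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as f:
        _ver, nmethods = f.read(2)
        f.read(nmethods)                              # auth methods offered by the client
        conn.sendall(b"\x05\x00")                     # select "no authentication"
        _ver, cmd, _rsv, atyp = f.read(4)
        name = f.read(f.read(1)[0])                   # ATYP 0x03: length-prefixed hostname
        (port,) = struct.unpack("!H", f.read(2))
        seen.update(cmd=cmd, atyp=atyp, host=name.decode("ascii"), port=port)
        conn.sendall(b"\x05\x00\x00\x01" + bytes(6))  # reply: succeeded, bound 0.0.0.0:0

def socks5_connect_via_uds(sock_path, host, port):
    """Browser side: the only socket created is AF_UNIX; the hostname is sent unresolved."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        with s.makefile("rb") as f:
            s.sendall(b"\x05\x01\x00")                # SOCKS5, one method: no-auth
            if f.read(2) != b"\x05\x00":
                raise ConnectionError("proxy did not accept no-auth")
            name = host.encode("ascii")
            s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                      + struct.pack("!H", port))      # CONNECT by name, not by IP
            return f.read(10)[1]                      # REP field, 0x00 = succeeded

def demo():
    d = tempfile.mkdtemp()                            # mode 0700: other users cannot reach the socket
    path = os.path.join(d, "socks")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(1)
    seen = {}
    t = threading.Thread(target=stub_proxy, args=(listener, seen))
    t.start()
    try:
        rep = socks5_connect_via_uds(path, "example.com", 443)
        t.join()
        dir_mode = os.stat(d).st_mode & 0o777
    finally:
        listener.close()
        os.unlink(path)
        os.rmdir(d)
    return rep, seen, dir_mode

if __name__ == "__main__":
    print(demo())
```

Access to the socket is governed by filesystem permissions on its directory, whereas a TCP listener on localhost accepts connections from any local process unless a firewall rule says otherwise.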
(Score: 2, Insightful) by Anonymous Coward on Friday October 14 2016, @02:02PM
Damn! That's so fucking obvious. It is amazing they didn't do it 10 years ago. I don't blame them, hindsight is 20/20.
(Score: 2) by ledow on Friday October 14 2016, @02:22PM
To be honest, I'm thinking that if you're not using Tor on a system that has any way to use something non-Tor as a default gateway, default socket host, default interface, etc. then you're an idiot anyway.
Tor is an anonymising VPN, in effect. Letting things slip outside that VPN is just asking for trouble.
The web browser talking straight to a proxy uninterfered is only part-way to a solution.
DNS, HTTP, HTTPS, Websockets might ALL be forced onto Tor, but what about ANY other activity on your system that might give you away?
(Score: 0) by Anonymous Coward on Friday October 14 2016, @02:41PM
What's wrong with using localhost to communicate with the proxy?
(Score: 4, Interesting) by fishybell on Friday October 14 2016, @04:11PM
Usually your firewall lets localhost communicate to the internet connected ethernet devices. When your only access to the tor network is by using a bridge between localhost and the virtual adapter, essentially anything that can connect to localhost for tor and then connect to your other ethernet devices (automatically via your route configuration).
Unless you have a firewall that has rules on a per-application basis -- ie. only allow firefox to connect to localhost:9050 -- this is a superior solution. As far as I can tell, this is a superior solution to all traffic from firefox, whether you're connecting to the internet through tor or not.
(Score: 0) by Anonymous Coward on Friday October 14 2016, @04:36PM
Agreed, I wouldn't have thought to make Mozilla not need network access.
(Score: 2) by bob_super on Friday October 14 2016, @06:38PM
Now, if we could only make Outlook not need neither network nor system access, we'd cut down on a lot of crapware.
(Score: 2) by termigator on Friday October 14 2016, @08:04PM
IIRC, NCSA Mosaic had the ability to communicate via a unix domain socket. I wrote a script that would send commands to the browser. Cannot remember the details and if you could render content, but the idea is not new. I think the problem is that such IPC mechanism is *nix-based, so if trying to support other OSes, it does not work.
(Score: 0) by Anonymous Coward on Saturday October 15 2016, @02:09AM
No, but most OSes have support for named pipes. Seems to me that similar security could be carried out by using those instead of UDS.
(Score: 0) by Anonymous Coward on Saturday October 15 2016, @10:23AM
I stopped reading at "other OSes"...
(Score: 1, Interesting) by Anonymous Coward on Friday October 14 2016, @08:16PM
I had the same as what they want for a decade now:
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#Tor:
iptables -A INPUT -p TCP --dport 9001 -j ACCEPT
iptables -A OUTPUT -p TCP -m owner --uid-owner tor -j ACCEPT
This filters all traffic (also DNS) to tor only. Better than what they want, as it's not firefox-specific; rather it will filter all software on my host.
Btw. most people also want:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
You may also want to repeat with ip6tables. It's remarkably jaw-dropping how much traffic originating from my host is blocked this way. Especially browser addons want to call home all the time. To see that yourself, you can add some logging:
iptables -A OUTPUT -j LOG --log-level info --log-prefix 'blok ' --log-uid
iptables -A OUTPUT -j NFLOG --nflog-group 10
Be careful out there.