Tor at the Heart: Firefox

by ssteele | December 30, 2016

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

Firefox <3 Tor Browser

by Ethan Tseng and Richard Barnes

If you’ve used Tor, you’ve probably used Tor Browser, and if you’ve used Tor Browser you’ve used Firefox. By lines of code, Tor Browser is mostly Firefox -- there are some modifications and some additions, but around 95% of the code in Tor Browser comes from Firefox. The Firefox and Tor Browser teams have collaborated for a long time, but in 2016, we started to take it to the next level, bringing Firefox and Tor Browser closer together than ever before. With closer collaboration, we’re enabling the Tor Browser team to do their jobs more easily, adding more privacy options for Firefox users, and making both browsers more secure.

The Tor Browser team builds Tor Browser by taking Firefox ESR and applying some patches to it. These changes add valuable privacy features for Tor Browser users, but having these changes also means that every time the Tor Browser team wants to use a new version of Firefox, they have to update the patches to work with the new version. These updates take up a substantial fraction of the effort involved in producing Tor Browser.

In 2016, we started an effort to take the Tor Browser patches and “uplift” them to Firefox. When a patch gets uplifted, we take the change that Tor Browser needs and we add it to Firefox in such a way that it’s disabled by default, but can be enabled by changing a preference value. That saves the Tor Browser team work, since they can just change preferences instead of updating patches. And it gives the Firefox team a way to experiment with the advanced privacy features that the Tor Browser team is building, to see if we can bring them to a much wider audience.

Our first major target in the uplift project was a feature called First Party Isolation, which provides a very strong anti-tracking protection (at the risk of breaking some websites). Mozilla formed a dedicated team to take the First Party Isolation features in Tor Browser and implement them in Firefox, using the same technology we used to build the containers feature. The team also developed thorough test and QA processes to make sure that the isolation in Firefox is as strong as what’s in Tor Browser -- and even identified some ways to add even stronger protections. The Mozilla team worked closely with the Tor Browser team, including weekly calls and an in-person meeting in September.

First Party Isolation will be incorporated in Firefox 52, the basis for the next major version of Tor Browser. As a result, the Tor Browser team won’t have to update their First Party Isolation patches for this version. In Firefox, First Party Isolation is disabled by default (because of the compatibility risk), but Firefox users can opt in to using First Party Isolation by going to about:config and setting “privacy.firstparty.isolate” to “true”.
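Because the preference is off by default, auditing a profile means reading its prefs. The following is an added example, not code from the original post or from Mozilla: it parses the pref()/user_pref() line format used by Firefox prefs.js and user.js files and reports whether First Party Isolation is enabled. The sample file and the example.test domain in it are constructed.

```python
import re
from typing import Dict, Union

PrefValue = Union[bool, int, str]

# One preference line in prefs.js / user.js, e.g.
#   user_pref("privacy.firstparty.isolate", true);
#   pref("extensions.autopermission.sites.example.test", "canvas/extractData=1");
# Values are a boolean, an integer, or a double-quoted string.
_PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse pref()/user_pref() lines into a name -> value mapping.

    Later lines override earlier ones, matching how Firefox applies user.js.
    Comment lines (// ...) and anything that does not match are skipped.
    """
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            value: PrefValue = True
        elif raw == "false":
            value = False
        elif raw.startswith('"'):
            # Unescape \" and \\ inside the quoted string.
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def first_party_isolation_enabled(prefs: Dict[str, PrefValue]) -> bool:
    """Firefox 52 ships with this pref disabled, so a missing pref means off."""
    return prefs.get("privacy.firstparty.isolate", False) is True


# Constructed sample user.js for demonstration; not a real profile.
SAMPLE_USER_JS = """\
// Constructed sample user.js
user_pref("privacy.firstparty.isolate", true);
user_pref("network.cookie.cookieBehavior", 1);
pref("extensions.autopermission.sites.example.test", "canvas/extractData=1");
"""

if __name__ == "__main__":
    parsed = parse_prefs(SAMPLE_USER_JS)
    print("First Party Isolation enabled:", first_party_isolation_enabled(parsed))
```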

We’re excited to continue this collaboration in 2017. Work will start soon on uplifting a set of patches that prevent various forms of browser fingerprinting. We’ll also be looking at how we can work together on sandboxing, building on the work that Yawning Angel has done for Tor Browser and the Firefox sandboxing features that are scheduled to start shipping in early 2017.

Finally, we should recognize the value of the continued collaboration between Mozilla and the Tor Project with regard to security vulnerabilities. The importance of this collaboration was on display only a few weeks ago, when we were both simultaneously notified of a zero-day exploit targeted at Tor Browser using a vulnerability in Firefox. Working together, we were able to develop, test, and ship a fix to both browsers in under 24 hours.

The collaboration between the Firefox and Tor Browser teams is a great example of how Mozilla’s principles of openness and participation can help advance security and privacy on the Internet. We’re proud of all we’ve accomplished together with the Tor Project in 2016, and we’re looking forward to continuing to make the web more secure and more private.

Comments

December 30, 2016

As a Firefox user from version 2, I'm very proud of the work Mozilla does for an open, private and secure Internet. Thanks to Mozilla for being one of the few arms against Google's hostility.

It doesn't work because of some nasty canvas element. However, the current Tor Browser asks for permissions. It only works if you use the torbutton extension. If you don't, you can use the "Permissions Auto Registerer" extension with the following setting (prefs.js / user.js format):
pref("extensions.autopermission.sites.extratorrent.cc", "canvas/extractData=1");

December 30, 2016

So the new TBB will no longer be based on ESR?

What about Orfox?

Thanks for all the necessary work over the last year!

I don't think that's what it means. Tor Browser will still be based on ESR unfortunately, and the next ESR will be ESR52. It's unfortunate because ESR does not fix any bugs marked low or moderate severity, so Tor Browser will build up low and moderately severe bugs each year and not get them fixed, only fixing high and critical severity bugs.

December 30, 2016

Vice versa Copycats

Firefox also added font tracking protection, something Tor Browser already had.
But I hope Firefox is not making the same mistake Tor Browser has.

It seems that font tracking on Tor Browser is still possible by system, which is a risk too.
It looks like the "font.system.whitelist" differs for the different OS versions; the Windows version has some 7 more fonts anyway.
Shouldn't you remove the Microsoft and Apple named fonts? And/or the ones that are specifically related to one OS?
There is also a mistake in the MacOS list, one dot too many in this name " .Helvetica Neue DeskInterface " .

No OS font tracking should be the idea, right?

https://trac.torproject.org/projects/tor/ticket/18097 has a description you might want to read. It explains what we are currently doing. I am not sure I understand your point about different fonts for "different os versions". Maybe you mean things like https://trac.torproject.org/projects/tor/ticket/17999?

Regarding ".Helvetica Neue DeskInterface", that seems to be the correct spelling.

December 30, 2016

That is very good news: First Party Isolation (Firefox 52!) & a set of patches that prevent various forms of browser fingerprinting (2017).
Mozilla should help & donate more ;)
I went on the EFF site (fingerprint tracking test page) & I read that the Tor team should soon make its own fingerprint page/test:
- When will it be available?
- Will you please inform us what exactly are the right settings that everyone must have to be 'invisible'? Is it already done by default? Can I uncheck the cookies option, the check my spelling option, the other search engines (I hate Twitter & Google)?
Thank you very much for your fantastic improvement & happy new year 2017!

We had a GSoC project, Fingerprint Central, in 2016 which we are incorporating into our Q&A efforts right now. You can find a beta version on: https://fpcentral.irisa.fr/ The integration should be done in a couple of months.

The question about the exactly right settings is a tricky one as the behavior of other Tor Browser users plays a role here. But a good strategy is to keep Tor Browser as we ship it and adjust your security level according to your needs using only the security slider.

January 06, 2017

In reply to gk

Thank you very much for your answer and I will follow the good strategy.

It is a fr site but written in uk/us and with NoScript checked on; my fingerprint is discreet.
- I do not see if my browser fingerprint is more or less anonymous according to the default setting and the other users (where is this percentage indication?);
- I do not see some advice like, e.g., replace your user-agent (take this one, it is the same as most users) or shut down your embedded camera;
- I do not see my VPN or the server (node);
- I do not see the version of Tor (is it not strange?).

December 30, 2016

Just sayin, but I love Firefox for NOT being from Google ;). And I love how Firefox and Tor (Browser) development is bringing us a better and safer browsing experience :). Thank you!

I talked to Linus Neumann from the CCC content team back in September, and we concluded that this wasn't the right timing for another state of the onion talk at CCC. That is, I did not submit the talk.

That said, we had a great meet-up of maybe 150 people and we talked about many things for two hours:
https://events.ccc.de/congress/2016/wiki/Session:Tor
and then another one of maybe 50 relay operators the next night:
https://events.ccc.de/congress/2016/wiki/Session:Tor_Relays_Operators_M…

I personally enjoyed Congress a lot more when I didn't have to spend two weeks leading up to it preparing my brain for a talk in front of 5000 people, and then the days after it trying to follow up to all the press buzz it created. This time I could actually sit down and talk to people, and that's what I did for four days straight.

Oh, and one more possibly useful answer: I'd say this 'Tor at the heart of Internet freedom' blog post series is a pretty great state of the onion, right?

December 30, 2016

In reply to arma

D-mn right!

"Tor at the Heart": best idea I never thought of! :)

WHY ? Really? (You may have noticed that there were no other talks from Tor People either)

Probably because a lot of people in the CCC didn't like the trial by rumour thing that happened in the middle of the year... especially because people like [names the anonymous commenter wanted everybody to hassle more redacted] are still working for or affiliated with the Tor Project & Company.

December 30, 2016

Uplifting Tor, I love it!

Thanks so much to Mozilla for giving Firefox to the world, to the FF devs for working to incorporate some of TB's features in FF, and to Mozilla for its role in cracking down on untrustworthy Certificate Authorities (DigiNotar and too many others).

Speaking of which, do you agree that onion services may point the way toward a solution to the CA mess?

December 31, 2016

Glad to see the work of Tor developers coming into Firefox! However you didn't mention Selfrando, is it coming forward to Firefox?

December 31, 2016

If Mozilla sincerely wanted to promote anonymity they would include a warning on each visited link (broken sites as you call them) of what they require in order to view the information they provide. Just like on HTTPS Everywhere, a warning saying that the link you are about to open requires identification of the user and prohibits anonymity. This may create pressure from the conscious browser user on the sites about the reasons they enforce identity collection of visitors. Of course there would be very, very few sites that the warning would not come up for, but hey. Do people really know while using Firefox that their every step is being recorded and cross-tabulated with all the rest of their identifying activity? No! They assume if they are not asked for a username and password their visit is anonymous. Add NoScript and HTTPS Everywhere to Firefox and 95% of the Internet is gone.

The sandboxing release may be something a professional developer can employ, but neither Debian nor Tor seem to provide any practical information on how you are to get this thing to work. Some basic steps and suggested commands would be great. Even flatpak -help shows very little info on how to make it run. Good old Tails is the most sandboxing fun you can have with your ID on.

> If mozilla sincerely wanted to promote anonymity they would include a warning on each visited link (broken sites as you call them) of what they require in order to view the information they provide.

Do you mean like which identifying JavaScript/CSS/SVG/etc API functions the site is using? E.g. screen resolution, fonts, etc. Sort of like Android's permissions?

> Just like on the https-everywhere a warning saying that the link you are about to open requires identification of the user and prohibits anonymity.

I'm not sure what you're referring to. I don't think I've ever seen such a warning. Can you elaborate on this?

> Do people really know while using firefox that their every-step is being recorded and crosstabulated with all the rest of their identifying activity?

Most Firefox users (or users of any other browser besides Tor Browser) have probably never thought of it, and don't really care that much. If they do care, they're better off downloading Tor Browser. Does it make sense for Mozilla to do all the work you're suggesting when they could simply say "if you care about anonymity, download Tor Browser"?

> The sandboxing release may be something a professional developer can employ but neither debian or tor seem to provide any practical information of you are to get this thing to work.

I don't think the Tor Browser sandbox uses flatpak at all. I think it's written from scratch, and it's still in early development, so it'll get easier to use with time.

> I don't think the Tor Browser sandbox uses flatpak at all. I think it's written from scratch, and it's still in early development, so it'll get easier to use with time.

Kind of sort of. It uses something that the flatpak developers wrote called bubblewrap at runtime to do container setup.

The documentation (that was explicitly linked from the release blog post, and my release e-mail) specifically calls for bubblewrap so I'm not sure why they installed flatpak or are looking at flatpak.

Assuming bubblewrap is installed, it just is extract, run, and click buttons (nb: if they're running a grsec kernel there's one more step involved due to a build/go compiler issue).

January 02, 2017

In reply to yawning

My mistake. I didn't realize bubblewrap was part of Flatpak. Even so, I too don't know why the OP mentioned "flatpak -help" if the sandbox is only based on bubblewrap. I haven't tried the sandbox quite yet, but I guess some users are having trouble with it.

Perhaps UX work and documentation would be helpful, but if/when the sandbox makes it into mainline Tor Browser, Tails, or Whonix/Qubes I imagine it'll be completely transparent when using that product.

yawning

January 01, 2017

In reply to arma

Those instructions are out of date because binaries are available now, and the dependencies have changed in master since then.

Really most people should just use the binaries unless it crashes for them due to the two crash bugs that I fixed...

January 03, 2017

In reply to yawning

Working instructions for non-Qubes-Whonix using the available binaries are below. This should also work on other platforms with minor changes:

https://www.whonix.org/wiki/Tor_Browser#Sandboxing_Tor_Browser_in_Non-Q…

Sandbox is not working in Qubes-Whonix due to problems (unresolved) with bubblewrap, see here:

https://github.com/projectatomic/bubblewrap/issues/134

Even the bubblewrap and Qubes developers are mystified, since the Qubes kernel is very similar to upstream kernel.

Yawning, does this info help to further investigate that Tor Ticket re: "Can't mount proc on /newroot/proc: Operation not permitted"?

At a glance, those instructions are pulling in unneeded dependencies (there is a difference between build and run-time dependencies for the project). But I don't use Qubes-Whonix at all, or Debian for that matter so I can't really comment on the rest of it.

January 03, 2017

What is life without Firefox? I can't imagine. I have used Firefox from v2 till today. I have simply loved the browser and Mozilla's principles. I went ahead to become a Mozilla Student Rep and now a Mozilla Rep. You've done so much for the web. I'll do anything possible for Mozilla :)

January 03, 2017

In light of all the emphasis on security, and privacy concerns, why does Firefox require all kinds of permissions on their mobile browsers?

That's good to hear! Anything in particular you want to help with? If you want to work on Tor Browser and don't know where to start, we have tickets in our bug tracker marked with "tbb-easy": https://trac.torproject.org/projects/tor/query?status=!closed&keywords=….

If you want to help upstreaming patches or want to work on the Firefox side, just ping us. One easy way to do so is to drop by at our weekly Tor Browser meeting in #tor-dev at irc.oftc.net which is happening on Mondays 1900 UTC.

January 05, 2017

>That saves the Tor Browser team work, since they can just change preferences instead of updating patches.

How about the numerous cases when Mozilla have removed some features from their browser as "unused" though they were really heavily used by regular Firefox users? Your feature will be used even more rarely, so I guess they are more likely to remove it. How about the cases when Mozilla incorporate malicious functionality into their browser: Hello, Pocket, WebRTC PeerConnection, telemetry, health report and mandatory add-on signing? How about eliminating powerful add-ons and making Firefox a Gecko-based clone of Chrome?

We obviously cannot rely on Mozilla and need our own fork.

January 06, 2017

The biggest mistake Firefox has ever made is adding WebRTC without any security warning; how many users leak their real IP.

January 08, 2017

Can the Tor Project still be careful during this collaboration and others in the future, please. Sometimes the bigger things get, the easier it is to fall.

January 11, 2017

Firefox developers read this, really?
If so, please, reply.

From Bugzilla:
If we are going to drop support for non-SSE machines, most of which are Athlon XP CPUs, then we at the very least need to get our messaging right and stop this from looking like a crash.

And what did they do?
They made Firefox crash during startup right after the update!

Now they are going to "improve" support by dropping Win XP and Vista. Even in the middle of Extended SUPPORT Release, EPIC!

What's next?

January 15, 2017

What will happen to TBB users who still use XP and Vista after Firefox drops support for these systems?

January 18, 2017

@ FF devs: thanks for making Firefox!

Years ago we reported that newer versions of Firefox do not protect users who don't wish to download images by default from HTML5, and this was assigned a low priority.

Just wanted to point out that this bug ("feature") has an adverse impact on Tor users. Tor tends to be too slow for those with slow internet connections if we cannot disable automatic image loading.

Any chance of finally getting this problem fixed in the next FF?