Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Temporary Containers redundant with TCP / FPI? #1519

Closed
stoically opened this issue Jul 31, 2022 · 52 comments
Closed

Temporary Containers redundant with TCP / FPI? #1519

stoically opened this issue Jul 31, 2022 · 52 comments

Comments

@stoically
Copy link

Hey, I've noticed that you mention that TC is redundant with TCP / FPI. From my perspective that is not the case. I've written down my thoughts on that here https://github.com/stoically/temporary-containers/wiki/Comparison#total-cookie-protection and I'd be interested if I'm wrong with my claims?

You also mention that "in-session clearing is a false sense of privacy". Generally I agree, however, with TCP and FPI you get long-term storage. While with TCs the storage is gone together with the container, so I feel like that's a distinction that could still be highlighted. Also, personally, I'd say that if the bar is "everything that doesn't give you full privacy is a false sense of privacy" then that rules out everything besides Tor browser still.

Thanks for your efforts and please let me know if you spot inconsistencies in my perspectives.

@remyabel2
Copy link

If your use case is partitioning websites (which I think a lot of privacy-focused people were doing) then they are redundant in that sense. As dFPI partitions websites with ETP Strict, TC is redundant here. Arkenfox has preferences to sanitize on shutdown to prevent persistent storage and does not recommend using custom ETP settings (but setting exceptions instead). The threat model here excludes first party tracking as if you log into sites, they already know who you are. In-session sanitizing won't really do anything without changing your IP on other sites. This is why it's recommended you use Tor Browser if your threat model calls for it.

However, people still use containers for managing multiple accounts, but this doesn't really have anything to do with tracking.

@stoically
Copy link
Author

stoically commented Jul 31, 2022

Yeah, those are all fair points I agree with. But in my mind the wiki paragraph about TC doesn't reflect that properly and makes an incomplete comparison that could easily get misinterpreted if read in isolation.

The threat model here excludes first party tracking as if you log into sites, they already know who you are. In-session sanitizing won't really do anything without changing your IP on other sites.

Obviously I have no hard data to support my perspective here, but I assume that regular ad trackers do rely on storage primarily, as IPs are way too broad nowadays with all the shared ipv4 on mobile and DSL networks going on due to address room shortage. So in-session separation would give you additional protection in this case.

Also without Tor, just clearing all data on browser shutdown is not enough either, you would need to make sure that you get a new IP from your ISP as well. Tho, the TC paragraph does mention that already, yeah.

@stoically
Copy link
Author

you would need to make sure that you get a new IP from your ISP as well.

Might be an idea for a little add-on actually, that blocks browsing if you still have the same ip when the browser starts. 🤔

@Thorin-Oakenpants
Copy link
Contributor

Thorin-Oakenpants commented Jul 31, 2022

stoically

however, with TCP and FPI you get long-term storage

that's what sanitizing on shutdown is for. There's also "forget about this site" (right click a history item), "manage data" (selectively), ctrl-shift-del (except it doesn't respect cookie/site-data exceptions yet), and "clear data" (the lot). I get that it's manual rather than done automagically

stoically

you would need to make sure that you get a new IP from your ISP as well

I have already stated IP is an issue. TC doesn't solve that. Neither does sanitizing. That's what VPNs are for. Or as we state in numerous places .. use tor browser if it suits


The point is that partitioning is MOOT, so the only benefits from TC

  • partitioning multiple accounts? you can already do this with say MAC or just built in containers
  • sanitizing in session (and the containers/contextID clearing API is the only one that works AFAIK)
  • that's it

Sanitizing in session IS a false sense of privacy. It's the definition of insanity - doing the same thing over and over again. Is it a bad thing? Not really. Could it help? Sure, bound to somewhere - but not everywhere - it's a FALSE sense of privacy

  • "look guys, I deleted the cookies (or all site data) now I am anonymous again, haha, the fools, i am so awesome"
  • ^ typical user

I am not really interested in propagating this. I've said TC was redundant with FPI years ago. It's still redundant with dFPI.

remyabel2

The threat model here excludes first party tracking

That's actually not such a bad description, but not entirely accurate. For example we don't want (edit) any linkability - e.g. referrals, params, ids. And we obviously sanitize on close (which still does not address the IP problem), but it is built-in and does not require an extension.

Are there edge cases for users to use TC? Sure. If you want to use it, that's on you. But it still doesn't solve the IP problem.

Imagine if I listed it in the maybe section, then I have to add a bunch of info that people don;t read, and then don't understand. This is about the fifth issue someone has said my words are incorrect. They are not.

  1. TC's partitioning is moot with dFPI (I just edited the wiki to make that more clear)
  2. TC's sanitizing in session is a false sense of privacy, cuz IPs
  3. not said: sanitizing on close is also a false sense of privacy, cuz IPs
    • but at least we're sanitizing once in a while
  4. not said: it is assumed that we are looking at worse case scenarios, and we want proper full solutions, and I don't have hard data, and IDK who would, how IPs are used to link traffic - but I would say that some platforms are pretty robust, logging everything and they would absolutely have some (benign 1st party?) FPing to assist

Anyway, I find the whole IP issue to be out of scope - we recommend Tor Browser, and there are hundreds or articles/sources for VPN info

If you want to use Firefox to protect against repeat 1st party, outside of a user.js, then go ahead and use a VPN and change it all the time and sanitize on eTLD+1 + scheme close, and don't forget to keep track of when to change your IP to be sure you aren't linked. Sounds way overkill and not something I care to constantly discuss. That's why we recommend Tor Browser

@stoically
Copy link
Author

stoically commented Jul 31, 2022

I'm not challenging any of the points made, I'm actually agreeing. I'd just appreciate if the arkenfox wiki paragraph about TC would mention that TC gives you proper storage cleaning, something TCP/FPI does not give you - and that, in this sense, TC is not redundant. Since, if you read that paragraph without having the bigger picture, it might give the impression of it being the same thing.

Whether new storage but still same IP is something to be concerned about is the question of the personal threat model. Clean storage and new IP gives you more privacy, that's for sure.

@Thorin-Oakenpants
Copy link
Contributor

TC gives you proper storage cleaning, something TCP/FPI does not give you

sanitizing on shutdown gives you "proper storage cleaning"

TC is grouped in with "cookie cleaners" as a single entry but has two parts. The first part said "redundant" re 3rd parties are already isolated re dFPI. The second part doesn't say anything about redundancy and is about sanitizing. I mentioned I edited the wiki. I actually removed the word "redundant" in the first bullet point

Nowhere does it say dFPI sanitizes

@Thorin-Oakenpants
Copy link
Contributor

damn, I guess I didn't save the wiki edit - weird

@stoically
Copy link
Author

stoically commented Aug 1, 2022

Thanks for the edit, that solves the issue from my perspective, but of course feel free to reopen if you see the need for it.

@stoically
Copy link
Author

Maybe a tiny suggestion: Calling the section "Don't bother" feels a tiny bit rude. Maybe it could be worded a bit more friendly. 💚

@stoically
Copy link
Author

stoically commented Aug 1, 2022

Random thought regarding alternative naming: Maybe the sections could be ordered and named by their type of threat model / amount of convenience?

@GlassGruber
Copy link

Maybe a tiny suggestion: Calling the section "Don't bother" feels a tiny bit rude. Maybe it could be worded a bit more friendly. 💚

Maybe "Redundant"? BTW I love TC 🎩

@Thorin-Oakenpants
Copy link
Contributor

re-opening, because changes are coming

@Thorin-Oakenpants
Copy link
Contributor

I am not against using containers, or MAC. I'm not even against TC. Containers provide additional uses (such as multiple logins) and fallbacks/safeguards (see #1448). I'm still going to stick to my guns and say that sanitizing in session is not a valid solution on it's own (but it is if it's to reset a login for example - e.g. same as "Forget about this site" - so e.g. bypass paywall limit, fuck yeah, enjoy the popup cookie banner each time though)

Anyway, lumping TC in with don't bothers is a bit harsh. Yes the partitioning is redundant (we're already partitioned, baring bugs), yes sanitizing in session is a false sense of privacy. But contextIDs (or is it contentIDs) are a great secondary isolation feature

Also MAC + VPN support: someone correct me if I'm wrong, but I'm guessing here that the VPN only kicks in on containers you specify, and in future if not already, you can specify what VPN (or exit) to use per container? Anyway, more reasons to highlight container extensions as maybes

Anyway, @stoically .. rejoice

@Jee-Hex
Copy link

Jee-Hex commented Aug 24, 2022

enjoy the popup cookie banner each time though)

You're almost never going to see cookie prompts when subscribed to one or two Annoyances filters.

But contextIDs (or is it contentIDs) are a great secondary isolation feature

FWIW it's userContextId

and in future if not already, you can specify what VPN (or exit) to use per container?

I think this was already possible since 8.0.2, but

but I'm guessing here that the VPN only kicks in on containers you specify,

is going to cause DNS leaks if you are not behind a full tunnel (e.g. pac) and forgot to manually turn off uBO's CNAME uncloaking option (also discussed on this repo).

But personally it would be nice to have random SOCKS5 proxies per temporary container when it happens.

@Thorin-Oakenpants
Copy link
Contributor

thanks. yup, there's lots of potential with containers as a simple means to group sets of domains

@stoically
Copy link
Author

stoically commented Aug 27, 2022

@Thorin-Oakenpants Thanks for taking another look!

Regarding the "sanitizing in session" perspective: For me personally that's not why I'm using TC, nor is it something I consider particularly valuable in my day to day browsing. Instead, my threat model allows me to lean more towards the convenience side, which means that I don't delete all data when my browser shuts down. Without TC that would leave me with permanent storage in the long run – and that's what TCs solve for me: They make sure that I don't end up with long-term storage for random browsing, in addition to also isolating sites from each other properly. If I want long-term storage, I use permanent containers for that. Obviously that's not as reliable or privacy-focused as deleting all data when the session ends, but it's way more reliable and privacy-focused than traditional cookie cleaners. Hope that makes sense – otherwise please let me know!

@Jee-Hex

But personally it would be nice to have random SOCKS5 proxies per temporary container when it happens.

Something I started working on, but never finished and probably never will: "Random IPv6 per TC"

It was a fun experiment tho :D

@Kraxys
Copy link

Kraxys commented Aug 29, 2022

I find this discussion very interesting!

But the question could be considered from the other end: If you have some temporary/ephemeral container extension enabled, what more bring TCP and dfpi to you exactly (under the hypothesis that the extension in use is properly functioning of course).

Moreover, concerning this thread's topic I read here that @ThorinOakenpants wrote:

Sanitizing in-session is a false sense of privacy. They do nothing for IP tracking. Even Tor Browser does not sanitize in-session e.g. when you request a new circuit. A new ID requires both full sanitizing and a new IP. The same applies to Firefox.

The "same ip" question seems to the basis of the argument.

So, what about using a mechanism assigning different proxies to different containers (btw such extensions appear to exist on AMO, with few users and not updated since quite a long time for sure, but we have a principle discussion here, so let's suppose they are functioning without any bug/leak)?

Edit: Some example of extensions of the "container per proxy" type (just found 3, I didn't test any of them):
Container proxy, Container Socks Proxy helper, Simple Container Proxy.

Alternatively, it's probably possible to get half theses features in using a temporary/ephemeral containers extension in conjunction of a proxy PAC.

@remyabel2
Copy link

So, what about using a mechanism assigning different proxies to different containers (btw such extensions appear to exist on AMO, with few users and not updated since quite a long time, but we have a principle discussion here, so let's suppose they are functioning without any bug/leak)?

It's still inferior to Tor browser. VPNs and proxies offer dubious privacy. You are moving the traffic from your ISP to a VPN, who you have to trust not to log and to trust will not be able to provide your data to third parties (i.e, via subpoena). Even masking your IP, you are still very fingerprintable and even Arkenfox admits this. Using Tor, your fingerprint in theory should be identical to every other Tor user.

Further, Tor uses relays in order to separate the IP from the data. One relay knows who you are, the other relay does not but knows your data, so long as the two cannot be put together, you are in theory browsing anonymously. This of course is defeated if you do not change your browsing habits or if they are able to put 2 + 2 together with a correlation attack, but it is much more difficult to pull off with Tor, and trivial to do with another browser even with anti-fingerprinting measures.

So in other words, if your threat model requires anonymity, Tor is still the best solution. For all other cases, trying to emulate Tor is a false sense of security.

@Kraxys
Copy link

Kraxys commented Aug 29, 2022

So, what about using a mechanism assigning different proxies to different containers (btw such extensions appear to exist on AMO, with few users and not updated since quite a long time, but we have a principle discussion here, so let's suppose they are functioning without any bug/leak)?

It's still inferior to Tor browser. VPNs and proxies offer dubious privacy. You are moving the traffic from your ISP to a VPN, who you have to trust not to log and to trust will not be able to provide your data to third parties (i.e, via subpoena). Even masking your IP, you are still very fingerprintable and even Arkenfox admits this. Using Tor, your fingerprint in theory should be identical to every other Tor user.

Further, Tor uses relays in order to separate the IP from the data. One relay knows who you are, the other relay does not but knows your data, so long as the two cannot be put together, you are in theory browsing anonymously. This of course is defeated if you do not change your browsing habits or if they are able to put 2 + 2 together with a correlation attack, but it is much more difficult to pull off with Tor, and trivial to do with another browser even with anti-fingerprinting measures.

So in other words, if your threat model requires anonymity, Tor is still the best solution. For all other cases, trying to emulate Tor is a false sense of security.

Tor is plausibly better but the topic of this thread is not x or y vs Tor but TCP & dFPI vs ephemeral/temporary containers.

No matter what, it is not entirely clear that Tor is extremely superior to the usage of rotating nested independant reputable vpns because:

  1. technically, less risk of ip/dns leaks (each vpn proxifies the whole network activity, not just the web one)
  2. the probability of a server being evil is lesser when it belongs to a reputable vpn provider than when it belong to the Tor network (particularly concerning the servers acting as exit nodes).

@remyabel2
Copy link

Tor is plausibly better but the topic of this thread is not x or y vs Tor but TCP & dFPI vs ephemeral/temporary containers.

That part was already discussed earlier. I brought up Tor to illustrate that what you're looking for probably does not offer the privacy advantages you want.

technically, less risk of ip/dns leaks (each vpn proxifies the whole network activity, not just the web one)

And how exactly does Tor leak DNS? If you use Tor with VPNs, this is possible, but should not happen on a regular setup.

the probability of a server being evil is lesser when it belongs to a reputable vpn provider than when it belong to the Tor network (particularly concerning the servers acting as exit nodes).

Based on what metric? There's been plenty of documented incidents of VPNs either being malicious or incompetent. Regardless, Tor's model is trustless in the sense that you don't NEED to trust the relays because of how it routes traffic. With VPN, you do need to trust the provider. Even with a malicious exit node, if you only visit HTTPS sites, it's not really an issue.

@rusty-snake
Copy link
Contributor

what more bring TCP and dfpi to you

  • dFPI nothing much.
  • TCP is more that strict cookie isolation (or whatever the current marketing name for it is). It has tracking-protection, query stripping, referer protection, ...

@Thorin-Oakenpants
Copy link
Contributor

Thorin-Oakenpants commented Aug 29, 2022

I can't find it now, but there was a thread on HN just the other day where someone (and there were other examples) blocked certain companies, ended up with a completely broken internet and devices would hang (or something)

long story short, there are six or seven companies that control such vast swathes of the backbone and services, that it's become impossible - think akaimai, cloudflare, aws, azure, alphabet, etc. And IANAE or inside trader but I bet they all log IPs (and probably monetize it) - once someone else has your information (like an IP address), then you have lost control of that info - you do not know nor have any bearing on how that info is shared or sold

The solution can only be: Tor, VPNs.

Side note: this is why LocalCDN is marked as don't bother (which really seems to upset some redditors). If you protect your IP, then it's not needed. If you don't protect your IP, then it's pointless - you are a billion times better off using alternative services than pissing around with a minuscule few libraries

@Jee-Hex
Copy link

Jee-Hex commented Aug 29, 2022

I can't find it now, but there was a thread on HN just the other day where someone (and there were other examples) blocked certain companies, ended up with a completely broken internet and devices would hang (or something)

https://news.ycombinator.com/item?id=32618018 ?

@Thorin-Oakenpants
Copy link
Contributor

that;s the one: https://news.ycombinator.com/item?id=32618018

@stoically
Copy link
Author

stoically commented Aug 30, 2022

My thoughts on the IP discussion from the targeted ads perspective:

  • Something that became publicly known with regards to abusing IPs for ad purposes, was the fact that Facebook used them to determine the location of users and showing ads based on that: https://9to5mac.com/2018/12/18/facebook-location-privacy-ads-settings/. That kind of technique makes sense for them, given they – and other companies – sell ads, and the more targeted they can deliver the ad, the better they can sell their product.
  • Given that selling ads as targeted as possible is one of their key features, it also means that they have an interest in data sets that are as precise as possible. Mixing IPs into those ad-relevant data sets that not clearly belong to logged in users – based on storage – would introduce fuzzyness into the data sets, since without being logged in it's almost impossible for regular services on the web to assign the user to their respective data set.
  • People and companies using the marketing tools from companies such as Facebook never think in terms of IPs, nor do they have the ability to configure their campaigns based on them. Instead, it's always about target groups and locations.
  • So, basically: Using IPs for location-purposes and logged in users makes sense, trying to identify an user by using them, not so much.

Thought from the security perspective:

  • IPs are logged from services for the purpose of security and accountability. Basically: "How can I get the address of an user to sue them if they abuse my service?"

However, that leaves the question: Why does Tor exist? Why would one want to mask their IP?

  • Tor was invented as tool to protect state-level actors and especially their international communication. Hence why it made sense to make it a public project, so they can get as much traffic as possible to mask them. Those communications likely still happen over the network. You really don't want to leak your IP – and with that your location – to state-level actors, which obviously do have the means to query ISP databases one way or the other to get your precise location.
  • Tor is especially useful in countries where surfing on or trying to reach the wrong websites could get you actually into jail. In those situations leaking your IP to state-level actors, like the great firewall of china, makes you directly identifiable.
  • Tor hidden services are unique in what they make possible. Hosting sites while keeping the hosting party anonymous. Markets and similar sites still are popular targets when using Tor.
  • Since Tor masks your IP, it also prevents that ad companies can serve you ads based on your actual location. It doesn't stop them from showing you ads for the IP you appear to be coming from.
  • In the case services actually try to use the IP to correlate it with you specifically, be it for ads or other purposes, that would be prevented.
  • And Tor lets you circumvent IP-based security measures from services you want to use – if they not already block all exit nodes.

Just my perspective and no claim that it's complete by any means. If you spot an error or something important that's missing, let me know!

Note: This comment only concerns itself with the IP-perspective. Browser fingerprinting is a different story, even though related to some extent.

@remyabel2
Copy link

remyabel2 commented Aug 30, 2022 via email

@Thorin-Oakenpants
Copy link
Contributor

IP-perspective. Browser fingerprinting is a different story, even though related to some extent.

IP is just another fuzzy data point in FPing. e.g. is it a known tor exit node, is it a VPN, what VPN group, what ISP hub? It can used or discarded at will to help link footprints

@stoically
Copy link
Author

@remyabel2

You can use multi account containers to separate accounts, but trying to use Facebook “anonymously” is going to be nearly impossible with the amount of measures they take to identify users.

I'd be interested in details, like what kind of ads and what kind of perceived identification. My assumption would be that, given an unique enough browser fingerprint, they might even correlate you to an actual user or shadow account. If not unique enough, or just IP, I'd assume the general connection to a target group in combination with the IP location. My comment was solely about IPs.

That doesn’t mean you should only use tor for that purpose.

Absolutely. I tried to cover that with my point about "If they try identification via IP, it will get harder with Tor". But you might've missed that, given I edited and you replied by E-Mail.

Regardless, this isn’t about Tor versus VPNs versus Temporary Containers, more that different tools are useful for different threat models.

Also agreed. Just wanted to give my perspective on the IP discussion. As for which tools to use and when totally depends on the threat model and desired amount of convenience.

@Thorin-Oakenpants

IP is just another fuzzy data point in FPing. e.g. is it a known tor exit node, is it a VPN, what VPN group, what ISP hub? It can used or discarded at will to help link footprints

Yep. I just wanted to highlight my focus on IP here. I'd assume that if browser fingerprints are perceived as unique enough, they might even be used to correlate with actual user accounts, not only target groups / locations.

@remyabel2
Copy link

I'd be interested in details, like what kind of ads and what kind of perceived identification. My assumption would be that, given an unique enough browser fingerprint, they might even correlate you to an actual user or shadow account. If not unique enough, or just IP, I'd assume the general connection to a target group in combination with the IP location. My comment was solely about IPs.

Not sure what you mean by unique enough browser fingerprint. It does not take that many data points to uniquely identify someone. But when you combine browsers, OS, monitor size, addons installed, etc. you start reaching hundreds of data points. IP by itself is not that useful because users behind NAT or with DHCP can have a new IP assigned regularly. Even if you change your IP regularly, data brokers are quite good at linking profiles together.

Absolutely. I tried to cover that with my point about "If they try identification via IP, it will get harder with Tor". But you might've missed that, given I edited and you replied by E-Mail.

Tor makes it look like you're browsing from a different IP and uses anti-fingerprinting. The two are required in tandem. I believe I mentioned earlier how relay A knows your IP and relay C knows your data, so long as the two cannot be tied together, the user shouldn't be identified (ignoring the usual exceptions like zero days, lack of TLS, sloppy browsing habits).

Yep. I just wanted to highlight my focus on IP here. I'd assume that if browser fingerprints are perceived as unique enough, they might even be used to correlate with actual user accounts, not only target groups / locations.

At this point I think the discussion is starting to tread into anonymity vs privacy territory. Say for the sake of example I have an online identity that is separate from my federated (government) identity. If I do all of my online browsing under that identity, even if people do not tie it to me, for all intents and purposes I am that person. So if a data broker only knows me by John Smith, all of my data can still be linked together to give me targeted advertising even if I attempt to be anonymous. If on the other hand, your goal is to decouple your federated identity from browsing habits, then again Tor is the way to go. There are way too many avenues in which someone can be identified (VPN subpoena, breaches, leaks, username/browsing history correlation, etc.) that makes any solution compared to Tor inadequate.

@stoically
Copy link
Author

IP by itself is not that useful because users behind NAT or with DHCP can have a new IP assigned regularly. Even if you change your IP regularly, data brokers are quite good at linking profiles together.

That's the only point I'm challenging. Given the shortage of IPv4 and all the sharing going on, I don't think it gets used for linking to specific accounts.

Regarding everything else we're on the same page.

@Thorin-Oakenpants
Copy link
Contributor

for your amusement: https://news.ycombinator.com/item?id=32661061

@Kraxys
Copy link

Kraxys commented Sep 2, 2022

technically, less risk of ip/dns leaks (each vpn proxifies the whole network activity, not just the web one)

And how exactly does Tor leak DNS? If you use Tor with VPNs, this is possible, but should not happen on a regular setup.

I'm not able to detail you precisely how. But in the past, Fash and Java were able to deanonymize a Tor user (because Flash and Java could bypass Tor, who handles only TCP web connections). Flash and Java never were able to deanonymize an openvpn user. You may think Flash and Java are the past. But still, I recently found a website able to detect installed apps on the device and using the detected apps list as a fingerprint. So, a wab page is in some way able to detects apps on the device where the browser is running, and so, (why not) could be able to trigger some of them to start a network connection bypassing the Tor Browser and revealing the true non Tor IP of the Tor Browser user.

the probability of a server being evil is lesser when it belongs to a reputable vpn provider than when it belong to the Tor network (particularly concerning the servers acting as exit nodes).

Based on what metric?

Ah! The "metric" question! So If you were claiming that Tor is more anonymous than the simple usage of a socks5 proxy found somewhere on the web, I could argue "but based on what metric?", and it would be a valuable argument as there isn't yet any universally accepted metric for measuring anonymity?

But whatever... When I wrote that "the probability of a server being evil is lesser when it belongs to a reputable vpn provider than when it belong to the Tor network (particularly concerning the servers acting as exit nodes)." it was based on Occam's razor metric. When a vpn provider has over the years gained good reputation, it is not in his interest to do anything that would destroy this reputation in an instant.

On the other hand, a Tor exit node operator has no reputation to uphold.

I don't think this means it is incentive for the average Joe running a Tor exit node to become rogue. But this is incentive for already rogue guys to run tor exit nodes

There's been plenty of documented incidents of VPNs either being malicious or incompetent.

I was explicitely speaking in my previous post about "reputable vpn providers". Maybe I should have precised "competent and reputable vpn providers".

And concerning those, there are several documented incidents when some of their servers have been seized, without revealing anything.

Regardless, Tor's model is trustless in the sense that you don't NEED to trust the relays because of how it routes traffic. With VPN, you do need to trust the provider. Even with a malicious exit node, if you only visit HTTPS sites, it's not really an issue.

By now, most of the clearnet sites are https, but not all. And most .onion site aren't (although due to onion routing, this is far less a problem than on the clearnet). And remember that Wikileaks started out by running Tor exit nodes and sniffing traffic for documents and emails..

Edit: I corrected a missprint and replaced the sentence "And concerning those, there are several documented incidents when some of their servers have been seized, without revealing anything" where it was intended to be.

@fxbrit
Copy link
Collaborator

fxbrit commented Sep 2, 2022

But in the past, Fash and Java were able to deanonymize a Tor user

I think you're talking about 3 letter agencies unmasking users with Flash, which is decades old and which also hasn't been an issue in ages. not to mention tor browser blocks plugins and Flash is no longer in the codebase of firefox based browsers.

also the PoC that could identify installed apps was never fully functional or close to stable right? I remember it gained traction but then it died down quickly, I can't remember the name. someone correct me if I'm wrong.

and so, (why not) could be able to trigger some of them to start a network connection bypassing the Tor Browser and revealing the true non Tor IP of the Tor Browser user.

you are describing an attack where a certain website forces the tor browser to open a not better specified app, in order to force it to make a connection to a not better specified endpoint that the attacker should also control to some extent (and at what point of the network would it be and how would it correlate the traffic), in order to log an IP. this doesn't seem real or reasonable, it's best to set the record straight.

I could argue "but based on what metric?"

just by design, the way Tor works. which also easily answers the rest of the points, eg. why you'd rather trust Tor vs a VPN provider or why most onions services are not HTTPS.

@fxbrit
Copy link
Collaborator

fxbrit commented Sep 2, 2022

there are six or seven companies that control such vast swathes of the backbone and services

https://www.submarinecablemap.com/

I'm going slightly OT but I love this map. click on the cables connecting the US to Europe through the Atlantic Ocean, and to Asia through the Pacific Ocean: these companies you mention own a good number of these submarine cables, they are also telcos at this point.

@Kraxys
Copy link

Kraxys commented Sep 3, 2022

I could argue "but based on what metric?"

just by design,

The same design that allowed so much TorHiddenServices to be closed by the police, and their operators, identified and arrested?

the way Tor works. which also easily answers the rest of the points, eg. why you'd rather trust Tor vs a VPN provider or why most onions services are not HTTPS.

 https://matt.traudt.xyz/posts/2019-10-17-you-want-tor-browser-not-a-vpn/#vpn-vs-a-government

Ok, so, tell that to the famous bomb hoaxing Harvard student... The police has been able to identify him because he has used Harvard's free Wifi and was the sole user of Harvard's network using Tor at the precise moment where the threat has been made.
If he had connected to Tor not directly from his university wifi, but on top of a Vpn, his identification would have been much much more difficult, if even possible.

Tor over Vpn is better than Tor alone, at least for those who try to not be identifie. I think it's not so hard to understand.

@remyabel2
Copy link

Tor over Vpn is better than Tor at least for those who try to not be identified. I think it's not so hard to understand.

Using a VPN with Tor is complicated and not recommended in most cases.

but on top of a Vpn, his identification would have been much much more difficult, if even possible.

In terms of identification, a VPN is not any better than public wifi. Both can be logged, both have audit trails.

was the sole user of Harvard's network using Tor at the precise moment where the threat has been made.

That is circumstantial evidence, but not enough to persecute. If the police use a geofence warrant to find a list of suspects in an area where a crime is committed, that doesn't mean any of them actually committed the crime. His poor OPSEC, not Tor alone, led to enough evidence.

The same design that allowed so much TorHiddenServices to be closed by the police, and their operators, identified and arrested?

Sure, and there's been many cases where someone using a VPN was identified by the FBI either due sharing the logs or poor OPSEC. There's a difference between exploiting an inherent flaw in Tor's security model and old-fashioned police work.

@Thorin-Oakenpants
Copy link
Contributor

stop the VPN vs Tor discussion - this is about TC and a decision has already been made (to change it in the wiki)

@Thorin-Oakenpants
Copy link
Contributor

@stoically - DONE: https://github.com/arkenfox/user.js/wiki/4.1-Extensions#-optional - any nits?

@GlassGruber
Copy link

While TC provides sanitizing, and uses a dFPI-compatible API, this is not why it is recommended as optional, see Cookie extensions in the DON'T BOTHER section below

In the DON'T BOTHER section I think is clear what TC is not going to provide, but can't see why it is recommended.

I think something more explicit should be mentioned in the OPTIONAL section, maybe explaining better the disposable nature of the containers and some use cases?

@Thorin-Oakenpants
Copy link
Contributor

TC ... but can't see why it is recommended

look harder - the very first point. I'm not going to regurgitate use cases. It can't hurt and there are other edge use cases, e.g. if you use a VPN and hop, or to repeatedly bypass paywalls in session, whatever - but I'm not going to hold hands and write everything up

@GlassGruber
Copy link

Mmm I guess it's me but I find this part confusing: "this is not why it is recommended as optional".

I think it's confusing because, by the way I read it, it's like the "why it is recommended" part is missing in the sentence.
But I think your point about detailing all possible cases is correct.

If I'm not overlooking or misunderstanding badly something, maybe that very part can be replaced by just saying that users should pay attention to what is mentioned in the DON'T BOTHER section.

What about something like:

While TC provides sanitizing, and uses a dFPI-compatible API, keep in mind that is not a full privacy solution, see Cookie extensions in the DON'T BOTHER section below

@Thorin-Oakenpants
Copy link
Contributor

what's so confusing .. sanitizing ... is not why it is recommended

@GlassGruber
Copy link

GlassGruber commented Oct 14, 2022

Lol I'm very sorry but I can't get it! 🙃

sanitizing ... is not why it is recommended

Why is it then?

Still, I get that other addons like for ex. Request Control, Redirector or Smart Referer are listed without explanations, so yea I guess is up to the user to understand why when not explained in the wiki?

@Thorin-Oakenpants
Copy link
Contributor

Why is it then?

we've been through this ... try harder - the first point for starters

@GlassGruber
Copy link

GlassGruber commented Oct 14, 2022

we've been through this ... try harder - the first point for starters

Oh boy 😆
Is this the first point?

❗️Sanitizing in-session is a false sense of privacy. They do nothing for IP tracking. Even Tor Browser does not sanitize in-session e.g. when you request a new circuit. A new ID requires both full sanitizing and a new IP. The same applies to Firefox

If it is, then that looks to me like a cautionary note not a recommendation!

I mean, I know why it is recommended (hopefully! 👀): because of the disposable nature and on-demand tab "shallow"(?) sanitization.
Then you note that sanitizing is not the reason to recommend (and I agree!) because of the false sense of privacy as stated in the don't bother section.

MAC benefits are super clear, why is TC recommended as an optional addon?

Please tell this poor droid how to logic 🤖

@Thorin-Oakenpants
Copy link
Contributor

Is this the first point?

No, that's linked to as a reason to NOT use it

POINTS/REASONS for leveraging containers

goodness gracious. Does anyone else have a hard time understanding this?

@Thorin-Oakenpants
Copy link
Contributor

The first point, even if that bug didn't exist: e.g. you disable ETP for a site to make it work properly, you're still isolated

@GlassGruber
Copy link

Those points are crystal clear to this unit! 🤖 💡 (forced decomissioning is authorized if the statement result false).

Are you mentioning TC mainly because of the containers and not really for the temporary nature? So basically as an alternative to MAC? (isn't MAC required for TC to work?)

As an aside, I can't really see a benefit using TC instead of a normal container regarding the bugzilla ticket.
Does TC honor the exception cookie rule and not clear cookies when trashing the container?
IIRC there are settings in TC to store cookies but is kinda advanced I think?

Just to recap, when a cookies-exception rule for a site FOO is set, then visiting site FOO inside a container FOO cookies are:

  • accessible by any site trying to paw FOO cookies when inside the container
  • isolated from sites outside the container trying to paw FOO cookies
    • BUT if visiting FOO outside the container the cookies will be snatched by other sites outside the container and not by those inside the container (basically a XOR?)
  • in the case of a temporary container all cookies will be cleared when the container is deleted. Teh cookie consent banner strikes back!

I don't remember is TC auto container when navigating other domains on by default?

@Thorin-Oakenpants
Copy link
Contributor

Thorin-Oakenpants commented Oct 14, 2022

Are you mentioning TC mainly because of the containers and not really for the temporary nature?

I just said the sanitizing part is NOT the reason, and I want to make that painfully clear because it's a false sense of privacy. So what do you think is left? I didn't say to not sanitize with TC, I just said it's not the reason people should be using it

I can't really see a benefit using TC

TC is there (optional) because it shouldn't be in don't bother (that doesn't make the points about dFPI already existing and sanitizing in session being a false sense of privacy, moot, bugs aside) - which is what this whole issue was about.

TC needs to be listed because if it wasn't people would badger me, and besides, it's good to point out the sanitizing false sense of privacy and to show that cookie extensions lack dFPI compliant APIs, but TC doesn't

If you can't see any benefits, then read this issue. As I said, I never listed it in don't bother for useful edge cases, but because dFPI already existed and sanitizing in session is a false sense of privacy.

and the rest

IDFCare. If you want to use TC go for it, otherwise, who cares. Take all your configs and edge cases and examples and burn them.

And YES, it adds an extra layer of isolation and protects from that bugzilla, regards of the config, because the origin attribute is still keyed by contextID - and TC can clean up after itself if you want, so fuck the exceptions for sanitizing on close. And if it's a permanent container, then you can configure it to not clean up after itself, or to do so. I do not use TC, and IDNotFCare.

Take all your questions about TC to the TC repo. Not my fucking problem

I considered the points raised by stoically, and no one denied me my points. But because there are edge cases, and because of that bugzilla, I agreed that we should move it. My job is done. End. Of. Story.

@Thorin-Oakenpants
Copy link
Contributor

sorry for the tone, but seriously, I've had enough .. locking

@arkenfox arkenfox locked as resolved and limited conversation to collaborators Oct 14, 2022
@arkenfox arkenfox unlocked this conversation Oct 14, 2022
@GlassGruber
Copy link

I'm very sorry!
Really no worries, the whole thing is not relevant at all, can't believe it actually started as a nit!
It's all love and thank you for your time trying to sort this out. 💟

@stoically
Copy link
Author

@stoically - DONE: https://github.com/arkenfox/user.js/wiki/4.1-Extensions#-optional - any nits?

Looks good, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

8 participants