
Mozilla Project Fusion: Tor Integration into Firefox - jerheinze
https://trac.torproject.org/projects/tor/wiki/org/meetings/2018Rome/Notes/FusionProject
======
tomrittervg
Hi all. I am a Tor Project Developer and work at Mozilla on this project. We
appreciate everyone's enthusiasm and feedback. Our ultimate goal is a long way
away because of the amount of work to do and the necessity to match the safety
of Tor Browser in Firefox when providing a Tor mode. There's no guarantee this
will happen, but I hope it will and we will keep working towards it.

If anyone is interested in assisting development-wise, Firefox bugs tagged
'fingerprinting' in the whiteboard are a good place to start. You can also run
Tor relays and help us improve the health of the network by working with Tor's
new Relay Advocate
([https://blog.torproject.org/get-help-running-your-relay-our-...](https://blog.torproject.org/get-help-running-your-relay-our-new-advocate)).
More people being involved in spec work (especially at the W3C)
and focusing on fingerprinting and privacy concerns is also very useful - it's
very hard to keep eyes on all the things happening everywhere.

We also appreciate users of Firefox Beta and Nightly (Nightly especially). The
flags Tor features are developed behind (privacy.resistFingerprinting and
privacy.firstparty.isolate) are experimental. I appreciate bug reports from
users running these flags but you should expect them to break things on the
web (resistFingerprinting especially; first party isolate is generally more
stable and usually only has breakage on particular login forms).

~~~
xoa
> _You can also run Tor relays and help us improve the health of the network
> by working with Tor's new Relay Advocate_

Since I've seen this come up before in many previous discussions of Tor I
think it's worth emphasizing/clarifying up front: Tor relays are _not_ the
same as Tor exit nodes. Relays do not talk to the public internet, they serve
only the full encrypted internal Tor virtual network. So they won't ever send
out traffic from an IP under your control to some website or general Internet
system (and in turn tie that IP in any way to spam/abuse/whatever, at least
not for that reason). It's not necessarily hidden that it is acting as a
relay, but the relay itself will have no knowledge of the traffic it's
carrying.

Plenty of people have reasonable concerns about the risks/inconveniences that
might come with acting as an exit node, but on both a legal and practical
level there are many more jurisdictions where merely relaying encrypted
traffic between other relays isn't a problem. And it's still quite helpful,
both for network speed and because purely internal Tor Hidden Services do not
need any exit nodes at all.

~~~
pricechild
That said, plenty of providers use the list of tor relays (which is also
public) to block traffic.

Sites such as [https://www.dan.me.uk/dnsbl](https://www.dan.me.uk/dnsbl) then
help people do this.

That site in particular may "warn":

> This DNS blacklist contains ALL tor nodes (entry, transit and exit nodes) -
> think carefully before choosing to use this list for blocking purposes.

but anyone who doesn't understand tor simply won't understand the decision and
choose ALL.

Running a relay on your own address isn't sensible because of this. Nevermind
an exit node.
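
The relay/exit distinction discussed above, as an added example that is not part of the original posts: it parses router-status entries laid out like a Tor consensus document and shows which addresses an "ALL nodes" blocklist covers that an exit-only list would not. The sample entries, names and addresses are constructed, and the code assumes exit traffic leaves from the relay's listed address.

```javascript
// Constructed sample in the layout of consensus router-status entries:
// an "r" line (nickname, identity, digest, date, time, IP, ORPort, DirPort)
// followed by an "s" line listing the relay's flags.
// Addresses are documentation ranges, not real relays.
const SAMPLE_CONSENSUS = [
  "r homeRelay CONSTRUCTEDid0000000000001 CONSTRUCTEDdg0000000000001 2018-06-01 07:32:51 192.0.2.10 9001 0",
  "s Fast Running Stable Valid",
  "r guardBox CONSTRUCTEDid0000000000002 CONSTRUCTEDdg0000000000002 2018-06-01 08:10:02 198.51.100.20 443 80",
  "s Fast Guard Running Stable Valid",
  "r exitOne CONSTRUCTEDid0000000000003 CONSTRUCTEDdg0000000000003 2018-06-01 09:44:17 203.0.113.5 9001 9030",
  "s Exit Fast Running Valid",
  "r sharedHost CONSTRUCTEDid0000000000004 CONSTRUCTEDdg0000000000004 2018-06-01 09:50:00 203.0.113.5 9002 0",
  "s Fast Running Valid",
  "r truncated"            // malformed entry: skipped by the parser
].join("\n");

// Turn "r"/"s" line pairs into relay records; ignore anything malformed.
function parseRelays(text) {
  const relays = [];
  let current = null;
  for (const line of text.split("\n")) {
    const fields = line.trim().split(/\s+/);
    if (fields[0] === "r") {
      if (fields.length < 9) { current = null; continue; }
      current = { nickname: fields[1], address: fields[6],
                  orPort: Number(fields[7]), flags: [] };
      relays.push(current);
    } else if (fields[0] === "s" && current) {
      current.flags = fields.slice(1);
    }
  }
  return relays;
}

// A relay only sends traffic to the public internet if it carries the Exit flag.
function isExit(relay) {
  return relay.flags.includes("Exit");
}

// Build both list styles and report what the "ALL nodes" style adds:
// addresses that only ever relay encrypted traffic inside the Tor network.
function buildBlocklists(relays) {
  const allNodes = [...new Set(relays.map(r => r.address))];
  const exitsOnly = [...new Set(relays.filter(isExit).map(r => r.address))];
  const collateral = allNodes.filter(a => !exitsOnly.includes(a));
  return { allNodes, exitsOnly, collateral };
}

const lists = buildBlocklists(parseRelays(SAMPLE_CONSENSUS));
console.log("exit-only list:", lists.exitsOnly);
console.log("extra addresses blocked by an ALL list:", lists.collateral);
```
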

~~~
jandrese
As someone who has run a relay on my home network for years now this has never
come up. At least not that I've been able to discern.

I think it might be a problem if I also ran a mail server from home, but
almost nobody does that anymore.

~~~
lucb1e
I do, and I've run a Tor relay at home as well (also exit for a while).

------
ogennadi
> Ultimate eventual goal: Make Tor Browser obsolete, so Tor Project can focus
> on research instead of maintaining a fork of Firefox.

~~~
sametmax
Good, now if only we could have bittorrent baked in...

EDIT: I mean baked in in the browser like tor, not baked in tor. Although
interesting, it's really not my priority.

~~~
kleiba
Honest question: is bittorrent even still a thing?

~~~
sametmax
Last month I downloaded 2 Linux ISOs with it for work. This month all the seasons
of The Pretender for fun.

Facebook used to deploy their code using bittorrent. I doubt it has changed.

A lot of Blizzard video games update using bittorrent as well. If you play
Starcraft 2, you use bittorrent.

Streaming services like stremio are basically bittorrent. After Netflix, it's
my main source of video content.

If you want to download the Internet Archive, that's the saner option. Same if
you are a pentester, as a lot of heavy leaks or hash DBs are so huge only
bittorrent makes it practical. Too expensive to host for one small actor. It's
also more resistant to takedown notices.

We talked a lot about RSS lately, and how to revive it, while in comments
people said it actually never died. Bittorrent is a lot like that. Great tech,
great standard, it works flawlessly and fills its use case perfectly.

The only reason it's not more adopted is because it's not in the browser by
default. Otherwise the hosting benefit and the dl speed is such that it would
be an instant hit.

~~~
scrollaway
Blizzard games no longer use BitTorrent but a proprietary http-based protocol
called ngdp. BitTorrent was causing a lot of issues with firewalls so users
were disabling it, so they had added http mirrors to them... And then CDNs
became a thing, the rest is history.

I'll be happy to give more details on ngdp if you are curious.

~~~
sametmax
Please.

~~~
scrollaway
Here, I pulled my docs for ya:

[https://gist.github.com/jleclanche/91f2f5c0f2042a81db1c61464...](https://gist.github.com/jleclanche/91f2f5c0f2042a81db1c61464ae6d459)

They basically created their own git protocol + virtual filesystem, optimized
for asset patches inside large compressed binary files. I wish they'd open
source it.

~~~
exikyut
That was interesting to poke through.

Related discussion:
[https://news.ycombinator.com/item?id=13140257](https://news.ycombinator.com/item?id=13140257)

------
forapurpose
What will Mozilla do about the Tor network's usability problems? Advanced
users can work around them and because they understand the benefits and
engineering, accept the frustrations as a cost for a worthwhile (and free)
technology. But what will non-technical users do?

Many public Internet websites filter connections from the Tor network, many
other websites are very slow, yet others impose extra obstacles such as
multiple rounds of captchas (even 5 or more) or degraded service (including
high suspicion of payments), and of course you often will receive webpages in
the wrong locale or language - which can trigger regional filters. Currently,
workarounds require resetting the circuit (few non-technical users will even
understand what the circuit is), lots of patience and reloads, and often just
giving up. [EDIT: And non-technical users won't understand what is happening
and therefore won't know when to use which workaround.]

If that's the experience of typical Firefox users, they won't use it and they
will have bad associations with Tor and Firefox.

~~~
Hello71
Which sites in 2018 still present multiple CAPTCHAs to users with cookies and
JavaScript enabled?

I think the theory behind this project is that those problems are primarily
caused by Tor's popular image as a 'fringe network for pedophiles and drug
dealers' and that by making it more mainstream they can fix those issues.

(please more replies saying "that sounds really hard" and less replies saying
"tor is not a fringe network for pedophiles and drug dealers", thanks)

~~~
darpa_escapee
Cloudflare.

~~~
Hello71
Source? Cloudflare did post a moderately hostile response to Tor a few years
back, but their technical implementation is sound and does not present
multiple CAPTCHAs to users who have cookies enabled (the CAPTCHA might be
broken with JS off, but that's a Google problem).

~~~
actuator
Even I have seen CF captchas on multiple sites when using Tor. Though might be
because of my usage pattern where I use Tor for a selective list of sites
giving CF less chance to maintain my identity.

------
sp332
The page isn't loading for me.
[https://web.archive.org/web/20180601141754/https://trac.torp...](https://web.archive.org/web/20180601141754/https://trac.torproject.org/projects/tor/wiki/org/meetings/2018Rome/Notes/FusionProject)

([https://archive.org/donate](https://archive.org/donate))

~~~
maerF0x0
it worked after a few tries for me. I believe it's just server load, keep trying
or try later

~~~
sp332
I'm sure it is just overloaded. But there's no point kicking it when it's
down. Use a mirror for now.

------
mtgx
I've been waiting for this for years. Good job convincing Mozilla to do this!
Good idea to standardize the spec, too.

I hope they give a good name to this new super-private mode (which actually
isn't too bad of a name, either).

I also hope they don't just implement a "more private" mode in Firefox, but
also a _more hardened mode_ for Tor. The Tor mode in Firefox should use the
strictest possible sandboxing technologies available to them from the
operating system (file system virtualization, etc).

I'm even talking about those new fancy hypervisor-based micro-VMs in Windows
10, which I believe they are called Krypton containers, and it's what Edge
uses within the Application Guard context. Although if the users have to
enable Hyper-V/Micro-VMs first in Windows, then maybe this hardening mechanism
should be optional, but _encouraged_. Otherwise, it should probably be the
default.

[https://www.zdnet.com/article/how-containers-will-transform-...](https://www.zdnet.com/article/how-containers-will-transform-windows-10-in-the-next-three-years/)

Oh, and this hardened mode should use a different process for every
tab/extension, too, by default, just like Chrome does. I still don't think
Mozilla's "hybrid" approach makes it as secure as Chrome (which is why it's a
hybrid/compromise for lower memory usage).

------
MayeulC
Great news!

With wider adoption of ipv6 and all the good things that come with it (don't
mistake me, they are great!) also comes the risk that each computer will get a
uniquely identifiable IP address that will be used for fingerprinting. I've
never really used Tor in the past, but this got me thinking about it.

An option could be to provide a webRTC-based node, but I am not sure how
feasible that would be, after reading some comments here. Maybe for entry
nodes and guard nodes instead of exit nodes? The transient nature of browser
sessions could greatly enhance privacy. Of course, you would need some
algorithms to deal with this very nature... But I can imagine some.

This surely lowers the barrier to entry for greatly enhanced privacy. Quite a
lot of people seem to be aware of the private browsing mode, and I can imagine
this being turned into a simple toggle on the private browsing home page,
along with a short explanation (and a link to additional privacy tips).

A low hanging fruit that could enhance the privacy a bit would be to use the
trusted recursive resolver (DNS over https) in private browsing by default,
since it already is part of Firefox. It just needs a default _trusted_
resolver.

~~~
tomrittervg
> An option could be to provide a webRTC-based node, but I am not sure how
> feasible that would be, after reading some comments here.

I'll point you at FlashProxy
([https://crypto.stanford.edu/flashproxy/](https://crypto.stanford.edu/flashproxy/))
and Snowflake
([https://github.com/keroserene/snowflake](https://github.com/keroserene/snowflake))
the latter of which is in active development. =)

~~~
jerheinze
[https://trac.torproject.org/projects/tor/wiki/doc/Snowflake](https://trac.torproject.org/projects/tor/wiki/doc/Snowflake)

------
kodablah
Cool, now let me start an ephemeral v3 onion service from JS and have it
reachable via WebRTC by a peer who has their own. It's the perfect tech
marriage, removes signalling servers and NAT busters, but may be a bit taxing
on directory servers and too slow to use for media streams (but I'll take data
channels only).

~~~
floatboth
Hah, kinda reminds me of Opera Unite. (That one wasn't from JS, it offered
some fixed applications like file hosting, notes, etc., but it was hosting
stuff from the browser)

~~~
gsnedders
Unite allowed server-side JavaScript (though I forget how many privileged APIs
there were), but I don't think you could support custom protocols.

------
urda
Mozilla keeps driving for the users on the internet. I know many of my own
frustrations came from the fork that is Tor. This work is great to see.

~~~
jerheinze
> I know many of my own frustrations came from the fork that is Tor.

What are your frustrations with the Tor Browser?

~~~
tgragnato
There is a gap between the safer and safest security level: sometimes I want
to display icons and symbols but don't want js to run.

Installing additional extensions is discouraged; but in my experience
Decentraleyes makes latency somewhat less disturbing, CAPTCHAs appear less
often; and uBlock Origin is essential [-].

[-] shipping with every available filter list enabled and cached may be a good
enough default

~~~
jerheinze
> Installing additional extensions is discouraged; but in my experience
> Decentraleyes makes latency somewhat less disturbing, CAPTCHAs appear less
> often; and uBlock Origin is essential [-].
>
> [-] shipping with every available filter list enabled and cached may be a good
> enough default

See [https://bugs.torproject.org/22089](https://bugs.torproject.org/22089) and
[https://bugs.torproject.org/17569](https://bugs.torproject.org/17569)

------
_bxg1
This would be amazing. The main reason I've never used Tor is the fear that it
would make me look like I had something to hide (instead of just a general
desire for privacy). If it were built into Firefox, I'd probably switch over
from Chrome.

~~~
jerheinze
> The main reason I've never used Tor is the fear that it would make me look
> like I had something to hide (instead of just a general desire for privacy).

1. You can hide the fact that you're using Tor by using pluggable transports
which are already built into the Tor Browser (such as meek-azure, obfs4,
snowflake, ...).

2. That's the biggest reason as to why one must use Tor as much as possible
even if they don't care about privacy. More people using Tor = the less
interesting it is to be a Tor user.

------
ccnafr
Wasn't this launched in 2014? I see the wiki hasn't been updated since
January. Is this a new push to get this done?

------
Vinnl
If I understand it correctly, you shouldn't be using any website accounts
using Tor browser that you also use outside of it. I really wonder if/how they
can make the user properly aware of that in a kind-of super private browsing
mode.

~~~
Hello71
you _can_, and it is still a valuable contribution to the Tor network, since
it adds cover traffic. the catch is just that the website you're using will
know who you are. I hope that the vast majority of users will understand that
if they log in, there is no privacy mode that will save them from the site
they log into.

~~~
Vinnl
Right, I guess that's good if you want to contribute to the Tor ecosystem, but
if you want to browse anonymously, that's no good. Unfortunately, even as a
somewhat tech savvy (though in hindsight obviously naive) person, the
repercussions of logging in somewhere in Tor Browser weren't immediately clear
to me.

------
fwdpropaganda
> How many more "super private browsing mode" Firefox users will there be?
> Potentially hundreds of millions of daily users.

Tor has hundreds of millions of daily users?

~~~
jerheinze
[https://metrics.torproject.org/userstats-relay-country.html](https://metrics.torproject.org/userstats-relay-country.html)

~~~
xur17
Does anyone know what caused the big spike in users at the end of last year?

~~~
jerheinze
Most likely a botnet.

------
wpdev_63
Have you considered also implementing I2P[0] in parallel with Tor? It's supposed
to be harder to analyze traffic at nodes with I2P though it isn't as
battle-tested as Tor.

[0]:[https://geti2p.net/en/comparison/tor](https://geti2p.net/en/comparison/tor)

~~~
jerheinze
I2P is more concerned with inward traffic rather than clearnet 'exit' traffic
which is the main thing that Mozilla wants in a super private mode.

------
openfuture
Okay but what about maidsafe, dat, ipfs etc. The correct solution is to have
firefox expose a 'protocol api' or something along those lines so that any
'alternate internet' project can create a backend extension to make firefox
compatible with that protocol.

~~~
jean-
Seems like some people are working precisely on that.

See for instance:

[https://blog.mozilla.org/addons/2018/01/26/extensions-firefo...](https://blog.mozilla.org/addons/2018/01/26/extensions-firefox-59/)
(CTRL-F Decentralization)

[https://github.com/mozilla/libdweb](https://github.com/mozilla/libdweb)

~~~
mtgx
That's amazing to see. Thanks for sharing.

This is exactly the kind of tech Mozilla should be supporting - tech that
gives users more freedom on the internet.

------
devit
I think Mozilla should look at using Servo instead of Gecko in this mode along
with a new JavaScript interpreter written in Rust, at least optionally, since
perfect security is essential when using a Tor browser without a dedicated VM.

~~~
kibwen
Servo components are being uplifted into Gecko gradually. There's less benefit
to rewriting the JIT in Rust because static type systems can only do so much
when the whole goal of a program is to generate code dynamically.

~~~
devit
My suggestion was to have Firefox support both Gecko (with uplifted components)
and a pure Rust renderer, with the latter to be used in the Tor mode where
security (to preserve anonymity against resourceful adversaries) matters over
compatibility.

For security, instead of a JIT, a simple JavaScript bytecode interpreter
written in Rust to be used exclusively in the Tor mode would be ideal, for
maximum security at the cost of worse performance.

Another option is a JIT that generates code that is easily proven to be safe
(e.g. because it does a bounds check on all memory accesses and only does
indirect jumps using a jump table, or because it's the only thing running in a
process and jumps are still constrained with a read only jump table and read
only code).

------
Endy
So we lose another valuable project of the Web. I wonder why I feel so lost -
that when I was young, the Internet was barely born... and now I'm watching it
die.

~~~
jerheinze
What's going to be lost?

~~~
Endy
Tor Browser. A single privacy-dedicated browser package; even if it is now
being built on Chromefox.

------
bunkydoo
I believe Tor browser is already just a version of Firefox if I'm not
mistaken. What would be the advantage of integrating with Firefox as opposed
to say, a VPN integrated into the browser via a plugin. Just seems a little
redundant and Tor is beginning to seem dated also with new solutions popping
up and making the pitfalls of Tor more apparent.

~~~
Vinnl
I think an important part is to lessen the maintenance burden for the Tor
project: if the code is in Firefox proper, Firefox developers will encounter
it when working on other features and make sure they work together, whereas
currently the Tor project needs to rebase their modifications onto "regular"
Firefox.

------
neokantian
"Removing fingerprintability" amounts to the browser just NOT sending all the
http request headers that it sends by default. How hard can it be to "comment
out" these lines?

~~~
bzbarsky
I just checked and there are over 100 checks for "should I have different
behavior here if I am resisting fingerprinting?" just in the C++ code in
Firefox today. There are some more in the JS code but they're harder to search
for.

Some simple examples:

* Various navigator APIs (oscpu, platform, etc) need to be disabled.

* Gamepad API needs to be disabled.

* Have to prevent reading canvas pixel data

* Have to block information about available OpenGL extensions from WebGL

* Modifier keys on keyboard events need to be spoofed (because they can be used to guess at keyboard layout)

* Errors from the media stack (for <video> and <audio>) need to be blanked out.

* Something to do with voice synthesis APIs; I didn't look into details.

* Connection API needs to be neutered

* Various timing APIs hanging off "performance" need to be neutered.

* Presentation API needs to be neutered.

* Number of CPUs reported by the navigator API needs to be spoofed.

* Window sizing for window.open needs to be spoofed.

* Ability to measure the difference between the window.inner* and window.outer* APIs needs to be disabled.

* Mouse positions in mouse events need to be spoofed to make it look like the window is fullscreened.

* Touch event positions need to be spoofed.

* Geolocation needs to be disabled.

And so on, and so forth.
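
Why every one of these checks is needed, as an added example that is not part of the original comment and not Firefox code: it groups a constructed visitor population by what a page could observe and reports the smallest anonymity set when only some surfaces are spoofed. The surface names (`chromeHeight` standing in for the window.outer*/inner* difference, `webglExtensions` for the extension count) and all values are assumptions made for illustration.

```javascript
// Constructed population: every value below is invented for illustration.
const VISITORS = [
  { id: "a", platform: "Linux x86_64", hardwareConcurrency: 8, chromeHeight: 74, webglExtensions: 31 },
  { id: "b", platform: "Linux x86_64", hardwareConcurrency: 4, chromeHeight: 74, webglExtensions: 31 },
  { id: "c", platform: "Win32",        hardwareConcurrency: 4, chromeHeight: 85, webglExtensions: 28 },
  { id: "d", platform: "Win32",        hardwareConcurrency: 4, chromeHeight: 85, webglExtensions: 28 },
  { id: "e", platform: "Win32",        hardwareConcurrency: 8, chromeHeight: 85, webglExtensions: 31 },
  { id: "f", platform: "MacIntel",     hardwareConcurrency: 8, chromeHeight: 74, webglExtensions: 28 },
  { id: "g", platform: "MacIntel",     hardwareConcurrency: 8, chromeHeight: 74, webglExtensions: 28 },
  { id: "h", platform: "Win32",        hardwareConcurrency: 4, chromeHeight: 85, webglExtensions: 28 }
];

// Surfaces taken from the list above (hypothetical field names).
const SURFACES = ["platform", "hardwareConcurrency", "chromeHeight", "webglExtensions"];

// What a page observes for one visitor: a spoofed surface yields the same
// value for everybody, an unspoofed one yields the visitor's real value.
function observe(visitor, spoofed) {
  return SURFACES
    .map(s => (spoofed.has(s) ? "spoofed" : String(visitor[s])))
    .join("|");
}

// Visitors with identical observations are indistinguishable to the page.
function anonymitySets(visitors, spoofed) {
  const sets = new Map();
  for (const v of visitors) {
    const key = observe(v, spoofed);
    if (!sets.has(key)) sets.set(key, []);
    sets.get(key).push(v.id);
  }
  return [...sets.values()];
}

// Size of the smallest group: 1 means someone is uniquely identifiable.
function smallestSet(visitors, spoofedList) {
  const sets = anonymitySets(visitors, new Set(spoofedList));
  return Math.min(...sets.map(s => s.length));
}

// Shannon entropy (bits) that one unspoofed surface reveals on its own.
function surfaceEntropy(visitors, surface) {
  const counts = new Map();
  for (const v of visitors) {
    counts.set(v[surface], (counts.get(v[surface]) || 0) + 1);
  }
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / visitors.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Surfaces that still split the population when all the others are spoofed.
function leakingSurfaces(visitors) {
  return SURFACES.filter(s => {
    const others = SURFACES.filter(o => o !== s);
    return anonymitySets(visitors, new Set(others)).length > 1;
  });
}

console.log("nothing spoofed, smallest set:", smallestSet(VISITORS, []));
console.log("all but hardwareConcurrency spoofed:",
  smallestSet(VISITORS, ["platform", "chromeHeight", "webglExtensions"]));
console.log("everything spoofed:", smallestSet(VISITORS, SURFACES));
```
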

~~~
gsnedders
Need to do something about fonts and the CSSOM
(Element.getBoundingClientRect() for example), too.

Just shipping a standard bundled set of fonts and only allowing use of that
doesn't suffice because anti-aliasing width differences could give away the
used font renderer.

------
mortdeus
I am starting to feel firefox in a serious way. But I'm just sooo concerned
that their software still sucks. I mean, we ARE talking about a company who
thought it was smart to spend time trying to build a javascript OS for mobile.

So let me ask again. When are you guys going to start building firefox from
the ground up and make the perfect browser we all deserve?

And if you disagree, please. Present your arguments. I am the person you need
to sell right now.

~~~
Sylos
They've started on it, it's called Servo.

But webstandards are evolving faster than modern browsers are, so building a
browser from the ground up would require quite a bit more money, and worse
know-how - you can't just buy that in unlimited amounts, than they have for
Firefox right now, and they can't exactly stop developing Firefox in the
meantime either.

Also, their three big competitors have most of their browser market share
thanks to building an operating system underneath it. No matter how slim
Mozilla's chances at success were, it would've been foolish to not try to get
into the operating system market. And they built it based on web technologies,
because that's where they have know-how.

------
fredley
Why does the Tor Browser Bundle ship with HTTPS Everywhere? Surely if you're
connected through a Tor circuit, HTTPS provides no extra security?

~~~
StavrosK
This is the biggest misconception about Tor. Tor provides anonymity, but any
node (EDIT: any _exit_ node) can read what you're sending if it's not
encrypted. You need both.

~~~
crankylinuxuser
That's definitely not true if your endpoint you're talking to is an *.onion .
A connection to an Onion is encrypted to the destination. That also means if
you were running, say NodeRed with authentication, sending credentials "over
the clear" (no SSL cert, because stupidity) it's not actually sent over the
clear. It's encrypted to the public key relating to your onion address.

Now, if you're using Public Internet->Tor->Public Internet, then absolutely
yes the last node CAN read the contents of your packets. In that case, you
absolutely need appropriate encryption to hide the contents (sigh, not the
metadata) of your packets.

~~~
LinuxBender
I would still prefer https on a .onion. If tor itself is popped, then traffic
can be routed or mirrored to another host. This has happened in a PoC and was
fixed in a security update in one of the alpha releases. There are additional
fixes required for HS that are coming.

If the target is using https, you can see if the signature changes (there are
addons for this).

Digicert will sign .onion domains, though the hidden site must be willing to
share their identity with Digicert. I would love to see LetsEncrypt sign
.onion domains, assuming they are willing to connect back to a .onion to
validate the server.

~~~
detaro
The CA/B Forum rules only allow EV certificates for .onion, so even if Let's
Encrypt wanted they couldn't give out .onion certificates without getting that
changed first.

~~~
schoen
I'm trying to get that rule changed and working with several other
organizations on this.

~~~
detaro
Are there public discussions somewhere yet? I always find it interesting to
peek into these processes.

~~~
schoen
We talked about it in this thread in November.

[https://cabforum.org/pipermail/public/2017-November/thread.h...](https://cabforum.org/pipermail/public/2017-November/thread.html#12451)

Since then Fotis Loukos and I have drafted a ballot, which I believe he plans
to introduce soon after asking a few other organizations to look it over.

You can subscribe to the cabfpub mailing list without becoming an Interested
Party or Member. Only Interested Parties or Members can post to the list,
while only Members can introduce or vote on ballots.

(Edit: Strangely, the reason for this is seemingly not that they're worried
that the general public will make crazy suggestions, but rather that the
general public will make _patented_ suggestions, without being willing to
license them according to the Forum's patent policy, and thereby sneak
patented technology into the standards.)

