
901614 – Adopt Tor as a feature in Firefox - arthuredelstein
https://bugzilla.mozilla.org/show_bug.cgi?id=901614
======
tjoff
This is _really_ dangerous.

Even enthusiasts mix up the anonymity offered with Tor with security.

I can almost guarantee that this will do waaaay more harm than good. People
will enable this and think they are safe while they are suddenly routing all
their cleartext through an untrusted third party (that is, very often,
malicious).

At the very least a lot of passwords will be gathered (alongside email in a
lot of cases) in insecure and unencrypted forums etc. And since most people
have the same password for unencrypted forums as their email, facebook and
twitter...

For this to work it will have to be an option buried deep and before enabling
it you'd have to have a huge nag box (the size of a blue screen) that clearly
shows the dangers of this. And although _many_ have tried I haven't seen any
implementation of such a nag box that actually works (forces the user to think
and not just press "OK"/"YES"). And even if it did work people won't
understand it, at most they will understand that "okay, this is risky" but
they have no way of evaluating that risk since they have no idea what they
really are enabling.

That said, Tor inbuilt into firefox would be _awesome_. I just can't imagine
it doing more good than harm.

~~~
derrida
So the way to fix this is to get involved and write some software instead of
commenting in a forum as if software is a static problem. Why not open a bug
report? Maybe we can prevent password reuse by the browser taking a hash of
the password being entered in a form and comparing it against other password
hashes locally?

These issues are trivial compared to the bigger issue at play: the right to
read and to write without exception.

That is what is at stake here.

Exits sniffing passwords for plain-text forums is a minor concern compared to
the bigger issues at play. I'd like to point out that it's trivial to test for
this too...(create some plaintext accounts on forums, post there, then run a
honeypot server with your own email address and see if you get a login, do
this automatically for each exit) However the time commitment isn't so
trivial: If you wrote such a program it would be appreciated, please yell
loudly about it on the tor-talk list if you do! Tor works by and large by
people following some basic principles, like "if you think it should be done,
do it".

You could also see the issues with plaintext passwords on HTTP sites and
password reuse as a problem of user education. If you're not up for writing
software, why not open a bug and suggest some wireframed ideas for how a UI
could look to prevent password reuse? There is a whole bunch of ways to
contribute.

There are literally 100's of problems like this Mozilla or Tor could get help
with... get involved instead of ahead of time saying "This can almost
guarantee that this will do waaaay more harm than good." I hope to see your
responsible posting of these concerns to a bug tracker. A lot of what gets
done in FOSS projects like Tor really is just a bunch of people who've decided
"hey, if I don't do this, who will?".

As for doing more harm than good: I can't possibly see how this does more harm
than NSA domestic surveillance.

~~~
ordinary
_So the way to fix this is to get involved and write some software instead of
commenting in a forum as if software is a static problem. Why not open a bug
report? Maybe we can prevent password reuse by the browser taking a hash of
the password being entered in a form and comparing it against other password
hashes locally?_

The lack of a proposed solution does not make the identification of a problem
worthless. Writing code is as much part of the process of solving problems
with software as identifying those problems is. When a problem is largely a
social one, rather than a technical one, identifying the problem and making
people aware of its existence is often the bigger part of the process.

Tor guarantees anonymity. It succeeds at that. There is no technical problem.
There is no code to write. This could lead you to think there's a problem with
scope, that maybe Tor _should_ guarantee security too. Unfortunately, the
design of Tor is not compatible with that goal: if your plain text data goes
through an exit node, then by definition, that exit node gets to see what the
data is. A bug report titled "Tor does not provide secure communication" would
get closed faster than you can say "won't fix". And rightfully so.

There is, however, a social problem, as stated by the OP: many people actually
expect security. This is a problem that can only be solved by educating as
many people as possible that this is the wrong expectation to have, which is
what the OP is contributing to by making this post. This is very much in the
spirit of "if you think it should be done, do it".

~~~
maqr
> Tor guarantees anonymity. It succeeds at that.

Doesn't it fail at anonymity if the entire internet is being monitored?

~~~
slacka
I fails to see how HTTPS Everywhere + a nag whenever a form is detected on a
HTTP page doesn't make this a complete non-issue. OP is not giving Mozilla any
credit.

If OP has ever used Tor, he would know that the performance hit is so huge,
that no-one in there right mind is going to leave it on by default, if that's
even an option. In OPs myopic view, he's missing the fact the the added
benefit built in anonymity to all FF Users far outweighs this hypothetical
security risk.

------
sargun
I think that a good, incremental first step would be adding ToR into Firefox
with support for the .onion domain. This offsets the problem that there could
be potentially dangerous exits sniffing your traffic. Additionally, this makes
ToR space much more accessible. The (slight) problem of this is that it'll
probably put significantly higher load on the ToR relays, and considering that
they're already over capacity, it could hurt ToR badly.

Maybe, the relay code could be bundled into Firefox, and there could be a
toggle for "make me into a relay"

~~~
mordae
According to some providers, relays are doing just fine (40 Mbps on a 100 Mbps
line). There is significantly more relays than exit nodes because law
enforcement can't really see them and harass you.

------
brymaster
This wouldn't work at all for mainline Firefox, or at least wouldn't be
'secure' as users might be thinking.

One at least needs to have JavaScript disabled when on Tor or you'll easily be
compromised and Firefox 23 now ships with JavaScript always-on.

[http://boingboing.net/2013/08/04/anonymous-web-host-shut-
dow...](http://boingboing.net/2013/08/04/anonymous-web-host-shut-down.html)

~~~
bad_user
Why is JavaScript an issue? In private mode no traces (like cookies) are
permanent, so how can JavaScript be used against anonymity?

Of course, it increases the surface area of attack for exploits, but is there
something else I'm missing?

~~~
Skalman
It adds a great amount of fingerprintability.

~~~
foobarqux
Disabling javascript would probably add about the same amount of
fingerprintability. Panopticlick says that 1 in 24000 browsers have the same
fingerprint as TorBrowser.

------
oomkiller
My last experience with Tor was somewhat painful due to the sluggish nature of
it. If Firefox added Tor as a feature, making Tor "mainstream", could the
existing Tor network handle the extra load?

~~~
chalst
My understanding (I'm no expert on this) is that the more users, the more
efficient routing is within the Tor network, in principle making .onion space
less sluggish, but if you have a big increase in the number of users with no
corresponding increase in provision of exit nodes, then the existing
bottleneck for accessing sites outside Tor will get worse.

~~~
rmc
You need more "nodes" not "users". Tor isn't peer-to-peer amoung "users".
You'd need more people to run nodes, which is a service/server you run.

~~~
cbr
Could exit-node functionality be added to firefox? Make it more peer-to-peer?

~~~
rmc
There is no technical reason why it couldn't be added. However there is
political and ethnical reasons to not add that funcionality. There is
debatable legality of running a tor exit node. You don't want "Use Firefox,
get a visit to the police" to be a headline people can use why _not_ to use
FF.

------
Yuioup
I got my wife banned from EsperNet IRC because I was playing around with Tor
one evening. Here is their policy:

[http://www.esper.net/rbl.php](http://www.esper.net/rbl.php)

Our ip-address at home ended up on a blacklist. Eventually the ban was lifted
but my wife was not happy for a couple of days ...

I wonder if there are other services (IRC, MMO, etc...) that adopt a NO TOR
policy.

~~~
marshray
Unless you were running an exit node I don't see the logic in blocking you. I
think that kind of aggressive scanning is pretty rare.

~~~
Yuioup
Yes I was. I was using the Tor browser bundle and checked the box in the
settings. Good thing you mentioned that detail I've forgotten it.

But still though. If they make Tor a feature in Firefox what is stopping any
user from checking that box?

------
marshray
This would be great in terms of creating the 'egg' to enable the 'chicken',
ordinary web sites, to provide their service over Tor hidden services.

------
petera
I really doubt it would become a one-click privacy measure: If you like to
participate in an onion-routed, privacy enhancing, anonymity network, why put
it in an browser?

A browser accesses that network, it is the weakest and least point in that
setup.

Because tor has no gui? Use vidalia (see
[https://www.torproject.org/projects/vidalia.html.en](https://www.torproject.org/projects/vidalia.html.en)).

There are so many ways to track an individual, independent of the network,
with java-script, extensions, addons, plugins, client-side-caching that even
if tor becomes a feature in firefox, the slightest unmitigated problem, even
your behavior may compromise your privacy.

~~~
chakalakasp
Presumably Firefox would disable all add-ons, Flash, and possibly JavaScript
if tor were enabled. Otherwise, yeah, all bets are off.

~~~
petera
Your forgot to purge the disk- and memory-caches.

------
Achshar
How is going to provide the ridiculously large requirement of exit nodes is
this hits production? Don't exit nodes cost money in the sense that there is
huge risk involved in running one?

------
badon
It would be fine to just have the feature so _.oninon sites are accessible. To
get more than that requires education, much like an aircraft pilot. One small
mistake and you may literally get yourself and others killed. Even Tor Browser
can 't be trusted, due to bugs. A bare beginning solution is a firewall to
block non-Tor connections:

[http://www.reddit.com/r/onions/comments/1l15hx/10_steps_to_m...](http://www.reddit.com/r/onions/comments/1l15hx/10_steps_to_make_tor_safer_with_pfsense/)

Without that, you're just the Titanic happily floating across the ocean
without making sure you've got enough lifeboats if something goes wrong.
Should failure always mean death? Is it too much to ask to insist on a
firewall safety net to block non-Tor connections when the next bug is found in
the Tor Browser Bundle (or whatever)?

I'm all for making _.onion sites reachable, as long as that's the only thing
this new feature promises to do. It would make *.onion sites mainstream, which
is good for everybody. Strength in numbers, heard immunity, get lost in the
crowd - that's precisely what Tor relies on to achieve its most basic goals.
Taking Tor mainstream with support in Firefox would mean there would be more
Tor users for the seriously privacy-paranoid to hide behind.

------
willvarfar
If it only works with secure connections, and there's a general improvement in
bandwidth and it prompts some big non-profits-with-profits like Mozilla to
actually run exit nodes in countries that don't cooperate with other exit-node
countries, then ... yes, it could be a little bit better.

------
tuananh
isn't TorBrowser actually Firefox browser with Tor preinstalled?

~~~
corin_
The idea here is to bring Tor to a wider audience - not that it would be the
first time Tor can be used through Firefox. There may also be other technical
advantages or disadvantages, such as the fact that main Firefox will get
updates quicker than TorBrowser.

------
rjzzleep
i feel like an obvious problem is being overlooked. if every firefox bundles
tor, mozilla might end up on government blocklists all by itself.

------
poolpool
Ah yes. Adding a US government owned and operated platform to your product for
"anonomity."

~~~
IgorPartola
OMFG how many times will this fucking argument be brought up? It is open
source. Who cares? The Internet was a government sponsored project at one
point too.

~~~
poolpool
Except that enough nodes are controlled by government entities to eliminate
most if not all of the benefits.

~~~
IgorPartola
Which has nothing to do with who invented it.

------
leokun
I hope this doesn't happen. I would uninstall Firefox, and not even test
development for our application in Firefox. Maybe I could test some other
gecko-based browser, like SeaMonkey, but I don't want anything tor related on
my computer.

~~~
marshray
Why are you allergic to "anything tor related"?

~~~
leokun
I don't have a need for tor. I am not a political activist, I'm not a
journalist.

I'm not convinced that supporting tor is also not supporting criminal
activity, such as child pornography and money laundering.

I don't want software on my computer that I don't need and I don't like. If
Firefox wants to dive deep into controversial and politically complicated
topics, that's their right, but I don't have to have them on my computer or
support that.

~~~
marshray
Tor has no specific features that make it useful for child pornography or
money laundering, so it sounds like you just object to anonymity for TCP
clients in general.

You're certainly free to continue telling every server your client machine's
location and your ISP about every server to which you connect. But that's not
going to help children or fight any crime.

To me, possibly the best thing we can do to protect our children today is to
enable them to grow up with a shred of privacy, without the baggage of an
unknowable amount of juvenile internet browsing history following them into
adulthood to be sold and traded by evil men who would be their masters. That's
the industrial scale child exploitation, that is.

~~~
leokun
I do not object to anonymity for TCP clients in general. I've setup squid on
AWS proxies when I've wanted anonymity, like in open wifi areas. People can
set up VPNs or sign up to those services if they want to protect their network
activity, which should all be sufficient for most use cases, including
avoiding ISP monitoring your activity. Tor on the other hand is used to avoid
law enforcement and government surveillance. I'm not a journalist, I'm not
politically active, and I'm not engaged in criminal activity, and I'm not
going to support something that can aid people avoid justice for their
misdeeds. I think journalists should come up with their own solution that
can't be taken advantage of by bad people who do bad things.

~~~
chakalakasp
Circa 1995: "I think researchers and computer scientists should come up with
their own solution to display text and images that can't be exploited by bad
people. I will never support the World Wide Web. Gopher all the way, baby!"

A bit tongue in cheek, but lets be serious - there is no technology in
existence that can't be exploited by bad people. Tor is a tool, it can be used
for good or for naughty or for boring. Like most every other online tool or
protocol out there.

------
DigitalSea
This seems like a nice idea, but the developers of Firefox have made it more
than known they would prefer to argue the inclusion and removal of version
numbers as opposed to actual issues. Look how long it took them to fix the
memory leaks that plagued the browser since version 2 and were only not long
fixed?

It's easy enough to set Tor up with Firefox yourself. Perhaps all that is
needed is an easy to understand and access Tor guide. Perhaps the first page
you see upon loading Firefox after installing or updating is a, "We recommend
you use Tor for a safer browsing experience" and then give some scenarios
where Tor should and shouldn't be used.

~~~
marijn
Whenever I see this kind of poorly-informed bashing of the Mozilla team
(always mentioning "the memory leaks") I can't help but wonder how the author
would do building and maintaining a piece of software as big and complex as a
modern Web browser.

The thing to note is that these issues were fixed and Firefox is still a
competitive, solid browser.

~~~
DigitalSea
It's well-intentioned bashing if you want to slap a label on it. I am one of
the few that still use Firefox, I've used it since the beginning more or less
and the memory leaks issue you attempt to downplay was a very real issue that
plagued the browser for so long when Chrome came along and sanboxed
everything, separate process and was super fast people jumped ship faster than
the Titanic.

The argument of turning around someone's opinion and asking how they would fix
and maintain the problem is an exhausted counterargument that has no validity.
It wasn't the Mozilla team didn't have the smarts to fix the memory leaks,
it's the fact they denied there was even a problem for so long. It's all about
prioritising what you work on. So if I had any involvement in Mozilla and
Firefox's development, I would be prioritising what's important and what
isn't.

This place has really changed. You can't give your opinion on something
without being down-voted into oblivion, even if your opinion is well-
intentioned and constructive. My comment wasn't negative, it was my opinion. I
didn't bash anyone, I'm sick of this place misconstruing other peoples
comments (a frequent occurrence from what I've noticed).

