On 15/06/20 22:40, Mark H Weaver wrote: > Earlier, I wrote: > >> I'm currently building a version of IceCat 68.9 with the above commit >> reverted, to see if the bug also exists in version 0.1.7 of the Onion >> Browser Button. > The same problem happens for me with version 0.1.7 of the Onion Browser > Button in the IceCat 68.9 preview. I guess that this add-on does not > work reliably (if at all) with Firefox ESR 68.x or its derivatives. > Maybe it works better with Firefox 77. > > Unless someone has a better suggestion, I'm inclined to simply *remove* > Onion Browser Button from the IceCat 68 preview. Another removing (about:icecat is already gone)? Of the original IceCat nothing is remaining... > > Long ago, the Tor Browser developers reached the conclusion that having > a simple toggle button was the wrong approach, and I agree. > > https://blog.torproject.org/toggle-or-not-toggle-end-torbutton > > One problem is that modern web browsers have a large amount of state > which can be used to identify you, and toggling the Tor button does not > clear that state. When you aren't using Tor, sites can learn the state > of your browser profile and associate that state with your identity. > Later, if you turn Tor on, all of that state is still there to identify > you, even if your network requests are routed through Tor. > > I believe that in order to properly preserve your anonymity while web > browsing, at *minimum* each IceCat _profile_ should either be used > exclusively with Tor, or exclusively without Tor. In other words, you > should create dedicated profiles for use with Tor; when creating a new > profile, you should either configure it to use Tor, or not, and you > should *never* toggle a given profile between Tor-enabled and > Tor-disabled. This requirement is violated by a Tor toggle button, > whose sole purpose is to make it convenient to do the very thing that > you should never do. I'm incline to choose the Tor-Icecat, in this case IceCat browser will be always Tor dependent. And, if in future some way Tor will become a proprietary feature? > > Another more difficult problem is that browsers can be fingerprinted in > various ways to determine their specific feature set and configuration. > IceCat has a distinctive set of features disabled, and a distinctive > configuration to better protect your privacy, but ironically these > improvements can likely be used by an adversary to determine that you > are an IceCat user, even if you are using Tor. Since there are > relatively few IceCat users, this dramatically narrows down the set of > people that you might be, thereby reducing your anonymity. > > I think we should acknowledge that providing proper anonymity in IceCat > will require more work, and that work has not yet been done. Therefore, > I think we should remove Tor support from IceCat for now, and start a > discussion of what the requirements are and how best to meet them. > > To begin, I recommend that participants of this discussion should read > "The Design and Implementation of the Tor Browser", here: > > https://2019.www.torproject.org/projects/torbrowser/design/ > > I can think of a few approaches we might take. The easiest approach > would be to give up on having the same browser support Tor and non-Tor > usage, as the Tor developers did. IceCat, based on Firefox ESR, could > be our non-Tor browser, and then we could start another project, based > on Tor Browser, for use with Tor. > > Another approach would be to provide an easy UI for enabling Tor when > creating a new profile, and to teach users best practices for doing > this. This approach would involve cherry-picking patches from Tor > Browser, and possibly arranging for some of those patches to take effect > only in profiles where Tor is enabled. It would likely also involve > using a different default configuration for Tor-enabled profiles, to > more closely match Tor Browser's configuration, to make it harder to > distinguish IceCat users from Tor Browser users. > > Yet another idea would be to arrange for "Private Windows" to use Tor, > and to convince ourselves (or not) that the remotely-detectable state of > Private Windows are sufficiently isolated from the state of normal > windows. > > I welcome other opinions. > > Regards, > Mark +1 for a dedicated discussion about. -- --- Antonio Trande Fedora Project mailto: sagitter@fedoraproject.org GPG key: 0x7B30EE04E576AA84 GPG key server: https://keys.openpgp.org/