Security/Contextual Identity Project/Containers: Difference between revisions

lightweight persistent profiles that isolate sites from one another

Warning: This is just a draft proposal of how contextual identities might be implemented in Firefox

Mock-up of what this might look like

Description

Linux containers all share the same kernel but they have different process/networking/filesystem namespaces. Similarly, browser containers share the same browser profile and process but have different cookie/storage namespaces.

When a user creates a new container, the browser opens a new window that's visually different from the other ones and that window has a different appid [1]. When that window is closed, all of the data related to the container's main origin is retained, but the rest is cleared (e.g. a Facebook container will keep Facebook cookies to preserve the session, but it will clear all non-Facebook cookies to reduce tracking).

[1] The AppID key is linked to cookie jars, local storage, indexedDB, HTTP auth cache, HTTP data cache. It is NOT linked with history, bookmarks or addons.

Benefit for users

• It allows user to log into any sites that doesn’t support multiple logins. Similar to how the Google account switcher works, but for any account on the web.
  • Problem: It's ridiculous that you have to open multiple profiles or private windows just to sign into different accounts on the same web site.
  • Problem: Just use two different browsers. Firefox is my main browser and I have Chrome for when I need to log onto a different account.
  • Story: I'm a university student and my year is divided into 15 groups. Each group has got their common Gmail account to use as forum/place to upload our presentations etc. I either have to log in and log out every time I want to change class, or use another browser.
  • Story: There are many reasons why users would choose to have more than one eBay account. For example, users who like to buy and sell may want separate accounts for each activity. Other users who maintain businesses on eBay may prefer to manage separate accounts for different product lines. Whether you have one account or more, eBay expects users to manage each of their accounts effectively in order to meet the highest buyer and seller standards.
• It’s tracking protection by any other means
  • I need to be logged into Facebook because that's how I communicate with friends and family but I don't want Facebook to track me all over the web through the Like buttons.
• It isolates sites and makes CSRF (one-click attack) impossible.
  • If a user opens their online banking site in a container, an attacker won't be able to exploit a CSRF vulnerability on the bank website by tricking them into clicking a link on Facebook because when the user clicks that link and navigates to facebook.com they won't have a session with Facebook.

Benefit for developers

• A web developer can easily test their website by being logged in as different users at the same time.
  • For example, they can test a learning management system (e.g. Moodle) by having three containers: teacher, student, admin.
  • I work at a technology company which primarily focuses on our website. Being able to view the site with a fresh set of cookies this easily is awesome. We use incognito mode currently, but that has the limitation of each tab/window sharing one set of incognito cookies.

Persisting containers

One idea was that we would tie persistent containers to bookmarks. A new setting on the bookmark would force the browser to open Twitter in the same container. Internally the container would probably be named after the origin of the site being bookmarked.

Ideally when you type twitter.com in the URL bar, the bookmark will be picked up and the "contained" bookmark used instead.

Alternatively, when you navigate to twitter.com, the browser could show a ribbon at the top that says: "hey, you normally open this in a container, would you like to do this now?" with a button to close the tab and open a new container window.

One nice thing about tying containers to bookmarks is that we know what origin the container is meant for. This means we can clear all non-Twitter cookies for example. We can only do this for containers that are isolated to a site, because for long-term tasks (e.g., shopping for a mortgage) may desire long-lived tracking cookies.

Making containers look different

Each container could have a different:

• window name
• icon
• background color

All of these could be generated automatically for the user and they would be customizable too. So for example, we could have a set of animal icons and names (entirely localizable) that would be picked up when you open a new container via the "new container" menu link or toolbar.

On the other hand, if you open Facebook in a separate container, then the browser could automatically pick a Facebook icon and color based on favicon and the likes that are already supplied by Facebook.

Discovering the feature

Here are a few ideas on how to surface this feature:

• Offered at the same time as "would you like to save this password?"
• Right-clicking on a tab to turn it into a "container". Similar to how we do pinned tabs, but containers would open in a new window.
• "File" | "New container" (and the equivalent "New container" button in the hamburger menu)
• New button in the URL bar in the webdev edition (aurora)
• Detect users logging in and out of a service like Twitter that doesn't have support for multiple logins, and offer the feature to them.

Related work

• Firefox add-ons:
  • Switchy
  • Priv8
  • Multifox
  • CookieSwap
• Chrome extensions:
  • Swap-my-cookies
• IE10 Browsing Sessions
• App Isolation: Get the Security of Multiple Browsers with Just One (Chromium prototype)
• "One session per window" feature request on Bugzilla