Privacy/Roadmap/Tor
Advancing Anonymity
This document is a high-level vision for enhancing anonymity on the web, especially supporting the efforts of the Tor project. Not everyone wants to be completely anonymous, but we should help those who want control their anonymity online.
Related:
Vision
Ultimately, it's really hard to be anonymous online right now. On top of that, it's really hard for projects to harness Firefox as a platform that can be extended into an anonymity-instilling tool. We want it to be easy for users to be as anonymous as possible in Firefox, and it should be easy for Tor developers to make sure Firefox is easy to configure as a platform for anonymous browsing.
The goal here is not simply to build Tor into Firefox, but to make Firefox the right platform so projects like Tor can be easily deployed as a layer on top.
There are three desired outcomes that will make Firefox a better home for Tor:
- Improve Private Browsing Mode
- Optional Reduced Fingerprintability (leaky pipes)
- Robust suite of experimental/radical privacy features
- Better API-level switches for add-ons like torbutton to control Firefox's behavior
- Better local security and privacy (non-network anonymity)
Features and bugs
Currently, we're tracking patches in this spreadsheet.
Below is a high-level breakdown of the work, see the spreadsheet for bug numbers and status.
API Creation/Changes
To be effective, the Tor project needs some APIs to configure gecko in various ways. Some exist, some do not. These are internal APIs (not Web APIs) and only need acces via add-on or priveliged app interfaces.
Private Mode Enhancements
Tor uses private browsing mode to minimize unique things stored in the local client. Our implementation of private mode is not yet sufficient, so we need to provide more features either enabled by default when in private browsing, or enableable via prefs. These include making permissions manager entirely memory-only, intermediate cert store memory-only, etc.
Build-System changes
Tor needs to have a deterministic, reproducable build so they can ensure the integrity of the software from source.
Anti-Fingerprinting
In addition to private mode enhancements, Tor currently extends private mode protections to remote adversaries (the network). They do this by reducing fingerprintability -- something not perfect, but makes fingerprinting harder. This includes things like limiting number of loaded fonts per document, avoiding exposure of system colors, limiting CSS media queries, plugin blocking, etc.
Some of this can be done by updating private browsing mode (where our threat model aligns with Tor's). Others may require addition of some new prefs that change other behaviors of Firefox. The Anti-Fingerprinting stuff is more about the prefs than changing private mode.
Network and Proxy Changes
Finally, There's a category of work to provide the network and proxy changes that Tor needs. Mainly this is a tweak to our implementation of SOCKS handshake, HTTP pipeline configuration, and DNS leak stopping.
Old Feature Pages
| Items with feature pages | |||||||
|---|---|---|---|---|---|---|---|
|
The stuff below is old and will be updated to show high-level work. {{#ask: Feature roadmap::PrivacyFeature theme::Advancing Anonymity | ?# | ?Feature name# | ?Feature priority# | ?Feature stage# | ?Feature version# | ?Feature product manager# | ?Feature feature manager# | ?Feature privacy notes# | mainlabel=- | sort=Feature priority, Feature stage | format=template | limit=500 | template=FeatureListTable }}
|
Roadmap
Links to implementation plan and progress: