Q and A with Yawning Angel
Here's an interview I just did with our own Yawning Angel, a longtime Tor developer, about his work on a Linux prototype for a sandbox for the Tor Browser.
What is a sandbox?
It’s a separate environment from the rest of your computer where you run untrusted programs. We’re running Tor Browser.
The idea is that exploits targeting Tor Browser are trapped inside the sandbox and can’t get out and mess with the rest of your computer or deanonymize you.
The amount of information Tor Browser will learn about your computer, and thereby you, will be limited. For example, the sandbox will hide things like your files, and real IP and MAC addresses from Tor Browser.
Tor Browser can only access or manipulate the insides of the sandbox. It's like Plato's Allegory of the Cave. The only reality Tor Browser knows is the inside of the sandbox (cave). We prevent it from interacting with the rest of your computer (the outside world), except via the Tor Network (shadows on the wall).
How will the sandbox help users?
It should make Tor a lot safer for users. We know there are people who try to de-anonymize Tor users by exploiting Firefox. Having Tor Browser run in a sandbox makes their life a lot harder.
Which operating system will the sandbox support?
We need a sandbox for Linux, OSX, and Windows. I’m working on the Linux one. The Tor Browser team is looking at OSX. In the future we’d like to do Windows.
Can you talk about the sandbox a bit more?
I use a Go application to manage installing and updating Tor Browser, and set up the sandbox using a utility called bubblewrap (the underlying sandboxing code also used by Flatpak) which is based around Linux's container support.
It ended up being something superficially similar to what the Subgraph OS project has done, but my approach is more targeted as "something you can just download and start using on your existing Linux system", and theirs, as far as I am aware, is more oriented around being a full OS replacement.
Why are you doing this?
It's an interesting technical challenge, and in the light of recent events like The FBI’s Quiet Plan to Begin Mass Hacking, defending users against malicious attackers at the application layer is incredibly important.
Why did we not have this before?
Developer time—we have a lot that we already need to do. We never have time to do this. We have a funding proposal to do this but I decided to do it separately from the Tor Browser team. I’ve been trying to do this since last year. This is my third attempt. I failed twice at coming up with something that I like, but the third time appears to be the charm.
What was the hardest part?
Lots of design problems. It’s incredibly complicated.
What else have you worked on?
Everything—I’ve touched a lot of our code. I designed and wrote obfs4, Meek on Android uses my code, and I work on core Tor.
When will the sandbox be available to users?
This is experimental. Right now I have something that works on my laptop. It is not user friendly at all. It’s a functional prototype. By the end of the year it will be available in alpha form for early adopters to experiment with.
What are you working on right now?
There’re a few security versus usability tradeoffs. Most users will disagree with the tradeoffs I’ve made for myself, so I have to make all that configurable. For example, do we want to give the sandbox access to the sound card? We will make it user configurable.
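To make the two points above concrete, the bubblewrap-based setup described earlier and the configurable sound-card tradeoff just mentioned, here is an added example of the kind of bwrap invocation such a launcher generates. It is not Yawning Angel's code or the prototype's own launcher. The install path BROWSER_DIR, the unix-socket directory TOR_SOCK_DIR (with tor assumed to listen on a SOCKS unix socket there), the constant hostname, the ALLOW_SOUND toggle and the ./start-tor-browser entry point are all assumptions made for the example. It goes slightly beyond the interview by showing how the pieces fit together: fresh namespaces hide the real network interfaces (so the real IP and MAC address are never visible), an empty tmpfs replaces the home directory (so the user's files are hidden), and the only route out is the bind-mounted Tor socket.

```shell
#!/bin/sh
# Added example, not the project's code: build and run a bubblewrap sandbox
# for a browser whose only way out is a Tor SOCKS unix socket.
# Assumptions (not from the interview): the browser lives in $BROWSER_DIR,
# tor listens on a unix socket in $TOR_SOCK_DIR, and the "allow sound"
# tradeoff is a single on/off toggle passed as the first argument.

BROWSER_DIR="${BROWSER_DIR:-$HOME/tor-browser}"                   # hypothetical
TOR_SOCK_DIR="${TOR_SOCK_DIR:-/run/user/$(id -u)/tor-sandbox}"   # hypothetical
ALLOW_SOUND="${ALLOW_SOUND:-0}"

# Print the bwrap argument list, one argument per line, so it can be inspected
# or passed to bwrap. Anything not listed here does not exist for the browser.
sandbox_args() {
    allow_sound="${1:-$ALLOW_SOUND}"
    # Fresh user/pid/ipc/uts/net/cgroup namespaces: no real network interfaces
    # (hence no real IP or MAC address) and no view of outside processes.
    printf '%s\n' --unshare-all --new-session --die-with-parent
    printf '%s\n' --hostname sandbox            # constant, non-identifying name
    # Read-only system directories the browser needs to load its libraries.
    for d in /usr /lib /lib64 /bin /etc/fonts /etc/ld.so.cache; do
        if [ -e "$d" ]; then printf '%s\n' --ro-bind "$d" "$d"; fi
    done
    printf '%s\n' --proc /proc --dev /dev       # private /proc, minimal /dev
    # The real home is replaced by an empty tmpfs: the user's files are hidden.
    printf '%s\n' --tmpfs /home
    printf '%s\n' --bind "$BROWSER_DIR" /home/user/tor-browser
    # Only the Tor socket directory is shared; there is no other way out.
    printf '%s\n' --bind "$TOR_SOCK_DIR" /run/tor
    printf '%s\n' --setenv HOME /home/user --setenv SOCKS_PATH /run/tor/socks
    printf '%s\n' --chdir /home/user/tor-browser
    # The configurable tradeoff: exposing the sound card widens the attack
    # surface, so it stays off unless the user asks for it.
    if [ "$allow_sound" = 1 ]; then
        printf '%s\n' --dev-bind /dev/snd /dev/snd
    fi
}

# Launch the browser inside the sandbox. Requires bwrap; collects the printed
# arguments into the positional parameters so paths with spaces stay intact.
run_sandboxed() {
    allow="${1:-$ALLOW_SOUND}"
    set --
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done <<EOF
$(sandbox_args "$allow")
EOF
    exec bwrap "$@" ./start-tor-browser
}
```

Calling `sandbox_args 0` shows the default (no sound card) argument list; `run_sandboxed 1` starts the browser with the sound card exposed. Because the network namespace is unshared, tor itself must run outside this sandbox (or in its own) and be reached only through the bind-mounted socket, which is why the socket directory is the sole writable path shared with the host apart from the browser directory.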
Mozilla is also working on something like this, right?
Mozilla is working primarily on efforts to sandbox the content, media and plugin processes (roughly a per-tab sandbox).
In our version, the entire browser is running in a sandbox.
Both projects in the long run should work to complement each other, since both are a good idea.