Firefox Private Browsing Mode, Torbutton, and Fingerprinting
Last week, Peter Eckersley and I met with the Mozilla team in Mountain view to discuss web fingerprinting, privacy and Torbutton. I gave an updated version of my Torbutton Design talk, and Peter discussed Panopticlick. Mozilla was primarily interested in hearing about these projects in the context of their Private Browsing Mode, which they unveiled in Firefox 3.5.
The primary goal of their Private Browsing Mode is to protect against a local after-the-fact attacker - an attacker that has local access to a user's filesystem after browsing has taken place. They offer some limited protections against a network adversary, but this was not their initial goal, and is primarily a side effect of trying to protect against "helpful" web services, such as Google Search History, which record your activity somewhere other than your PC.
This is a significantly weaker adversary model than the one used in the Torbutton design. As a result, from the point of view of Tor usage, Firefox Private Browsing mode suffers from a number of weaknesses that Torbutton does not.
In particular, Firefox does not presently concern itself with plugins, form and password autocompletion, SSL state, Live Bookmarks, external protocols and applications, or browser fingerprinting. The Applied Crypto research group at Stanford recently published a comparison of the four major browser's private browsing modes against a dedicated local and remote adversary which details some of these issues.
It turns out there is some developer interest inside Mozilla in improving resistance to fingerprinting, improving privacy against third party content, and hardening their Private Browsing Mode in general, despite most of these issues being outside of their original model. The current plan is to investigate what would be necessary to develop an Anonymous Browsing Mode that would either take the form of a privacy setting, an enhancement to Private Browsing Mode, or an entirely independent browsing mode. The trick now is to transform this developer interest into something that motivates the Firefox Product Management team to get fully behind the proposed improvements.
As such, Peter and I have been spending some time updating the Fingerprinting and Anonymous Browsing wiki pages to describe who would want such privacy features, and how they would behave, as well as updating and adding relevant Mozilla Bugzilla entries. I've also updated the list of Torbutton Firefox Bugs to reflect some of the more sophisticated unsolved fingerprinting issues that were brought up during our meeting.
This July, the two of us will be doing the same thing with the Google Chrome Privacy Team in Berlin while at the Privacy Enhancing Technologies Symposium. This is primarily to follow up on a meeting we had with Google in December, where we discussed the barriers to the development of a Torbutton for Google Chrome, and to discuss relevant fingerprinting issues and similar shortcomings of the Google Chrome Incognito Mode.
Look for a future blog post in August detailing the results of that discussion.