To Toggle, or not to Toggle: The End of Torbutton

In a random bar about two years ago, a Google Chrome developer asked me why Torbutton didn't just launch a new, clean Firefox profile/instance to deal with the tremendous number of state separation issues. Simply by virtue of him asking me this question, I realized how much better off Chrome was by implementing Incognito Mode this way and how much simpler it must have been for them overall (though they did not/do not deal with anywhere near as many issues as Torbutton does)...

So I took a deep breath, and explained how the original use model of Torbutton and my initial ignorance at the size of the problem had led me through a series of incremental improvements to address the state isolation issue one item at a time. Since the toggle model was present at the beginning of this vision quest, it was present at the end.

I realized at that same instant that in hindsight, this decision was monumentally stupid, and that I had been working harder, not smarter. However, I thought then that since we had the toggle model built, we might as well keep it: it allowed people to use their standard issue Firefoxes easily and painlessly with Tor.

I now no longer believe even this much. I think we should completely do away with the toggle model, as well as the entire idea of Torbutton as a separate piece of user-facing software, and rely solely on the Tor Browser Bundles, except perhaps with the addition of standalone Tor+Vidalia binaries for use by experts and relay operators.

The Tor Browser Bundles will include Torbutton, but we will no longer recommend that people use Torbutton without Tor Browser. Torbutton will be removed from addons.mozilla.org, and the Torbutton download page will clearly state that it is for experts only. If serious unfixed security issues begin to accumulate against the toggle model, we will stop providing Torbutton xpis at all.

I believe this shift must be done for a few reasons: some usability, some technical. Since I feel the usability issues trump the technical ones, I'll discuss them first.

Unfortunately, the Tor Project doesn't really have funding to conduct official usability studies to help us make the best choice, but I think that even without them, it is pretty clear that this migration is what we must do to improve the status quo.

I think the average user is horribly confused by both the toggle model and the need to install additional software into Firefox (or conversely, the need to *also* install Tor software onto their computers after they install Torbutton). I also think that the average user is not likely to use this software safely. They are likely to log in to sites over Tor that they shouldn't, forget which tor mode they are in, and forget which mode certain tabs were opened under. These are all nightmare situations for anonymity and privacy.

On the technical side, several factors are forcing us in the direction of a short-term fork of Firefox. The over-arching issue is that the set of bugfixes required to maintain the toggle model is a superset of those required to maintain the browser model. Trac report #39 lists the bugs we must fix for the browser model, where as to maintain the toggle model, we must fix bugs from trac report #14 in addition to the bugs in report #39.

A similar issue exists with bugs that must be fixed in Firefox. The Firefox API bugs that need to be addressed to properly support the toggle model include rather esoteric and complicated issues that few groups other than Tor will find useful.

This means more resistance from Mozilla to get the toggle mode bugs fixed or even merged, less likelihood the fixes will be used elsewhere, and more danger they will succumb to bitrot. As a result, the lag time between fix and deployment for low-priority Firefox bugs can be as long as 3 years. See Bug 280661 for an example.

The Tor Browser bugs on the other hand are more directly usable by Firefox in its own Private Browsing Mode, which makes them more likely to merge quicker, and be maintained long-term. Also, because we are releasing our own Firefox-based browser, we will also have more control over experimenting with them and deploying these fixes to our users rapidly, as opposed to waiting for the next major Firefox release.

So, we can either invest effort in improving the UI of Torbutton to better educate users to understand our particular rabbit-hole tunnel-vision of design choices, and also solving crazier Firefox bugs; or we can reconsider our user model and try to simplify our software.

We don't have the manpower (ie: enough me) to do both. This means we should go with the simpler, easier option.

We do face a small number of barriers and downsides associated with this plan. We are collecting the issues we need to address ASAP as child tickets of this bug:
https://trac.torproject.org/projects/tor/ticket/2880

Overall, the downsides seem to mostly apply to expert users and how they will adapt the custom Tor setups they have built. We don't anticipate a lot of long term issues with this group, as most of the configuration options of Torbutton will remain available, and users should still be able to install custom addons and configure their Tor Browser profile however they need (even to the point of running it side-by-side to a system tor instance that is used for non-web applications).

Additional discussion about this issue has occurred on the tor-talk mailinglist.

Hopefully this announcement doesn't ruin your day!

Anonymous

May 02, 2011

Permalink

Please don't do it :S Tor button is an easy way to use Tor, without it using Tor will be a bit painful..

Anonymous

May 02, 2011

Permalink

Looks both interesting and viable to me. My understanding of Tor Browser Bundle is that it includes several apps like proxy, tor, tor-browser (aka Firefox), Vidalia, Torbutton, etc: How does that affect distros like Debian? I mean, they wouldn't package TBB, but Vidalia, browser, etc. separately. Will it be possible to package TBB separately in distros?

See https://lists.torproject.org/pipermail/tor-talk/2011-April/020105.html for this reply.

The short answer is we're already providing our own repos for Ubuntu, Debian and Fedora for the core tor package: https://www.torproject.org/download/download-unix.html.en. The plan is to add Tor Browser Bundle to these repos:
https://trac.torproject.org/projects/tor/ticket/2879

However, we'd love for our patches against Firefox to be picked up by distros. We will be making the features controllable by about:config options, so with the patches applied, it should be possible to turn the existing torbutton package into a torbrowser-like Firefox profile that you can also apt-get, if the distros take our Firefox patches.

These repos don't include a tor browser, do they? I don't see one. Is the only option for now to just use the browser bundles available on the site? A shame, but I understand it.

The repos are for installable software. Technically, tbb isn't installed, just extracted. And most people extract it to their homedir and then run it. Not much of an installation. Plus they are gzipped tar archives, not sure what the point of converting them into a deb package would be. What are your thoughts on 'installing' tor browser from a deb repo?

Anonymous

May 02, 2011

Permalink

Probably a good choice to drop it, although creating a separate firefox profile used exclusively with tor works pretty well. This might be outside the scope of the "average" user but who is an "average" user anyway? Just finding out about tor and installing it makes you an above-average user by itself. I think that catering to the illusive "average" user has been a mistake that a lot of security developers have made in the past with no real success in adoption percentages.

However, torbutton does have problems and I would be fully behind a firefox fork that would plug all leaking holes, block plugins, delete cache and cookies etc. The only reason that I did not just plug firefox directly to the proxy and used torbutton as an intermediary is that it provided more security against leakage and decloaking attempts. Good luck with this move.

I find that most people use anonymizing software to a) access country restricted media, hulu.com for example and b) access sites blocked by government, porn for example, and these people simply google search "how to bypass web filter" and they get all these instructions to use proxies and anonymizer like tor. The most popular I know is hotshield (because a lot of blogs recommend it). So its possible for any type of user to be introduced to tor, and get confused at how tor works (they usually expect one-click-to-solve-my-problem), and finally get fedup.

Anonymous

May 02, 2011

Permalink

I've been browsing with Tor on a separate Firefox profile anyway, so the Toggle button is not so important for me. However, I don't like the idea of having to run 2 Tor instances, one for the Browser bundle and another instance for other applications. It would be great to have a package that both installs stuff permanently (Tor, Vidalia etc) and configures the selected Firefox profile to be safe (ie. all the settings, JS hooks etc.). I also hope you sort out your issues with Mozilla and maintain a common distribution -- running 2 different versions of Firefox is another example of redundancy that begs to be avoided.

Of course. It is in everybody's interest to get patches merged upstream. The hope is that experimenting with patches on our end under a more sane UI model will result in more attractive patches for Mozilla.

Anonymous

May 02, 2011

Permalink

My opinion, as a somewhat technical users, is that this is only good news for users. Having to figure out which browser I'm using is a lot easier than having to figure out whether the browser is in Tor mode and the Tor mode is working correctly. Plus now we can look at getting rid of Vidalia, embed the entire UI into the browser, and turn our attention to user fingerprinting defenses.

Anonymous

May 02, 2011

Permalink

I completely understand your decision to discontinue Tor Button if it's easier and more secure to use your own web browser version. I agree it helps lower the entry barrier for new users.

"...rely solely on the Tor Browser Bundles, except perhaps with the addition of standalone Tor+Vidalia binaries for use by experts and relay operators."

Well that's good to know. I like to proxy rss feeds in FeedDemon.

Anonymous

May 02, 2011

Permalink

hey mike i have a windows 7 machine running Tor with firefox 3.5 browser bundle. is it safer than using the new Tor browser bundle with firefox 4?

This is hard to say. We definitely don't expect anything major like proxy bypass from any of the Tor Browser Bundles. Fingerprinting issues are the major concern, and Firefox 4 may have more fingerprinting issues than Firefox 3.5, due to new HTML5, WebGL, and CSS features, but we don't have measurements on how much fingerprintability these new features provide... We do intend on doing our best to improve these issues as fast as we can, though.

Anonymous

May 02, 2011

Permalink

Please tell us in simple and plain English what you are planning to do how will affect everyday users of Tor in troubled parts of the world in which we heavily rely upon Tor to protect us from being identified and live under heavily censored Internet filtering.
Are we going to loose Tor safety ?
Anonymous.

You guys are really crazy. In a fell swoop you managed to make it impossible to (a) Use Tor for the average user without the TorButton (b) Eliminated all vestiges of the app from everywhere (c) Provided a browser which is impossible to find once you install it in Os X (show me where it (Aurora) went ? I have to unpack it from the dmg every time to use it. Yet Aurora has a Tor button - which can't be toggled, but you can certainly use a proxy switcher to do this

You are just not thinking beyond the confines of your own world of programming and expertise. Even for some average Joe like myself you just wiped yourself off the map. Is that because you are are really not the programmers who are trying to provide anonymity, but you actually work for someone else ? Get real. Sure I am going to get a flood of arguments explaining what a fool I am. Well tell you what, I may be a fool, but I sure as hell can't get this thing (TorBrowser) to work properly in Os X
Do you even CHECK what you are producing?

And as a codicil. I am sure someone is going to tell me how ungrateful I am. Yes, I am. But its you guys who built the software and want people to use it. I am your customer albeit a non paying customer. If you don't want to build solid software then don't bother building anything. Drop the pretense.

But frankly I am really tired of trying stuff that works erratically and unreliably. FIX IT or DROP IT. This is so amateur hour.

Dude, they do it for free, I was a bit annoyed by the change at first too, but they did not do it to be dicks, they did it because they provide a safe product and could no longer do so with the latest versions of firefox. Using TOR is a hastle, even with the software to make it easier. IE torbutton. It's not easy to be no one on the internet. I am a network admin by trade, and I was a comp sci major in college, who had to take many programming classes - I still don't have the knowledge to make something like this by myself. I am only reaching this post at this time because I don't read up on TOR and the update on hit me as I run a little behind as I use ubuntu, and I just got the update.

I for one am greatful I live on a planet where people make me software I am not smart enough to write myself, and give it to me for free. Sure I come accross a lot of free software that sucks, but I simply choose to not use it. I sure as hell don't blast people if I dislike the software that took them hundreds to make it and give it to me for free. Instead I like to send emails voicing issues I have with using it and how I think the product would be improved if this or that feature were added. You would be amazed at the number of open source developers reply back with something like "OMG, I never considered that, thanks for the idea!" and then you get an email a month later saying "I think I did what you wanted, install this version, let me know what you think"

Open source developers litteraly give up thier lives to make cool things for people. They sure as hell don't make money off thier projects. They have real world jobs for $$. What they do for the world is just a hobby. So yes, I think you are ungreatfull when you expect perfection out of a person who likely works a real job and likely stays home on Saturday nights writing code to improve a product he or she will never see a dime for, and gives it and it's source code away for free!!! The Code is available, if the product sucks so bad and you are so upset, take the code and run with it yourself. You are not a customer, you have the ability to change it how ever you want, just get to work.

Anonymous

May 03, 2011

Permalink

That's extremely sad to read...because of usability problems.

The biggest thing is redundancy of configuration - I have Firefox heavily customised, spend a lot of time on managing it and *really* don't want to do it twice. It's a killer, makes me want to fork Torbutton, but I don't know it's innards (or Firefox's) but I don't really have time to maintain it - so it would rot and silently become insecure w/out a warning. I really don't know what to do...

The second thing is USB-portability problems. You can't run 2 copies side by side.

And I find the switch to be a comfortable thing. Why have a separate window? Why wait 15 seconds for startup (yes, I have many addons) when a switch takes a moment?

This is an interesting point, and one that goes back to users shooting themselves in the foot unknowingly with the toggle model. Each addon you add to change your browsing experience alters your fingerprint in terms of the requests you make, and how things render. Arguably you should not be adding a whole bunch of strange addons to your anonymous browser, especially ones that alter request and rendering behavior... This just makes you stand out to exit nodes and websites, and having this same strange request and rendering fingerprint for non-tor use can technically be used to deanonymize you...

That said, we don't intend to disable the ability to install addons to the Tor Browser profile, and the future goal is to have it upgrade itself in-place using our secure updater called Thandy, which should preserve your settings.

We also envision the average user running both instances of Firefox simultaneously, but this may be problematic due to RAM consumption. We expect users tight on RAM to use a lighter browser as their primary one...

Of course, if we're lucky, our patches will all get merged upstream, no new security issues will appear against the toggle model, and you'll be able to keep running the Torbutton xpi and your tricked out combination of addons yourself for quite some time.

I'm protecting myself from ISP spying, so websites or exit nodes being able to identify me aren't a problem.

Still, doesn't Tor button protect from others reading addon information? At least Panopticlick fails with it.

Anonymous

May 03, 2011

Permalink

Will the forked Tor browser be detectable and therefore blockable by a remote website or application, allowing people to disable the browser from using their sites/apps?

Yes. We make no attempt to conceal the public list of Tor Exit Nodes. While we do not encourage blanket bans, we do provide DNSRBLs to sites to make it easier to recognize Tor users to provide them with captchas, account creation limits, and to otherwise respond to urgent cases of abuse: https://www.torproject.org/docs/faq-abuse.html.en#Bans

This applies to all versions of our software, and all packages.

As such, the anti-fingerprinting measures we apply only serve to attempt to give all Tor users a uniform fingerprint, and not to make their fingerprint necessarily identical to a web "norm".

Anonymous

May 03, 2011

Permalink

I agree with your decisions on all points. I use torbutton but it's not what I'd call "friendly" or "reliable". I'm a professional linux sysadmin and it still confused me at first...using it on Ubuntu on a laptop...so there you go.

I look forward to your fork! Also, thanks for all the hard work....I know people really appreciate it. I know I do.

Anonymous

May 03, 2011

Permalink

I am very disappointed that you have not bothered to build the tor browser for PowerPC Mac OS, even if only as a nightly build.

We always need help because there are not enough people that can take care of all things regarding Tor. Will you help us and in turn help the community to port Tor to PowerPC on Mac OS?
Just offering to help is helpful. We need your help!

Anonymous

May 03, 2011

Permalink

So is it possible to install both FireFox and the TOR browser bundle on the same computer? Or is it one or the other?

Anonymous

May 03, 2011

Permalink

Some bundle sounds nice for Windows users, but Linux uses like me won't be installing no bundle or anything. I use seperate browser profiles for different things and I always hated the whole toggle thing: What I would like is to just install the firefox extention on the firefox profile I use for tor and done. I would like "torbutton" to not have any on/off button, if it's installed then it should always be activated until I turn the extention off. this wouldn't be so hard. if something like this were to be "for experts only" then fine, as long as it's available. I really always hated the fact that torbutton allows you to turn the thing off when I have no reason to do that ever in the seperate Tor firefox profile and only a security risk.

Anonymous

May 04, 2011

Permalink

wow, finally somebody thinking about uniform fingerprint!

very good Mike, it is really out of control now with all those fingerprint options..

will you focus on all of them in your bundle?
same User Agent (even in javascript), headers, fonts, timezone, etc..?

refering paper here:
https://panopticlick.eff.org/browser-uniqueness.pdf

Anonymous

May 04, 2011

Permalink

Like others commenting above me, I stopped using Torbutton's toggle a long time ago and instead use separate Firefox profiles for surfing with or without Torbutton.

I've got a ton of add-ons installed in every profile, but sites like Deanonymizer or Browserscope are never able to tell which ones. So I'm not sure that add-ons present a fingerprinting threat.

I realize that your mind is made up, but perhaps replacing the toggle with a profile switcher could have mitigated any concerns?

P.S.: I think the "preview" for comments here is new? Thanks for that!

Anonymous

May 04, 2011

Permalink

Hey!

So Tor is pretty cool. We like it at Mozilla. If you're having problems with getting things fixed upstream, please reach out to me, as I drive a lot of bug priorities. My email is blizzard -@at@- mozilla.com.

(We get a lot a lot a lot of bugs and things just get missed from time to time.)

And there might be options for browser bundles, too, that might make your lives easier. It's worth talking about if you want to do your own browser distribution.

Thanks!

--Chris

Anonymous

May 04, 2011

Permalink

Forking is stupid, Firefox is on rapid release now and you'll always be out of date and obsolete compared to Firefox. Don't be stupid and put users at risk because you can't keep up with the security fixes.

Anonymous

May 04, 2011

Permalink

An exciting development indeed. I cannot wait to see how this turns out. So does this mean all traffic will be forced through Tor, or will end users have the option to turn it on and off. I am curious if I will be able to switch to different anonymization tools depending on situational constraints.

Either way, thanks for your work. I have used your stuff when traveling to some some very unfriendly places intertubes-wise, and I felt much safer doing things with the TorBundle.

Anonymous

May 05, 2011

Permalink

I don't think this is good idea. You could keep both; developing Firefox add-on and fork your browser. Firefox is more powerful & has very big community. One thing more i like it too much is the Firefox Add-ons repository, so please keep add-on there.

We could, eh? Did you look at the number of tickets of those two trac reports mentioned in the article (#14 vs #39+#14)? Are you volunteering to fix the bugs in the toggle trac report (#14)?

You realize that otherwise, all of these tickets need to be solved by me, right? And Torbutton is not even the only thing I work on with Tor. I also work on 3 other pieces of the system..

Anonymous

May 05, 2011

Permalink

I don't think there's necessarily "more resistance from Mozilla" for getting Tor fixes into Firefox.

Bug 280661 isn't really a great example... No one in that bug said we didn't want it; the difficulty in getting it reviewed was largely that the SOCKS code is crufty, unowned that no one is actively working on it. I'll be the first to admit that out review process can be confusing and slow, and the delay between the first patch appearing (Nov 2009) and getting a review (August 2010) really really sucks. But once that happened the patch author didn't update the patch (to fix problems found in review) for 4 more months. When it was, the updated patch got reviewed again -- within a week! -- but again wasn't updated to address review issues for another 2 months. Eventually the reviewer took over the patch, and it got wrapped up and landed in a few weeks.

So, yeah, the Mozilla review process failed for the the whole year the first patch was waiting. Terrible. But it wasn't at fault for the next 6 months of waiting. And those last 6 months were what caused it to miss Firefox 4.

Anyway, my intention isn't to cast blame (except for our admitted year of fail :), just to point out that things are more complicated than it taking "3 years to fix and deploy".

While I don't have the time to fix the Tor-priority bugs myself, I'm more than happy to help with process issues and poke people as needed to help move things along in a more timely manner. Let me know where I can help, we don't want things to be painful!

(Justin Dolske, Firefox developer)

You're right. Bug 280661 isn't a representative example for most of the bugs I'm talking about that apply to the toggle model either. It only exemplifies how the review process can make things painful in terms of forcing us to delay for months on something if we miss a deadline by a few days/weeks. If we have our own browser as our only recommended software, this problem goes away.

But, it is not the only problem with the toggle model, as I said in the post.

In addition to the disparity I mentioned in our own Trac Report bug lists, we also have had a whole bunch of Firefox bugs that only make sense to fix for Torbutton as a toggle model extension:
https://www.torproject.org/torbutton/en/design/#ToggleModelBugs

We've been trying to figure out how to even approach some of these for years, as they require expertise of someone who understands deep magic of the JS interpreter, network request paths, and TLS details. We get little feedback or help from Mozilla developers who are naturally busy with other things that are more important to Mozilla as a whole. There are also a ton of additional bugs that used to be on this list that we've since discovered hackish workarounds for (like clearing SSL Session ID state and OCSP state by toggling a pref) that probably should have been solved better. It is questionable if anyone else needs any of these things to be fixed, ever. At least this is the tenor of the responses we've gotten on the bug tracker in the past, and it does make sense.

If we just abandon the idea of the toggle model, all we need to do is prototype patches that are useful to Private Browsing Mode. These patches will naturally get way more attention than Tor-specific patches that only apply to the toggle model. Moreover, if we are building our own browser, we get to benefit immediately from writing these patches and testing them right away, as opposed to investing effort that may not be realized for unknown quantities of time, depending on release cycles and code freezes that are less visible to us than you may assume.

Anonymous

May 05, 2011

Permalink

Nice.
But that's a lot more work as 'only' a Torbutton?

Have you enough programers for that?
It's really more complicated?

Anonymous

May 07, 2011

Permalink

I like torbutton the way it is. Although I live in the USA and while paranoid I don't believe anyone is actively out to get me (at the moment :). I'm lucky enough to not live in a country were censorship is rampant. I still like to use tor when I need to but not all the time because here in America the network would be classified as slow. So when I don't need it I turn it off. I like the toggle model. It makes it easy. When I need it I turn it on and when I don't I turn it off.

Just my 2 cents. If I was in China or Lybia I might say just the opposite that I want the browser bundle but I'm not so I like the button.

Anonymous

May 07, 2011

Permalink

I think this is a good idea, and will make things easier for non-technical users. One thing I would suggest is to make it easy to install to and run from a USB key. Thank you.

Anonymous

May 08, 2011

Permalink

What about the support under Firefox 4. Tor button doesn't exist, can we expect that soon or not? (Windows 7 32bit , Firefox 4)

thx

Anonymous

May 08, 2011

Permalink

Hmm, I'm not so sure this is the best way to go...
We'll know quantitatively down-the-track hopefully.

Anonymous

May 12, 2011

Permalink

mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you.

Anonymous

May 14, 2011

Permalink

IMHO, a very bad idea.

Having a separate browser:
- makes it much more uncomfortable for users
- less likely to be used
- much more likely that new security holes are introduced in the fork
- much more likely that upstream security holes are not fixed in the fork