Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_revision
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Major| Resolution:
 Keywords:  tbb-disk-leak, tbb-linkability,  |  Actual Points:
  GeorgKoppen201609, TorBrowserTeam201609,   |
  ff52-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by legind):

 Here's a friendly ping to revisit this issue, now that the transition to
 52 is complete.

 WebAssembly is a related upcoming standard in development at W3C, we
 should also keep an eye on this as well.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_revision
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Major| Resolution:
 Keywords:  tbb-disk-leak, tbb-linkability,  |  Actual Points:
  GeorgKoppen201609, TorBrowserTeam201609,   |
  ff52-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:
 tbb-disk-leak, tbb-linkability, GeorgKoppen201609,
 TorBrowserTeam201609
 =>
 tbb-disk-leak, tbb-linkability, GeorgKoppen201609,
 TorBrowserTeam201609, ff52-esr


Comment:

 ESR 52 should have the patches for the caching. We should revisit this
 ticket when switching, especially as problems without asmjs show up (see
 #21298).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_revision
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Major| Resolution:
 Keywords:  tbb-disk-leak, tbb-linkability,  |  Actual Points:
  GeorgKoppen201609, TorBrowserTeam201609|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:
 tbb-disk-leak, tbb-linkability, GeorgKoppen201609,
 TorBrowserTeam201609R
 =>
 tbb-disk-leak, tbb-linkability, GeorgKoppen201609,
 TorBrowserTeam201609
 * status:  needs_review => needs_revision


Comment:

 Dang :/ Testing patches beforehand actually helps I guess.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Major| Resolution:
 Keywords:  tbb-disk-leak, tbb-linkability,  |  Actual Points:
  GeorgKoppen201609, TorBrowserTeam201609R   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by mcs):

 The patches look OK, but do we have the GetPrivateBrowsingId() call in ESR
 45?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Major| Resolution:
 Keywords:  tbb-disk-leak, tbb-linkability,  |  Actual Points:
  GeorgKoppen201609, TorBrowserTeam201609R   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by arthuredelstein):

 Looks good to me.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  needs_review
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Major| Resolution:
 Keywords:  tbb-disk-leak, tbb-linkability,  |  Actual Points:
  GeorgKoppen201609, TorBrowserTeam201609R   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:
 tbb-disk-leak, tbb-linkability, GeorgKoppen201609,
 TorBrowserTeam201609
 =>
 tbb-disk-leak, tbb-linkability, GeorgKoppen201609,
 TorBrowserTeam201609R
 * status:  assigned => needs_review


Comment:

 bug_19417_v2 in my tor-browser repo has the fixes we need to apply to the
 browser part (the backport of Mozilla's patch and not disabling asmjs
 anymore):

 https://gitweb.torproject.org/user/gk/tor-
 browser.git/commit/?h=bug_19417_v2=ecdfc89579b6a403beda082c536a1d0b960363f5
 https://gitweb.torproject.org/user/gk/tor-
 browser.git/commit/?h=bug_19417_v2=7af178793a20483896cd657fa06bb6ddc587b3a8

 bug_19417_v4 in my torbutton repo puts the pref under the rule of the
 security slider again:

 
https://gitweb.torproject.org/user/gk/torbutton.git/commit/?h=bug_19417_v4=4953431fd7d14096a3f4217416a4578c96d40ec5

 Please review (especially the patch backport).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  assigned
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Major| Resolution:
 Keywords:  tbb-disk-leak, tbb-linkability,  |  Actual Points:
  GeorgKoppen201609, TorBrowserTeam201609|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:
 tbb-disk-leak, tbb-linkability, GeorgKoppen201606,
 TorBrowserTeam201607
 =>
 tbb-disk-leak, tbb-linkability, GeorgKoppen201609,
 TorBrowserTeam201609


Comment:

 We should backport https://hg.mozilla.org/mozilla-central/rev/07979189c602
 and let asmjs be governed by the slider again. I think we can keep the
 `NEWNYM` handling, though.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:
 |  assigned
 Priority:  High |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Major| Resolution:
 Keywords:  tbb-disk-leak, tbb-linkability,  |  Actual Points:
  GeorgKoppen201606, TorBrowserTeam201607|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by bugzilla):

 Replying to [comment:19 gk]:
 > Let's leave `tbb-crash` for #19400. This ticket is concerned with the
 cache and linkability issue.
 Are you going to file another ticket for {{{tbb-newnym}}} issue?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  assigned
 Severity:  Major|  Milestone:
 Keywords:  tbb-disk-leak, tbb-linkability,  |Version:
  GeorgKoppen201606, TorBrowserTeam201607| Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:
 |Sponsor:
-+-
Changes (by gk):

 * keywords:
 tbb-disk-leak, tbb-linkability, GeorgKoppen201606,
 TorBrowserTeam201607R
 =>
 tbb-disk-leak, tbb-linkability, GeorgKoppen201606,
 TorBrowserTeam201607
 * status:  needs_review => assigned


Comment:

 Applied to torbutton (master and maint-1.9.5) as commit
 621916d0f79336b95d7390c2e30e2c81c0d2a504 and
 48252096e210b78ab56a5623b296301929faea9f and to tor-borwser (tor-
 browser-45.2.0esr-6.5-1 and tor-browser-45.2.0esr-6.0-1) as commit
 699ae74066ddc7000a3ea5f4ed68b170d1886065 and
 9f49b80ab4a5c2326ca47f0736d0b865fa2272f9.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  needs_review
 Severity:  Major|  Milestone:
 Keywords:  tbb-disk-leak, tbb-linkability,  |Version:
  GeorgKoppen201606, TorBrowserTeam201607R   | Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:
 |Sponsor:
-+-

Comment (by mcs):

 r=brade, r=mcs
 Looks good.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  needs_review
 Severity:  Major|  Milestone:
 Keywords:  tbb-disk-leak, tbb-linkability,  |Version:
  GeorgKoppen201606, TorBrowserTeam201607R   | Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:
 |Sponsor:
-+-
Changes (by gk):

 * status:  assigned => needs_review
 * keywords:
 tbb-disk-leak, tbb-linkability, GeorgKoppen201606,
 TorBrowserTeam201607
 =>
 tbb-disk-leak, tbb-linkability, GeorgKoppen201606,
 TorBrowserTeam201607R


Comment:

 Okay, bug_19417_v2
 (https://gitweb.torproject.org/user/gk/torbutton.git/commit/?h=bug_19417_v2)
 in my Torbutton repo and bug_19417 in my tor-browser repo
 (https://gitweb.torproject.org/user/gk/tor-
 browser.git/commit/?h=bug_19417) are up for review.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  assigned
 Severity:  Major|  Milestone:
 Keywords:  tbb-disk-leak, tbb-linkability,  |Version:
  GeorgKoppen201606, TorBrowserTeam201607| Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:
 |Sponsor:
-+-
Changes (by gk):

 * keywords:
 tbb-disk-leak, tbb-linkability, tbb-crash, GeorgKoppen201606,
 TorBrowserTeam201607
 =>
 tbb-disk-leak, tbb-linkability, GeorgKoppen201606,
 TorBrowserTeam201607


Comment:

 Let's leave `tbb-crash` for #19400. This ticket is concerned with the
 cache and linkability issue.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  assigned
 Severity:  Major|  Milestone:
 Keywords:  tbb-disk-leak, tbb-linkability,  |Version:
  tbb-crash, GeorgKoppen201606,  | Resolution:
  TorBrowserTeam201607   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by cypherpunks):

 * keywords:
 tbb-disk-leak, tbb-linkability, GeorgKoppen201606,
 TorBrowserTeam201607
 =>
 tbb-disk-leak, tbb-linkability, tbb-crash, GeorgKoppen201606,
 TorBrowserTeam201607


Comment:

 Note that this bug appears to be the root cause of #19657, triggering a
 crash/ASan.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  assigned
 Severity:  Major|  Milestone:
 Keywords:  tbb-disk-leak, tbb-linkability,  |Version:
  GeorgKoppen201606, TorBrowserTeam201607| Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:
 |Sponsor:
-+-

Comment (by gk):

 Replying to [comment:15 cypherpunks]:
 > I assume simply disabling asm.js (by setting javascript.options.asmjs to
 false) is not an option here?

 It is one and I think we are going to do that as a stopgap solution.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  assigned
 Severity:  Major|  Milestone:
 Keywords:  tbb-disk-leak, tbb-linkability,  |Version:
  GeorgKoppen201606, TorBrowserTeam201606| Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:
 |Sponsor:
-+-

Comment (by cypherpunks):

 I assume simply disabling asm.js (by setting javascript.options.asmjs to
 false) is not an option here?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  assigned
 Severity:  Major|  Milestone:
 Keywords:  tbb-disk-leak, tbb-linkability,  |Version:
  GeorgKoppen201606, TorBrowserTeam201606| Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:
 |Sponsor:
-+-

Comment (by gk):

 Okay. Running the asm.js benchmark in
 https://people.torproject.org/~gk/misc/asmjscache_iframe.html generates a
 cache entry that is keyed to `https+++kripken.github.io` which happens as
 well if I run the test directly on the site.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  assigned
 Severity:  Major|  Milestone:
 Keywords:  tbb-disk-leak, tbb-linkability,  |Version:
  GeorgKoppen201606, TorBrowserTeam201606| Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:
 |Sponsor:
-+-

Comment (by gk):

 Replying to [comment:12 mcs]:
 > Replying to [comment:11 gk]:
 > > After thinking about it more it seems to me there is the additional
 risk that this mechanism could be used to embed supercookies. Like,
 deliver JS to a user that contains an identifier -> get that into the
 asmjscache -> once this is loaded anywhere ping the identifier back.
 > >
 > > Looking at https://blog.mozilla.org/luke/2014/01/14/asm-js-aot-
 compilation-and-startup-performance/ does not rule that scenario out:
 > > {{{
 > > The cache entry is keyed on: the origin of the script, the source
 characters of the asm.js module, the type of CPU and its features, the
 Firefox build-id (which changes on every major or minor release).
 > > }}}
 > > Note this would be especially problematic for Tor Browser users as we
 are currently not changing the build-id.
 > >
 > > Not sure what "the origin of the script" means but I doubt "URL bar
 domain". It could mean as well that the asmjs cache is not caring about
 starting SOP either.
 >
 > They do use principals in the asmjscache code, so maybe there is some
 protection (not enough for us though).
 >
 > Are you now thinking that we should unconditionally disable the
 asmjscache?

 Well, doing so with `javascript.options.parallel_parsing` set to `false`
 does not work at least. :) What to do depends on how serious the issue is.
 If there are no linkability issues then making it just obey PBM is fine
 with me. If it can get used to track users across sites then we might want
 to disable it first and then enable it successively as soon as this is
 fixed.

 I actually tried to find proper sites that could be loaded in an iframe
 AND would exhibit asmjscaching but I failed so far. Seeing what is
 happening on the user's disk in this case might actually be revealing. Who
 knows what "origin if the script" boils down to given that nobody was
 caring about user privacy much in this case anyway.

 > I spent a little time trying to figure out how to cleanly disable the
 cache when in private browsing mode (I was hoping progress would be
 reported in https://bugzilla.mozilla.org/show_bug.cgi?id=1047105 but that
 has not happened so far).
 >
 > For web workers, it might work to avoid calling JS::SetAsmJSCacheOps()
 inside dom/workers/RuntimeService.cpp when in private browsing mode.
 >
 > For content windows, I think we could make changes inside
 dom/base/nsJSEnvironment.cpp to ensure that AsmJSCacheOpenEntryForRead()
 and AsmJSCacheOpenEntryForWrite() do nothing when operating inside a
 private browsing mode window.

 Seems to be worth a try to me.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  assigned
 Severity:  Major|  Milestone:
 Keywords:  tbb-disk-leak, tbb-linkability,  |Version:
  GeorgKoppen201606, TorBrowserTeam201606| Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:
 |Sponsor:
-+-

Comment (by mcs):

 Replying to [comment:11 gk]:
 > After thinking about it more it seems to me there is the additional risk
 that this mechanism could be used to embed supercookies. Like, deliver JS
 to a user that contains an identifier -> get that into the asmjscache ->
 once this is loaded anywhere ping the identifier back.
 >
 > Looking at https://blog.mozilla.org/luke/2014/01/14/asm-js-aot-
 compilation-and-startup-performance/ does not rule that scenario out:
 > {{{
 > The cache entry is keyed on: the origin of the script, the source
 characters of the asm.js module, the type of CPU and its features, the
 Firefox build-id (which changes on every major or minor release).
 > }}}
 > Note this would be especially problematic for Tor Browser users as we
 are currently not changing the build-id.
 >
 > Not sure what "the origin of the script" means but I doubt "URL bar
 domain". It could mean as well that the asmjs cache is not caring about
 starting SOP either.

 They do use principals in the asmjscache code, so maybe there is some
 protection (not enough for us though).

 Are you now thinking that we should unconditionally disable the
 asmjscache?

 I spent a little time trying to figure out how to cleanly disable the
 cache when in private browsing mode (I was hoping progress would be
 reported in https://bugzilla.mozilla.org/show_bug.cgi?id=1047105 but that
 has not happened so far).

 For web workers, it might work to avoid calling JS::SetAsmJSCacheOps()
 inside dom/workers/RuntimeService.cpp when in private browsing mode.

 For content windows, I think we could make changes inside
 dom/base/nsJSEnvironment.cpp to ensure that AsmJSCacheOpenEntryForRead()
 and AsmJSCacheOpenEntryForWrite() do nothing when operating inside a
 private browsing mode window.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should not be cached to disk in Tor Browser and no linkability risk (was: asm.js files should not be cached to disk in Tor Browser)

[Tor Bug Tracker & Wiki]

#19417: asm.js files should not be cached to disk in Tor Browser and no 
linkability
risk
-+-
 Reporter:  gk   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  assigned
 Severity:  Major|  Milestone:
 Keywords:  tbb-disk-leak, tbb-linkability,  |Version:
  GeorgKoppen201606, TorBrowserTeam201606| Resolution:
Parent ID:   |  Actual Points:
 Reviewer:   | Points:
 |Sponsor:
-+-
Changes (by gk):

 * keywords:  tbb-disk-leak, GeorgKoppen201606, TorBrowserTeam201606 =>
 tbb-disk-leak, tbb-linkability, GeorgKoppen201606,
 TorBrowserTeam201606
 * cc: arthuredelstein (added)


Old description:

> #19400 revealed that asm.js files are cached to disk which violates our
> no-disk-leaks requirement. The upstream bug is
> https://bugzilla.mozilla.org/show_bug.cgi?id=1047105.

New description:

 #19400 revealed that asm.js files are cached to disk which violates at
 least our no-disk-leaks requirement. The upstream bug is
 https://bugzilla.mozilla.org/show_bug.cgi?id=1047105.

--

Comment:

 After thinking about it more it seems to me there is the additional risk
 that this mechanism could be used to embed supercookies. Like, deliver JS
 to a user that contains an identifier -> get that into the asmjscache ->
 once this is loaded anywhere ping the identifier back.

 Looking at https://blog.mozilla.org/luke/2014/01/14/asm-js-aot-
 compilation-and-startup-performance/ does not rule that scenario out:
 {{{
 The cache entry is keyed on: the origin of the script, the source
 characters of the asm.js module, the type of CPU and its features, the
 Firefox build-id (which changes on every major or minor release).
 }}}
 Note this would be especially problematic for Tor Browser users as we are
 currently not changing the build-id.

 Not sure what "the origin of the script" means but I doubt "URL bar
 domain". It could mean as well that the asmjs cache is not caring about
 starting SOP either.

 Reading between the lines on that blog post it appears to me that there is
 indeed a way to disable this whole caching mechanism with:
 `javascript.options.parallel_parsing` set to `false`. It's worth
 investigating this closer I think.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs