Hi, I'm the author of the Torbutton Firefox Extension and a Tor developer. I've recently been investigating what sort of APIs we would need to leverage Chrome's Incognito mode to build a Torbutton-like Chrome extension that creates a special privacy-enhanced and anonymous Tor+Incognito mode.
My brother Matt suggested that I mail this list with the results of my investigation and with some general privacy enhancing APIs to add to the API wishlist. There may come a time when the Tor Project will fund implementation of some or all of these APIs, but for now I figured I'd just make sure they got on the general radar, because others may have interest in them too.

I'm also looking for feedback on this list. Please let me know if any of these are complete non-starters and will never be allowed into Chrome even in the long term, or if any will require prohibitive redesign or significant engineering effort, so we can re-evaluate attempting to get funding or finding volunteers to help implement these APIs.

The APIs are ordered with the most important to Tor+Incognito appearing first.

1. Profile Manager Access

The most important API is the ability to launch Incognito-style (yet distinctly tagged) browser windows via an extra menu item, perhaps by requesting windows to be launched under specific existing or programmatically altered profiles. There are also Firefox addons like SwitchProfile that enable basic multiple identity support for users that could leverage this level of access.

2. Per-Tab/Per-Profile Settings Access

There already is a wishlist item for Settings Access, but I would like to extend the wishlist item to include a copy-on-write method of temporarily changing settings for individual tab processes or for specific profile instances.

In particular, privacy enhancing extensions will typically want access to the following settings: proxy settings, a pref to prompt before autolaunch of external apps, a pref to disable the opt-in usage tracking, prefs to modify user agent and platform strings, and a list of ports that the browser is forbidden to post/connect to.

For the purposes of filter-based extensions like Foxyproxy or NoScript, it would be ideal if settings could be applied temporarily per-tab process. However, applying settings to special Tor+Incognito profile instances would work for us.

3. Per-Plugin Enable/Disable Controls

Many plugins are not safe for privacy and security. In general, it would be nice if extensions could enable or disable which plugins are allowed for a given tab process or profile. This would enable not just Torbutton but also security-oriented addons to do things like temporarily disable plugins with known unpatched CVE advisories.

4. HTTP Request and Header Alteration

The ability to alter HTTP headers would assist in User Agent spoofing, Referrer alteration, Accept alteration, Cookie alteration, GET/POST alteration and so on for many addons. With this and the item below, it would be possible to do high-grade user agent spoofing without Chrome providing any actual preferences or additional APIs to do so.

It would also be possible to do things like remove the RLZ identifier from Google GET requests during Tor+Incognito mode, which many privacy conscious users view as a violation of trust by Google during normal Incognito mode (despite it not being 100% unique).

This could be part of the Navigator interception wishlist API. For example, in Firefox, the "on-modify-request" HTTP event allows early interception and alteration of HTTP requests.

5. JavaScript Hooking Support

It would also be useful to be able to reimplement certain JavaScript functions and objects such as navigator.* (for thorough user agent spoofing), window.Date, window.screen and window.history.

The ability to inject unprivileged 'script' tags from extension content scripts will provide the ability to create reimplementation hooks, if this injection can happen before any other script on the page is run. There does not need to be any communication between the extension and unprivileged script. It's not clear to me from the API docs if this type of injection is yet supported and if it will cause the tag to be evaluated early enough in the page load and display process.

6. Fine-grained Cookie Control

The ability to read, add and remove selected cookies would come in handy for extensions like Cookie Culler, Add-n-edit cookies, and Torbutton that protect, alter and delete specific cookies.

7. SSL Session ID Clearing

SSL Session IDs are GUIDs used to reduce round trips on the SSL handshake by providing an identifier to reference a recently established SSL session. I checked the Incognito code, and it does clear the approved SSL certificate cache, which is great. However, if a user connects to https://secure.wikileaks.org without Incognito and then opens up an Incognito window to do the same, the Session IDs remain the same across both windows, and are a unique identifier that can be used to generally track users. You can see this happen with Wireshark on Windows Chrome 3.0.195.27.

Exposing an API to completely reset the SSL state in a specific tab process or profile instance would be workable, however I could also see this code just being added to the code that already rebuilds Incognito's SSL cert caches in OffTheRecordProfileImpl::GetSSLHostState().

8. Access to Flash Cookies/Limited Filesystem Access

Assuming Tor would eventually be able to safely allow Flash or Gnash, any site with a Flash applet can still read and write cookies, leaving traces of the access to that site on the hard disk of the user and also exposing the user to tracking and correlation between regular browsing and Tor+Incognito browsing.

The Firefox addon Better Privacy simply removes these cookies from the macromedia directory for each of the major platforms, and this seems to work well, even during a running session. On operating systems that support native file locking, it may also be possible to ensure that the flash cookie directory is only readable+writeable by non-Incognito tab processes.

Thanks!
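The hook injection described in item 5, sketched as an added example that is not part of the original message and not Torbutton code. The names `SPOOF`, `installHooks`, `buildInjection` and `inject` and all spoofed values are hypothetical, and it assumes the content script runs before any page script.

```javascript
// Added example, not Torbutton code. Spoof values below are constructed.
const SPOOF = {
  navigator: { userAgent: 'ExampleAgent/1.0 (constructed)', platform: 'ExamplePlatform' },
  screen: { width: 1000, height: 800, availWidth: 1000, availHeight: 800 },
};

// Runs in the page's own (unprivileged) context. It must be self-contained:
// it is serialised to text and has no channel back to the extension.
function installHooks(win, spoof) {
  // Shadow a property with a fixed getter that page scripts cannot redefine.
  const pin = (obj, prop, value) =>
    Object.defineProperty(obj, prop, { get: () => value, enumerable: true, configurable: false });
  for (const [prop, value] of Object.entries(spoof.navigator)) pin(win.navigator, prop, value);
  for (const [prop, value] of Object.entries(spoof.screen)) pin(win.screen, prop, value);
  pin(win.history, 'length', 1); // hide how many pages this tab has visited

  // Replace window.Date with a subclass that reports UTC as the local zone.
  // Only getTimezoneOffset is covered; toString() and the local-time getters
  // would need the same treatment in a full hook.
  const RealDate = win.Date;
  win.Date = class extends RealDate {
    getTimezoneOffset() { return 0; }
  };
}

// Source text for the <script> element the content script inserts.
function buildInjection(spoof) {
  return `(${installHooks.toString()})(window, ${JSON.stringify(spoof)});`;
}

// Content-script side: add the tag to the document root so it is evaluated
// before scripts that the parser reaches later.
function inject(doc, spoof) {
  const tag = doc.createElement('script');
  tag.textContent = buildInjection(spoof);
  doc.documentElement.appendChild(tag);
  tag.remove(); // the hooks persist after the element is gone
}

// Browser only; skipped where there is no DOM (for example under Node).
if (typeof document !== 'undefined') inject(document, SPOOF);
```

If a page script runs before the tag is evaluated, it can read the real values or keep references to the original objects, which is the timing concern raised in item 5.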
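A way to script the check from item 7 that the message describes doing by eye in Wireshark, as an added example that is not part of the original message. It reads the session_id field out of captured TLS ClientHello records and reports whether two handshakes are linkable; the sample handshakes and the helper `sampleHello` are constructed for illustration.

```javascript
// Added example. Extracts the session_id a client offers in a TLS ClientHello.
// Returns the ID as hex ('' when the client offers none) or null if the bytes
// are not a complete ClientHello record.
function clientHelloSessionId(bytes) {
  // Record header: type(1) = 0x16 handshake, version(2), length(2)
  if (bytes.length < 5 || bytes[0] !== 0x16) return null;
  const recLen = (bytes[3] << 8) | bytes[4];
  if (bytes.length < 5 + recLen) return null; // truncated capture
  // Handshake header: msg_type(1) = 0x01 ClientHello, length(3)
  if (recLen < 4 || bytes[5] !== 0x01) return null;
  // Body: client_version(2) + random(32), then session_id length(1) + session_id
  const idLenAt = 5 + 4 + 2 + 32;
  if (5 + recLen <= idLenAt) return null;
  const idLen = bytes[idLenAt];
  if (idLen > 32 || idLenAt + 1 + idLen > 5 + recLen) return null;
  return Array.from(bytes.slice(idLenAt + 1, idLenAt + 1 + idLen),
    b => b.toString(16).padStart(2, '0')).join('');
}

// Two handshakes are linkable when both offer the same non-empty session ID.
function linkedBySessionId(helloA, helloB) {
  const a = clientHelloSessionId(helloA);
  const b = clientHelloSessionId(helloB);
  return a !== null && a.length > 0 && a === b;
}

// Builds a constructed ClientHello: one cipher suite, no extensions.
function sampleHello(sessionId, randomFill) {
  const body = [0x03, 0x01, ...Array(32).fill(randomFill),
    sessionId.length, ...sessionId,
    0x00, 0x02, 0x00, 0x2f, // cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    0x01, 0x00];            // compression_methods: null
  const hs = [0x01, 0x00, body.length >> 8, body.length & 0xff, ...body];
  return Uint8Array.from([0x16, 0x03, 0x01, hs.length >> 8, hs.length & 0xff, ...hs]);
}

// Constructed sample data: the same cached ID offered from two windows,
// and a handshake made after the session cache was reset (empty ID).
const cachedId = Array.from({ length: 32 }, (_, i) => 0xa0 + (i % 16));
const normalWindow = sampleHello(cachedId, 0x11);
const incognitoShared = sampleHello(cachedId, 0x22);
const incognitoReset = sampleHello([], 0x33);
```

A browser that resets SSL state for the private profile should produce the `incognitoReset` shape on its first connection to a host, never the `incognitoShared` one.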