forked from amoghbl1/Orfox
-
Notifications
You must be signed in to change notification settings - Fork 3
/
orfox-spec.txt
97 lines (65 loc) · 4.3 KB
/
orfox-spec.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
Orfox spec
1. Background on code/project/build
BUILD-
- The Orfox code is currently almost the exact replica of Fennec and the build instructions can be found at https://wiki.mozilla.org/Mobile/Fennec/Android#Building_Fennec. Once successfully built, this source produces a folder named android_eclipse which is where the main Fennec Browser app code is present.
2. Proposed Changes
- The aim of Orfox is to match the specs of the tor browser bundle for the desktop. We plan on making it an almost exact replica of the desktop app in order to provide a similar user experience to people who have been using the desktop browser. This newly implemented browser would hopefully be a replacement application to the current Orweb app that we have.
Match Tor Browser Desktop spec:
- Bundling Add-ons: HTTPS Everywhere, No Script, Clean Exit
Android-specific changes:
- remove permissions for GPS, camera, microphone
3. Build/release process
The build release cycle still has to be decided.
4. Risks, Unknowns, Questions
5. Positives
- The vulnerabilities seen at http://xordern.net/ip-leakage-of-mobile-tor-browsers.html are not seen on Orfox.
******
Here are the privacy-enhancing preferences that are on by default:
Match Tor Browser "generic" user-agent:
setUserAgent("Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0","en-us,en;q=0.5");
Turn on proxying to local Tor / Orbot proxying by default:
PrefsHelper.setPref("network.proxy.type",1); //manual proxy settings
PrefsHelper.setPref("network.proxy.http","localhost"); //manual proxy settings
PrefsHelper.setPref("network.proxy.http_port",8118); //manual proxy settings
PrefsHelper.setPref("network.proxy.socks","localhost"); //manual proxy settings
PrefsHelper.setPref("network.proxy.socks_port",9050); //manual proxy settings
PrefsHelper.setPref("network.proxy.socks_version",5); //manual proxy settings
PrefsHelper.setPref("network.proxy.socks_remote_dns",true); //make sure dns is remote
//turn off any DNS optimization outside of standard flow
PrefsHelper.setPref("network.dns.disablePrefetch",true);
PrefsHelper.setPref("network.dns.disablePrefetchFromHTTPS",true);
Disable dish cacheing:
PrefsHelper.setPref("browser.cache.disk.enable",false);
PrefsHelper.setPref("browser.cache.memory.enable",true);
PrefsHelper.setPref("browser.cache.disk.capacity",0);
Ensure data is cleared on shutdown:
PrefsHelper.setPref("privacy.clearOnShutdown.cache",true);
PrefsHelper.setPref("privacy.clearOnShutdown.cookies",true);
PrefsHelper.setPref("privacy.clearOnShutdown.downloads",true);
PrefsHelper.setPref("privacy.clearOnShutdown.formdata",true);
PrefsHelper.setPref("privacy.clearOnShutdown.history",true);
PrefsHelper.setPref("privacy.clearOnShutdown.offlineApps",true);
PrefsHelper.setPref("privacy.clearOnShutdown.passwords",true);
PrefsHelper.setPref("privacy.clearOnShutdown.sessions",true);
PrefsHelper.setPref("privacy.clearOnShutdown.siteSettings",true);
Do Not Track!
PrefsHelper.setPref("privacy.donottrackheader.enabled",false);
PrefsHelper.setPref("privacy.donottrackheader.value",1);
Disable 3rd party cookies:
PrefsHelper.setPref("network.cookie.cookieBehavior", 1);
Don't send a referrer: PrefsHelper.setPref("network.http.sendRefererHeader", 0);
Make sure certificates are up-to-date:
PrefsHelper.setPref("security.OCSP.require", true);
PrefsHelper.setPref("security.checkloaduri",true);
Don't display mixed content (i.e. not secure content on a secure page)
PrefsHelper.setPref("security.mixed_content.block_display_content", true);
Disable peer-to-peer WebRTC leak:
PrefsHelper.setPref("media.peerconnection.enabled",false); //webrtc disabled
Disable ciphersuites that are not safe:
//disable rc4
PrefsHelper.setPref("security.ssl3.ecdh_ecdsa_rc4_128_sha",false);
PrefsHelper.setPref("security.ssl3.ecdh_rsa_rc4_128_sha",false);
PrefsHelper.setPref("security.ssl3.ecdhe_ecdsa_rc4_128_sha",false);
PrefsHelper.setPref("security.ssl3.ecdhe_rsa_rc4_128_sha",false);
PrefsHelper.setPref("security.ssl3.rsa_rc4_128_md5",false);
PrefsHelper.setPref("security.ssl3.rsa_rc4_128_sha",false);