On 4/4/14 4:52 AM, Mike Perry wrote:
> David Rajchenbach-Teller:
>> As a side-note, there is a will to make FirefoxOS very safe, but as far
>> as I know, very few people work on this actively at the moment. If you
>> are interested in contributing to this effort, I can try and find you a
>> good interlocutor.
>
> I looked into this and made contact with the FFOS team about potential
> collaboration, but it was not a priority for them. We would effectively
> be responsible for doing all of this work ourselves.
>
> This would actually be a lot of work for us to do, too. There are
> several architectural changes needed to Firefox OS in order for us to be
> able to do the things I did with Android in this post:
> https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
>
> In particular, the following is a sampling of my more major concerns:
>
> 1. Apps share a lot more state and linkable identifiers due to running
> in the same parent Gecko process (and sharing much of the HTTP stack).
Actually, that's not true. Maybe you checked on B2G Desktop, which uses a
single process. On the real FirefoxOS, each app runs in its own process,
with the following exceptions:
- the browser UI (i.e. the url bar) is part of the system process;
- dialer, contacts and First Time use are three views of the same
  application.

> 2. This also means that apps are way less protected from one another
> than on Android (where everything runs as both a separate process *and*
> a separate user ID).

Each process has a distinct uid.

> 3. There are no per-app proxy settings, and individual apps can not be
> blocked from accessing the network.

Investigating the issue. I believe some work is needed here, but that
doesn't look too hard platform-wise.

> 4. The system-wide proxy settings still allow for a number of things to
> leak outside of Tor.

What kind of leaks do you have in mind?

> 5. It is my understanding that apps can source remote JS libraries over
> HTTP if they wish, and nothing prevents this. This effectively means
> that what you think is your app may not be your app at all.

By default, that is correct. What would you suggest? I know that the
system can detect attempts to access the network by an app, so I suspect
that it wouldn't be too hard to fully deactivate network access once the
app is installed.

Cheers,
 David

-- 
David Rajchenbach-Teller, PhD
Performance Team, Mozilla

-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
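Point 5 in the exchange above (an installed app can pull script from the network at run time, so "what you think is your app may not be your app") is the kind of thing a reviewer can at least check statically before an app is trusted. The following is an added example, not code from the thread, from Tor or from Firefox OS: it scans an app's HTML for `<script src=...>` references and classifies each one as local to the package, from another `app://` package, an inline `data:`/`blob:` URL, or a network fetch, and separately flags plain `http:` fetches, which carry no integrity at all. The `app://` host handling follows the Firefox OS packaged-app URL scheme; the app name `notes.gaiamobile.org` and the sample `index.html` are constructed for this example.

```javascript
'use strict';

// Added example, not code from the original thread or from Firefox OS.
// Static check for point 5 above: find every <script src=...> in an app's
// HTML and classify where the code would come from at run time. The app
// host "notes.gaiamobile.org" and the sample HTML below are constructed.

// Matches <script ... src="..."> / src='...' / src=... (exactly one of the
// three capture groups fires). Inline <script> blocks without src are skipped.
const SCRIPT_TAG = /<script\b[^>]*\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;

// Classify one src reference relative to the app's own app:// host.
//   kind:      'local' | 'other-app' | 'inline-data' | 'network' | 'protocol-relative'
//   network:   true when the bytes would be fetched over the network
//   plaintext: true when that fetch is over http: (no TLS, no integrity)
function classifyScriptSrc(src, appHost) {
  const s = src.trim();
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(s);
  if (!m) {
    if (s.startsWith('//')) {
      // Scheme is inherited from the page and cannot be resolved statically;
      // treat it as a network fetch so a reviewer looks at it.
      return { src: s, kind: 'protocol-relative', network: true, plaintext: false };
    }
    return { src: s, kind: 'local', network: false, plaintext: false };
  }
  const scheme = m[1].toLowerCase();
  if (scheme === 'app') {
    // app://<host>/path : local only if <host> is this app's own host.
    const host = s.slice(m[0].length).replace(/^\/\//, '').split('/')[0].toLowerCase();
    const kind = host === appHost.toLowerCase() ? 'local' : 'other-app';
    return { src: s, kind, network: false, plaintext: false };
  }
  if (scheme === 'data' || scheme === 'blob') {
    return { src: s, kind: 'inline-data', network: false, plaintext: false };
  }
  return { src: s, kind: 'network', network: true, plaintext: scheme === 'http' };
}

// Return one finding per <script src=...> in document order.
function findScriptSources(html, appHost) {
  const findings = [];
  SCRIPT_TAG.lastIndex = 0;
  let m;
  while ((m = SCRIPT_TAG.exec(html)) !== null) {
    const src = m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
    findings.push(classifyScriptSrc(src, appHost));
  }
  return findings;
}

function summarize(findings) {
  return {
    total: findings.length,
    network: findings.filter((f) => f.network).length,
    plaintext: findings.filter((f) => f.plaintext).length,
  };
}

// Constructed sample: index.html of a hypothetical packaged app.
const SAMPLE_APP_HOST = 'notes.gaiamobile.org';
const SAMPLE_HTML = `<!DOCTYPE html>
<html><head>
  <script src="js/app.js"></script>
  <script src='app://notes.gaiamobile.org/shared/js/l10n.js'></script>
  <script src="https://cdn.example.net/lib/jquery.min.js"></script>
  <script src=http://ads.example.com/tracker.js></script>
  <script src="//cdn.example.org/analytics.js"></script>
  <script>console.log('inline script, no src attribute');</script>
</head><body></body></html>`;

const report = findScriptSources(SAMPLE_HTML, SAMPLE_APP_HOST);
for (const f of report) {
  const tag = f.plaintext ? 'PLAINTEXT' : f.network ? 'NETWORK' : f.kind.toUpperCase();
  console.log(`${tag.padEnd(17)} ${f.src}`);
}
console.log(summarize(report));
```

Run it with `node` and read the `NETWORK` and `PLAINTEXT` lines: each one is code the package does not contain and that a proxy, a CDN or anyone on the path can swap. A clean report does not prove the app never fetches code (a script can still inject a `<script>` element or `eval` a downloaded string at run time), so this is a triage step, not a substitute for the network-cutoff that David suggests at the end of the message.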
