Shifting feature sets and search engines in Tor Browser 6

The Tor project has released version 6.0 of Tor Browser. As usual, the new release brings Tor Browser's feature set up to date with the most recent Extended Support Release (ESR) version of Firefox (on which Tor Browser is based) and adds some new privacy features. But 6.0 also makes some changes that users may want to be aware of. It drops Disconnect as the default search engine and it disables several recent Firefox features—including the privacy-focused Tracking Protection feature. Those changes might sound like regressions on the privacy front, but they were mandated by the ever-shifting landscape of web services.

Tor Browser 6.0 is based on Firefox 45 ESR, which was released in March 2016. The Tor Browser announcement notes that the update should improve the performance of HTML5 video playback. There are, of course, many other improvements bundled into the updated Firefox—some of which cause problems for Tor Browser users, rather than enhancing their web-browsing experience.

Consequently, several recently added Firefox features have been disabled in Tor Browser 6.0. The user-visible deletions include high-profile features like Mozilla's Shumway runtime for Flash content, the Firefox integration for the Pocket bookmark-sharing service, and the feedback and "health report" services that relay browser information back to Mozilla. In each of these instances, the privacy risk is easy to discern: Flash content can run arbitrary code, which makes it a risk regardless of whether Adobe's binary Flash plugin or Mozilla's Shumway executes it, and the other services all send browser information to remote servers.

There are also several less-visible features disabled in the new Tor Browser release. Multicast DNS support through libmdns, which could disclose the browser's location to other computers on the local network, has been disabled, as has the "Network Tickler" feature that was used in Firefox for Android to keep WiFi connections from timing out.

Several new vectors for browser fingerprinting and user tracking have also been found and disabled. They include support for the HTTP Alternative Services header (which can be exploited by supercookies), support for the mediaDevices.enumerateDevices method, and support for some WebGL methods known to be useful for fingerprinting. There have also been some changes to further guard against fingerprinting; for example, Tor Browser now spoofs the screen.orientation property.

Some of these features were first implemented in earlier Firefox releases but left disabled by default, then enabled in a subsequent Firefox update. The response from the Tor Browser developers typifies the process that they must engage in to keep on top of the constantly evolving set of APIs available in Firefox. Similarly, there are also some recent feature additions that Tor Browser has disabled even though it is not yet clear whether they constitute a security or privacy risk. One example is the mozTCPSocket API, which is meant to be used only by privileged processes to open TCP sockets.

Although the API is not known to pose a security risk, Tor Browser 6.0 disables it, pending a fuller security audit. Also disabled for the time being are the Reader View feature, the Push API (which is meant to be exposed only to Service Workers), and the <link rel=preconnect> resource hint, which is used to tell the browser to initiate an HTTP pre-connection for a soon-to-be-requested URI. The pre-connection includes a DNS lookup, TCP handshake, and (if needed) a TLS negotiation. Is it possible that this feature, like the others, will be re-enabled in a future Tor Browser release.

A potentially puzzling move, however, is that Tor Browser 6.0 disables Firefox Tracking Protection, a feature designed to safeguard user privacy by intercepting and blocking HTTP requests sent to domains listed on a secret blacklist curated by Mozilla. As it turns out, it is the blacklist that causes the trouble. In a comment on the bug report, Tor's George Kadianakis noted two objections. One is that Mozilla exempts certain known web trackers from the blacklist because blocking them would break the functionality of too many popular web sites. The other is described in a paper [PDF] (note: SSL certificate warning) Kadianakis linked to, which describes a method that tracking services could use to bypass the blacklist. The technique uses Apache's AliasMatch directive to serve the blacklisted content through several (or, indeed, a great many) customizable URLs.

Those objections may smack of "the perfect is the enemy of the good" to some users; after all, imperfect blacklisting is surely superior to no blacklisting at all. But "cypherpunks" indicated yet another problem: the presence of the blacklist can be used to fingerprint the browser. Ultimately, the site-breakage issue seems to be the one that made the decision final, but it would not be surprising if a significant number users find the lack of Tracking Protection to be a questionable choice.

Another change that may concern Tor Browser users is that the 6.0 release no longer uses Disconnect as the default search engine. Disconnect is a meta-search engine that anonymizes search requests by relaying the search terms to other search engines, then sanitizing the results that it returns to the user (removing, for example, web-tracking measures). But, in recent months, Disconnect searches have evidently been blocked by Google, so the service has been falling back to the Bing search engine. And, as the Tor Browser 6.0 release announcement puts it, the results returned "were basically unacceptable quality-wise." Consequently, Tor Browser now uses DuckDuckGo as its default search engine, while the Disconnect team is working to resolve its issues with Google.

There are several other interesting new features to be found in Tor Browser 6.0, including a keyboard shortcut to trigger the initialization of a new Tor circuit and one to clear all browser state, close all tabs, and initiate a new Tor circuit (a feature labeled "New Identity" in the Tor Browser interface). The browser has also dropped support for SHA-1 hashes on SSL certificates and has disabled the local logging of TLS/SSL key material. OS X builds are now signed; implementing this feature required changing the internal layout of the Mac application bundle.

Furthermore, Mozilla recently disabled hash checking for Firefox's update.xml file (which the browser fetches to see if a new release has been published and, if so, to get the new release's URL). Tor Browser has re-enabled that hash check, allowing it to verify that the update file has not been tampered with. Finally, Mozilla has now made signatures mandatory on browser extensions. Tor Browser disables the signature-checking feature for its own set of pre-installed extensions (such as HTTPS Everywhere).

Tor Browser is undoubtedly a project that many web users find valuable at least some portion of the time, even if they do not use it for all of their daily browsing. But it is interesting to observe how the project can find itself in the middle of a three-way arms race, with its developers doing their best to keep up not just with the site owners and service providers who are constantly finding new ways to violate the anonymity of users, but with Firefox as well, as Mozilla implements new features and changes browser behavior with every release—not always in ways that enhance user privacy.