Tor Browser: a legacy of advancing private browsing innovation

by gk | January 28, 2022

You probably know that our user-facing product for providing privacy, safety, and security online is Tor Browser. Tor Browser allows millions of people to easily exercise their human right to privacy, within the framework of a familiar web browser. For many years, Tor Browser was the only web browser freely available that provided anything like its level of anti-tracking, anti-fingerprinting, and holistic privacy protections.

In this post, we want to share a little bit of Tor Browser history with you, the origins of our features and designs, and how many of our innovative privacy and security features have been adopted by other browsers.

In the beginning: a fork of Firefox

Before Tor Browser existed, you may remember a little app called Vidalia. You could use Vidalia to start a connection to the Tor network, and if you wanted to route your web browsing through Tor, you would need to configure your browser proxy settings to do so.

This solution had many issues–in particular, configuring your proxy settings inside of a browser to use Vidalia was not an easy, user-friendly task. Additionally, while Tor provides good protections at the network level, Vidalia did not offer protections against tracking and privacy invasion that exploit the web browser itself.

In late 2007, we released the Firefox-based Tor Browser Bundle, which started to address those shortcomings. Tor Browser Bundle set important browser preferences and included Tor, Torbutton (a Firefox extension providing the necessary privacy guarantees), and other components to offer web browsing privacy and protection.

Shipping a browser bundle made browsing the web via Tor much easier, but this package turned out to not be sufficient for user experience and technical reasons.

First, Torbutton allowed users to easily toggle their connection to the Tor network on and off. This toggle concept didn’t exist in other browsers at the time, though, and we found that it contradicted the mental browsing model of most of our users–as a result, it was easy for users to shoot themselves in the foot toggling Tor off and forgetting to turn it back on again.

Additionally, providing the toggle option in a safe way turned out to be a development challenge, as it hit a number of corner cases in the Firefox code that were not particularly high on Mozilla's priority list to fix.

Further, the APIs that were available for Torbutton to work around privacy problems in Mozilla's code turned out to be less and less sufficient for our needs. In early 2011, we therefore started to streamline our browser bundle by both abandoning the Torbutton toggle model and patching Firefox where needed. For example, we added proper SOCKS5 support and fingerprinting resistance/disk avoidance patches to our fork of Firefox.

Project Uplift: bringing Tor Browser protections to Firefox

Privacy online requires all of us. Tor Browser might not be the product that every user online would use, and that’s OK–our mission is about making sure privacy is accessible and show how it can be done. That’s why we started working with Mozilla (and other vendors like Google) early on to get their Private Browsing Modes adapted according to a privacy-by-design approach and to uplift patches as soon as we wrote them.

While that process started bearing fruit with Mozilla during our work on reproducible builds, it got fully up to speed with the Tor Uplift project. From 2016 on, Mozilla dedicated several engineers to help us get our code changes into Firefox and write patches from scratch for some of our missing defenses. This was a multi-year effort which started with our "first-party isolation" work, aimed at defeating cross-site linkability and continued with upstreaming patches against browser fingerprinting.

While both patches against cross-site linkability and fingerprinting landed in Firefox code, they were set to “off” by default, giving us an easy way to activate them for Tor Browser. This helped Tor, and was a step in the right direction, but is further proof that back then, privacy was deemed not important to enable those features by default.

We would like to take the opportunity here to give a big shout out to everyone at Mozilla who made this project possible. Project Uplift does not exist anymore, but the collaboration between Mozilla and the Tor Project has been one of the most significant steps towards making the privacy standards we defend at the Tor Project a standard for the industry.

Privacy going mainstream

Today, we’re witnessing a gradual but monumental shift in a new direction. Other browser developers have taken our lead and started adding privacy and safety features to their products (and sometimes adopted our innovations into their browsers). An industry that once insisted that their business model lived and died on surveillance is now hosting conversations about privacy and making changes to third-party cookies, data collection, and tracking practices–and even allowing more user visibility and control over these options.

Part of this trend has to do with states and nations around the world passing legislation (e.g., GDPR, CCPA) with fines and consequences for companies that do not respect user privacy. After all, money has always been the motivation for change for these companies.

But beyond (or before) legislation comes the fact that people are sick and tired of using products that do not care about their right to privacy–or worse, abuse and sell their data without their consent. User research from many different sources shows that privacy is important to people while using apps or browsing the internet. In a recent survey of more than 50,000 Tor Browser users, 81% indicated they use Tor for personal privacy.

And you can see what’s present in the research in action: people are standing up both to demand privacy and defend encryption. For example, look at the recent mobilization around Apple’s plans to scan iPhones and iPads–and Apple’s decision to pause the rollout of this client-side scanning because of the loud protest by users demanding privacy. The fact that more people are understanding what’s at risk when we lose privacy, and fighting back to demand it, has made real change in the browser landscape as well.

As a result of this growing consumer demand and legislation, our focus on privacy is taking hold in the rest of the industry. Today, we’re seeing that features like Tor Browser’s “first-party isolation” have been adapted and developed further for browsers like Firefox, Safari, and Brave and are enabled by default for millions of users, giving them the tracking protection they deserve.

You can also see our influence in the browser world by looking at the Brave browser, which includes the Private Tab with Tor feature. The Private Tab with Tor brings the privacy protection that the Tor network provides to a private tab experience, with the caveat that Brave is a browser that also focuses on privacy so their browsing experience, as well as the private tab browsing experience, offers privacy protection features that other browsers don’t have.

Privacy has finally become mainstream.

There’s still more work to do

Are we done with Tor Browser, or the work to bring privacy to everyone online, given that all the major browser vendors now take privacy seriously? No doubt, today we are in a much better situation than ever before. But Tor Browser is still carrying dozens of patches around that have yet to be upstreamed to Firefox, and offers one of the most comprehensive private browsing experiences available today.

Plus, the work of protecting our users’ privacy isn’t one-and-done. We still need to keep an eye on changes in the surveillance and advertising markets, and work to neutralize new fingerprinting and tracking vectors, as they develop. This work takes time and money!

One easy way to watch progress in action is to look at the open-source tests of web browser privacy provided by privacytests.org. You can see examples of how other browsers stack up against Tor Browser, and how many tools are coming closer to offering Tor Browser’s level of protection–but that there is still more to be done.


This is a companion discussion topic for the original entry at https://blog.torproject.org/tor-browser-advancing-privacy-innovation/
6 Likes

I think that what the Tor Browser and the associated bundle really need is a clearer idea of whom they are trying to serve.

I admit that I have an axe to grind. I think that those 81 percent of the users who want “personal privacy” are a lot less important than the 16 percent who want to “stay safe as an activist”, or the 21 percent who want to “circumvent censorship”. Not only that, but to be honest, I doubt that most of the “personal privacy” users even have a clear idea of what they’re trying to protect themselves against. Certainly the phrase “personal privacy” could mean anything, so people choosing that on a poll doesn’t tell you much even if each of them does know.

The Tor tools seem to spend a lot of time on an “advertiser tracking” threat model… whereas I would like to see more time spent on a “state actor de-anonymization” threat model.

Admittedly, at this point, I’m not sure it’s practical to do much for either threat model. Countermeasures to things like Tor are getting too widely known and too easy to deploy. But the advertiser threat is probably actually the one where you have the least hope of doing real good on the ground, because having it implies the user probably wants to use parts of the Web that have, for the most point, become unusable over Tor anyway. On “mainstream” Web sites, coming in over Tor will usually either get you blocked completely, or redirected into an unescapable hall of mirrors involving infinitely repeating CAPTCHAs and endless demands to “verify” oneself… often by giving out information a lot more personal than an IP address.

On a somewhat related issue, I’ve railed before about the danger involved in making things too “easy”. I’m not saying that it’s not a good idea to, say, eliminate manual proxy configuration, because it is a good idea. At the same time, a user who cannot figure out how to configure a proxy is unlikely to have a useful understanding of what Tor does for them, may not even have any technical understanding of what they’re hiding from, and is probably going to make a bunch of fatal mistakes not directly related to Tor, to boot. The threats are inherently complicated, and trying to make things seem simple is going to lead to a bunch of people thinking that they’re protected in ways that they are not.

If the “ease of use” confuses a person with the “advertiser” threat model, frankly nothing very important will usually have been lost. But lulling somebody with the “state actor” threat model into revealing something may not be so harmless.

And I have to add another, separate comment. I personally don’t have a problem with speaking here under my own name. I’ve been publicly interested and/or involved with things like Tor for over 20 years now. My technical politics are pretty well known to anybody who’d care. But it’s very, very jarring to see the Tor Project demanding that I register and get staff approval to comment on anything… and even more jarring to see it using Discourse. Even if it’s been profiled somehow to minimize data collection, Discourse is the sort of service that’s a big part of the problem.

I suspect that the sorts of reasons I’d hear for that from the Tor Project are very, very close to the sorts of reasons I’d hear from various Web sites that block Tor users completely.

2 Likes

I too would like to see extra hardening in terms of whatever can potentially strengthen the whole project. Tor has been promoted by Edward Snowden as the most secure low latency network but this was many years ago and plenty of incidents have occurred since then, such as the ongoing unknown purpose and potential of KAX17. Working on traffic obscurification to lessen the success of timing attacks would be useful and implementing post quantum cryptography is going to become absolutely essential in the near future. The encryption is good for now but in ten years or so it will all be opened, we need a way of letting people use the network but with either no information or false information in the starting block. People can hide entry IP with a VPN but those will be opened too. Fixing it sooner means they will have less usable information against people and for those who enter for the first time after implementation of post quantum they will never be exposed.

2 Likes

Nice background history of TOR. I remember I used to do the advanced (custom) install. What that was like back then, no clue :slight_smile:

I agree with most of the above comments though. I used to run it every 3-6 months just so I knew how to use it still (well with the custom settings). Sometimes old files I download I save as text file for some reason. Here’s one in my TOR download folder: 02-16-10 _ Vidalia Bundle now comes with Polipo NOT Privoxy.txt

I just recently tried Linux Kodachi 8.15 and like it. It’s has numerous custom Firefox’s, some have A Lot of extensions for security. Just started playing with them, a fair amount so far are over my head. Going to the numerous testing websites that are bookmarked really opens your eyes just how much web browsers can leak your info. I have it in VMWare Workstation 16 and I think others should try it out, if anything to see the other extensions that are available for security. Do NOT put all those ones on your regular main web browser though. I have like 18 web browsers setup as a different profile, but mostly full separate installs (Std, Beta, Dev, Nightly) to keep things different for searching for numerous topics (with txt notes next to them). Of course I use Tor Browser ( as is ) , like now posting this. Unlike other Linux distros that can run off of a USB like YUMI and NTFS, Linux Kobachi is not one of them, need FAT32 format.

Again thanks for the history of this awesome project.

1 Like