Tor support for Private Browsing

[diracdeltas]

It would be great to have Private Browsing mode provide similar security guarantees to Tor Browser. mikeperry has a doc (possibly out of date) re: changes that would have been needed in Chrome to make this possible: https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs. We should look into which of those apply to Brave.

Depends on #1111 #770 #242 #694 #474

[eljefedelrodeodeljefe]

So key would be to have a reliable SOCKS5 connection I guess, right? I was hoping that the Tor lib has something in the repo, but I couldn't find anything. Excuse me, since I am new to Tor, but building clients doesn't seem to be that easy or really encouraged (by documentation) unfortunately. My guess though is that node itself has capabilities to run a decent connection, since there are nice samples in libuv (see here)

I'll research a little bit.

[eljefedelrodeodeljefe]

Just to be clear: the above would suggest, to run it through a node connection somehow skipping the chrome specific parts. This will probably in any case be quite the task.

[ghost]

That idea is a good one, i would love to see something like that for sure.

[Arandhras]

I am absolutely supporting this. It would be something more that makes Brave unique with respect to all the other browsers out there.

[eljefedelrodeodeljefe]

@diracdeltas if you have a strong case for seeing this in node-core here would be the place https://github.com/nodejs/node/issues/1490 . I think i would rather settle on implementing this with tools like this and friends but both seems possible. There already is a electron plugin available, just wrapp tootallnate's tool. So implementation would be fairly easy, i guess.

[dominhhai]

How did it go?

[diracdeltas]

Update: we are investigating the idea of running Tor on a per-tab basis, described here: https://github.com/brave/browser-laptop/wiki/Brave-Tor-Support#running-tor-in-tabs. One major challenge is overcoming https://bugs.chromium.org/p/chromium/issues/detail?id=80722 on MacOS and Windows. Without it, Tor is still useful for censorship resistance and hiding IP from websites, but not fully useful for anonymity from a network attacker.

@eljefedelrodeodeljefe We are actually moving away from depending on Node in Brave and are fully using the Chromium networking stack at this point.

[balupton]

As an alternative to this. What about a standard VPN feature that Opera has: http://www.opera.com/blogs/desktop/2016/04/free-vpn-integrated-opera-for-windows-mac/

[thornjad]

@balupton I like that idea a lot, especially because of the easy added security for less technical people. However, I'd prefer the VPN alongside Tor rather than as an alternative.

[NumDeP]

@balupton @Raindeer44 @blacktop there's a better discussion here and more related to your topic - https://community.brave.com/t/2-of-3-several-necessary-extensions-addons-vpn-proxy/1753/46

I was curious and it's probably silly but firstly would Brave's blocking engine still remain active in a Tor tab because I'm surprised in the proper Tor they just haven't integrated a fork of uBlockOrigin excluding the track of course to make it as lite and efficient as possible?

How will some secure email exchanges such as Protonmail and Tutanota as well as other security orientated services work in a TPB if 'Javascript is disabled' seeing as they require it for initial log-in?

In the future when you've implemented the task bar icons 'New window - New Private window - New TPB', preferentially if TPB was continuously used, would an update still push if that was the only tab being opened every time?

[thornjad]

@NumDeP The Tor Browser Bundle does have a uBlock Origin fork in it, but the Tor protocol itself doesn't have any inherent blocking (at least as far as I'm aware). Similarly for Javascript, in that the TBB has it disabled by default but the protocol doesn't care, So if Brave just implements the protocol, it doesn't necessarily need to include the other security features TBB has, though it may end up being less secure. However, if your aim is for great security, a good VPN plus the TBB should be your choice anyway.

In the very specific case of Protonmail they actually run their own .onion site, but that's definitely the exception rather than the rule.

[tildelowengrimm]

Brave should use Tor by default for private tabs. When a user opens a private tab, they should see an informative note about protecting their browsing with Tor, along with a toggle switch where they can turn it off.

[NumDeP]

I can remember the advertisements for incognito/private @flamsmark and they indicated that those that wanted to purchase something discreetly for a spouse quite quickly without anybody finding out (locally) should use that feature. I mention this because I'm certain it was strictly recommended that users should never use the Tor network to input banking information and I making private/amnesiac tabs default to Tor would sort of corrupt it, would it not?

In relation to new documentation about Private/Incognito/Off the Record tabs, your suggestion of Amnesiac seems better to be honest and makes for a fitting acronym.

• New Window
• New Amnesiac Window
• (TAB) Tor Amnesiac Browsing

[NumDeP]

This isn't regarding the above question but one other important thing to note would be the excessive usage of the Tor functionality - meaning wouldn't it greatly slow down the network given that many may become accustomed to Tor in Brave and will continuously use it as a prerequisite?

[thornjad]

Using Tor is inherently slower than using the Internet without it, simply due to the server hopping it necessarily performs. @NumDeP are you asking what Brave should do to address this slowdown, especially if it's used often?

[NumDeP]

Hi @Raindeer44 yes sort of, though not exactly, I did invite a similar issue curtailing that #12989

It was related to the stress on the Tor network (so yes 'if it's used often') and was more so a concern because of the teams brilliant implementation of the Tor feature and baking it into private/amnesiac tabs will significantly increase the load on the Tor network, would it not?

[kjozwiak]

@riastradh-brave @diracdeltas can we close this off? Going to use this bug as the main one for the release notes. Is there a better bug that should point users to the Tor work that will be part of the release notes?

[diracdeltas]

@kjozwiak i thought we were waiting until #14143 was merged to close this but if not, it can be closed

[kjozwiak]

@diracdeltas fair enough! We'll wait till #14143 is merged 👍

[bsclifton]

Fixed with https://github.com/brave/browser-laptop/pull/14143

[user18x]

Can i disable tor???

[thornjad]

@user18x You can still open a private tab without tor, if that's what you mean.

[NumDeP]

@user18x There's a 'feature request: expose the options to disable/enable Tor'. if you're trying to disable it currently but can't really see the option.