Tor beyond private tabs

[riastradh-brave]

We initially implemented support for Tor in private tabs on the premise that Tor is necessary to provide the 'privacy' that it seems a majority of users expect 'private tabs' to convey. However, total anonymity against all actors involved -- the next person on the computer you're using, your ISP, the remote host -- is not the only value of Tor.

• Some users are not concerned about the next person on the computer, which is the threat that traditional 'private tabs' defends against.
  • Example: I'm a user with a private laptop that I don't share with anyone. I want to keep my browsing history, my notes, my identities, &c. -- I just don't want my ISP or the remote hosts to track me.
• Some users want Tor to thwart their ISP's censorship resistance (e.g.: https://community.brave.com/t/use-tor-in-standard-tabs/26916).
  • Example: I'm a user on a network that tries to restrict controversial political content which I want to research. It blocks some VPNs, but it doesn't block Tor, or it doesn't block bridges, or it doesn't block some pluggable transport that someone has set up with Tor.
  • (We will also want bridges or pluggable transports for that: Support configuring Tor pluggable transports #12989)
• Some users want Tor for anonymity from the remote host. (This is the one we catered to first.)
  • Example: I'm reading articles about medical conditions, and I don't want Google or WebMD to build up a profile of what medical conditions or my friends or family might have.
  • Example: I'm reading articles in a newspaper, and I want to support them with Brave Payments, but I don't want them to build or sell a profile of what articles I'm interested in -- after all, Brave Payments is supposed to enable me to provide anonymous contributions to the publisher.
• Some users want Tor to thwart their ISP's surveillance, e.g. data mining for profit done by ISPs.
  • Example: I'm an American who is upset about internet regulations and the obscene power of the duopolistic ISPs unfettered by now-defunct FCC privacy rules where my market choice is between data mining over television cable or data mining over copper wire.
• Some users want Tor for location privacy from the remote host, while they still log into the remote host.
  • Example: I'm a member of a community in a social networking site that's not high-security -- that can leak users' IP addresses sometimes. I do want to log into the site, but I don't want a stalker to find me, either by breaking into the site or by sniffing the wifi at the public library -- so it's location privacy, not exactly anonymity, that I'm interested in.
• Some users want Tor for uncorrelated identities when logging into a remote host, which requires isolated Tor circuits and state in different sessions.
  • Example: I want to make a parody Twitter account of a public figure, but I don't want it to be correlated with my work Twitter account or my personal Twitter account -- and I want to make sure that even someone who gets login records from Twitter with IP addresses won't be able to use them to find me.
• Some users may want Tor for specific sites for any or all of these security properties.
  • Example: I want to use Tor for Twitter isolated from YouTube, but I want to watch YouTube videos over the normal internet.

The initial idea was 'new Tor tab'. What we first implemented was a toggle switch to make private tabs 'really private' the way the majority of users seem to expect them, rather than impose the jargon 'new Tor tab' on them. Then we switched to 'new private tab' vs 'new private tab with Tor' so that users could have control over which private tabs get to use Tor. This design is still in flux.

This is an issue to track these design decisions. I offer these user profiles as examples that we might want to support. (This is aside from background tasks for which, in the future, we might want to use Tor, e.g. version updates, ledger operations, &c.)

[elaine-jackson]

Using Tor in all tabs as well as more control over Torrc (the ability to edit the "torrc" would be an awesome feature for advanced features).

Not directly related to Brave, though in the Mozilla Firefox web browser, to use Tor I have to do the following to make it safe:

1. Proxy HTTP + DNS Traffic through Tor
2. Find and take preventative measures againist any possible leak of my real IP Address (WebRTC, DNS, IPv6, etc).
3. Have an easy way to clear cache+cookies.
4. There's no way to be 100% safe from fingerprinting.

Having all this done transparently in the background would make Brave an awesome browser for everyone.

[srirambv]

+2 from https://community.brave.com/t/option-to-set-the-private-tabs-with-tor-as-the-default/27246/3 for Tor always as default

[riastradh-brave]

@nsuchy FYI, the Tor Browser (which is based on Firefox) and Brave both take these steps, and if you find leaks, we're interested to hear issues filed about them.

[riastradh-brave]

Reopened for brave-core: brave/brave-browser#811