Commit 8700f923 authored by Tails developers

Update the Unsafe Browser's design document.

parent 4e29ab15
......@@ -46,8 +46,10 @@ when started:
0. Iceweasel is configured to use a theme with scary colors (red). To
not raise suspicion the scary theme is not used when Windows
camouflage is activated.
0. Add a small visual cue to "amnesia branding" addon (which will be
the only cue for Windows camouflage users),
0. Set the default navigation bar search engine to English Wikipedia.
This will serve as a visual indicator that the Unsafe Browser is
being used, which will be especially useful when Windows camouflage
is activated since the scary colored theme is disabled.
0. Its start page (locally stored) makes it clear that this is the Unsafe
Browser and explains the issues involved with the Unsafe Browser
and how to proceed from now on.
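Review bot: the new "Set the default navigation bar search engine to English Wikipedia" item conflicts with the item just above it, whose parenthetical still says the "amnesia branding" cue "will be the only cue for Windows camouflage users"; with this change there are two cues under camouflage (the branding addon and the Wikipedia default search engine), so that parenthetical should be updated, for example to "(which, together with the default search engine, will be the cue for Windows camouflage users)". It would also help readers to state where this default is enforced so the document can be checked against the configuration.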
......@@ -55,14 +57,18 @@ when started:
Security
--------
The Unsafe Browser is run by a separate `clearnet` user, which is
restriced to network access only; access to local services like Tor
etc. are blocked so it cannot interfere with them if compromised.
The Unsafe Browser is run by a separate `clearnet` user, wich is
allowed to make TCP connections to any port, and UDP DNS queries;
access to local services like Tor etc. are blocked so it cannot
interfere with them if compromised. Restricting the TCP ports to
HTTP(S) and DNS only is not done since some captive portals use
non-standard ports. Port restrictions are a pretty weak defense any
way since just *one* open port is enough to do anything.
The Unsafe Browser is run inside a chroot consisting of a throw away
aufs union between a read-only version of the pre-boot Tails
filesystem, and a tmpfs as the rw branch. Hence, the post-boot
filesystem (which contains any user data) isn't available to the
filesystem (which contains all user data) isn't available to the
Unsafe Browser within the chroot. The chroot and aufs union is created
upon Unsafe Browser start, and is torn down after it exits, forcefully
killing any remaining processes run from inside it.
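Review bot: typos in the rewritten security paragraph: "wich" on its first line should be "which", and "any way" at the end should be "anyway"; likewise "access to local services like Tor etc. are blocked" should read "is blocked", since the subject is "access". The new wording is more precise than the old "network access only", as it now records that TCP to any port and UDP DNS are permitted and why the ports are not restricted further; it would be worth saying explicitly whether UDP is limited to port 53 (the phrase "UDP DNS queries" implies it) so the description can be matched against the firewall rules. The unchanged context line "The chroot and aufs union is created" should be "are created" and could be fixed while this paragraph is being touched.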
......@@ -73,5 +79,5 @@ restricted for the `clearnet` user). Hence, the reason for using a
chroot is not for that purpose, but for separating its insecure
configuration from the rest of the Tails system. For instance, within
the chroot the DNS server obtained through DNS is configured as the
system resolver, which would be dangerous if it set in the outside
system resolver, which would be dangerous if used in the outside
system.
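Review bot: "the DNS server obtained through DNS" in the context line reads as circular; if the resolver address is the one handed out with the network's DHCP lease, this should presumably say "obtained through DHCP", and fixing it here would make the sentence the new "if used in the outside system" wording completes actually parse.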