Security/Contextual Identity Project/Containers: Difference between revisions

From MozillaWiki
(→‎Persisting containers: Added purpose-specific containers section)
Revision as of 07:36, 13 July 2015

lightweight persistent profiles that isolate sites from one another

Warning: This is just a draft proposal of how contextual identities might be implemented in Firefox
Mock-up of what this might look like

Description

Linux containers all share the same kernel but they have different process/networking/filesystem namespaces. Similarly, browser containers share the same browser profile and process but have different cookie/storage namespaces.

When a user creates a new container, the browser opens a new window that is visually different from the other ones, and everything loaded in that window carries a different appId [1]. In the site-specific model described below, when that window is closed all of the data related to the container's main origin is retained but the rest is cleared (e.g. a Facebook container will keep Facebook cookies to preserve the session, but it will clear all non-Facebook cookies to reduce tracking).

[1] The AppID key is linked to cookie jars, localStorage, IndexedDB, the HTTP auth cache and the HTTP data cache. It is NOT linked with history, bookmarks or add-ons.

Benefit for users

Multiple-Browsers.png

  • It allows users to be logged into more than one account on sites that don't support multiple logins. Similar to how the Google account switcher works, but for any account on the web.
    • Problem: It's ridiculous that you have to open multiple profiles or private windows just to sign into different accounts on the same web site.
    • Problem: Just use two different browsers. Firefox is my main browser and I have Chrome for when I need to log onto a different account.
    • Story: I'm a university student and my year is divided into 15 groups. Each group has got their common Gmail account to use as forum/place to upload our presentations etc. I either have to log in and log out every time I want to change class, or use another browser.
    • Story: There are many reasons why users would choose to have more than one eBay account. For example, users who like to buy and sell may want separate accounts for each activity. Other users who maintain businesses on eBay may prefer to manage separate accounts for different product lines. Whether you have one account or more, eBay expects users to manage each of their accounts effectively in order to meet the highest buyer and seller standards.
  • It’s tracking protection by any other means
    • I need to be logged into Facebook because that's how I communicate with friends and family but I don't want Facebook to track me all over the web through the Like buttons.
  • It isolates sites, so a cross-site request forgery (CSRF, also called a one-click attack) cannot reach a session held in another container.
    • If a user only opens their online banking site in a Banking container, an attacker can't exploit a CSRF vulnerability on the bank website by tricking them into clicking a link on Facebook: the click happens in the container that holds the Facebook session, so the forged request to the bank is sent from that container, where there is no bank session cookie for it to ride on. The protection only holds across containers; a link followed inside the Banking container itself still carries the bank's cookies, which is one reason the "Open Link Outside of This Container" option below matters.

Benefit for developers

  • A web developer can easily test their website by being logged in as different users at the same time.
    • For example, they can test a learning management system (e.g. Moodle) by having three containers: teacher, student, admin.
    • I work at a technology company which primarily focuses on our website. Being able to view the site with a fresh set of cookies this easily is awesome. We use incognito mode currently, but that has the limitation of each tab/window sharing one set of incognito cookies.

Site-specific Containers

Previously, our idea was to tie persistent containers to bookmarks and have a per-origin container. The way this works is by adding a new setting on the bookmark interface that, when activated, would force the browser to open Twitter in its own container. Internally the container would probably be named after the origin of the site being bookmarked.

To access this, when you type twitter.com in the URL bar, the bookmark will be picked up and the "contained" bookmark used instead.

Alternatively, when you navigate to twitter.com, the browser could show a ribbon at the top that says: "hey, you normally open this in a container, would you like to do this now?" with a button to close the tab and open a new container window.

One nice thing about tying containers to bookmarks is that we know what origin the container is meant for. This means we can clear all non-Twitter cookies, for example. We can only do this for containers that are isolated to a site, because long-term tasks (e.g., shopping for a mortgage) may require long-lived cookies that span several sites.

Since then, we recognised a few problems with per-origin containers:

  • When I sign out of a site, will that site-specific container disappear?
  • The website I signed into saves a whole bunch of cookies that are outside of its origin. How will the browser know that these out-of-origin cookies are associated with a specific site container?
  • As written above, some long-term tasks involve tying together multiple services that need to be connected to each other

To address these problems, we proposed a very simple model of purpose-specific containers.

Purpose-specific Containers

Containers-start-page.png

  • Firefox comes with a set of containers that, through user research, our users will likely need and benefit from:
    • Personal (to use at home)
    • Work (to use at the office)
    • Banking (for accessing sites with financial or sensitive information)
    • Shopping (for accessing ecommerce sites)
    • Custom (for future versions)
  • Through naming and onboarding, we gently encourage users to use different containers for different purposes, as separation limits tracking and improves security
  • A purpose-specific container can have many sites in it:
    • The Personal container can be signed into Outlook, Facebook and Twitter. Work can have Outlook, Facebook and Twitter, too.
    • The Banking container can be signed into your bank, insurance, accounting and investing websites
    • The Shopping container can be a place for Amazon, Alibaba, and other stores

Behaviors

By creating containers, we also create a notion of sites that exist outside of any container. This necessitates a few behaviors when you navigate from inside a container:

Manually-invoked navigation:

  • Right click menu will have two additional options
    • Open Link in New Tab (this opens the link in the same container)
    • Open Link Outside of This Container (this opens the link outside of the container)
    • In future versions, we'd like the ability to open a link in a specific container
  • Command-clicking a link will open that link in a new tab in the same container

Site-invoked navigation:

  • window.open always opens in the same container as the site that opened it, so as not to break single sign-on
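
The following is an added example, not code from this page or from Firefox: a small model of per-container cookie jars keyed by appId (the Description section and footnote [1]), the CSRF scenario from "Benefit for users", and the navigation rules in this section (same container vs. outside the container, window.open staying with the opener, and the site-specific close behaviour). It assumes that appId 0 stands for the ordinary non-container context and that cookies are scoped by host; the hosts, session values and the attacker's link are constructed sample data.

```javascript
// Added example (not Firefox code): per-container cookie jars keyed by appId.
// Assumption: appId 0 is the ordinary, non-container browsing context.
const DEFAULT_APP_ID = 0;

class ContainerBrowser {
  constructor() {
    this.containers = new Map([[DEFAULT_APP_ID, 'Default']]); // appId -> name
    this.jars = new Map(); // appId -> Map<host, Map<cookieName, value>>
  }

  createContainer(appId, name) {
    if (this.containers.has(appId)) throw new Error(`container ${appId} already exists`);
    this.containers.set(appId, name);
  }

  // Cookie jar for (appId, host), created on demand. The appId is part of the
  // key, which is what stops two containers from ever sharing a session.
  jar(appId, host) {
    if (!this.containers.has(appId)) throw new Error(`unknown container ${appId}`);
    if (!this.jars.has(appId)) this.jars.set(appId, new Map());
    const byHost = this.jars.get(appId);
    if (!byHost.has(host)) byHost.set(host, new Map());
    return byHost.get(host);
  }

  // A successful login sets a session cookie in the jar of the container
  // the login happened in, and nowhere else.
  login(appId, host, sessionId) {
    this.jar(appId, host).set('session', sessionId);
  }

  // A request from a tab in container appId only carries that container's
  // cookies for the target host.
  request(appId, url) {
    const { hostname, pathname, search } = new URL(url);
    const cookies = Object.fromEntries(this.jar(appId, hostname));
    return { appId, host: hostname, path: pathname + search, cookies,
             authenticated: 'session' in cookies };
  }

  // "Open Link in New Tab" keeps the container; "Open Link Outside of This
  // Container" switches to the default context.
  openLink(fromAppId, url, mode = 'same-container') {
    const target = mode === 'outside-container' ? DEFAULT_APP_ID : fromAppId;
    return this.request(target, url);
  }

  // window.open() from a site stays in the opener's container so that
  // single sign-on round trips keep their cookies.
  windowOpen(openerAppId, url) {
    return this.request(openerAppId, url);
  }

  // Site-specific variant: closing the container window keeps only the main
  // origin's cookies and drops the rest. Returns how many cookies were dropped.
  closeSiteContainer(appId, mainHost) {
    const byHost = this.jars.get(appId);
    if (!byHost) return 0;
    let dropped = 0;
    for (const host of [...byHost.keys()]) {
      if (host !== mainHost) {
        dropped += byHost.get(host).size;
        byHost.delete(host);
      }
    }
    return dropped;
  }
}

// CSRF scenario from the page, with constructed hosts and session values:
// Facebook lives in Personal (1), the bank in Banking (2). An attacker posts
// a link to a state-changing bank URL on Facebook.
function csrfScenario() {
  const b = new ContainerBrowser();
  b.createContainer(1, 'Personal');
  b.createContainer(2, 'Banking');
  b.login(1, 'facebook.com', 'fb-session-1');
  b.login(2, 'bank.example', 'bank-session-9');

  const malicious = 'https://bank.example/transfer?to=attacker&amount=1000';
  return {
    viaPersonal: b.openLink(1, malicious),                    // clicked on Facebook
    viaOutside: b.openLink(1, malicious, 'outside-container'), // opened outside
    viaBanking: b.openLink(2, malicious),                      // clicked inside Banking
    sso: b.windowOpen(2, 'https://bank.example/sso/callback'), // bank's own popup
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = csrfScenario();
  console.log('bank session attached when clicked from Personal:', r.viaPersonal.authenticated);
  console.log('bank session attached when clicked inside Banking:', r.viaBanking.authenticated);
}
```

The point of the model is that `request()` never consults any jar but the one for the requesting container, so the forged transfer from the Personal container arrives at the bank with no session cookie, while the same link followed inside the Banking container is indistinguishable from a legitimate one. That is the cross-container guarantee the page describes and also its limit.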

Making containers look different

Containers-comparison.png

Each container could have a different:

  • Name: on location bar
  • Icon: on tab and location bar
  • Color: on tab and location bar

Discovering the feature

Containers-file-menu.PNG

For v1, this feature is discoverable via the File menu. However, on Windows, the File menu is hidden until the user hits the Alt key. As a potential solution, the Containers menu could be added as an item under the ‘Hamburger’ menu on the right side of the toolbar.

Containers are not promoted front and center for a reason. Through user research, we've found that most people have only one account per website, and that they don't separate their online selves into work/home/banking/etc. Making the Containers interface accessible via an icon on the toolbar means adding one more icon to Firefox. It means more visual distraction and perception of bloat. By keeping this feature accessible under a menu item, we ensure that only users who need it will discover it.

Before this iteration, we’ve thought of a few other places to surface this feature. Some of these places were found to be more relevant to the Universal Account Switcher project.

  • Offered at the same time as "would you like to save this password?"
  • Right-clicking on a tab to turn it into a "container". Similar to how we do pinned tabs, but containers would open in a new window.
  • "File" | "New container" (and the equivalent "New container" button in the hamburger menu)
  • New button in the URL bar in the webdev edition (aurora)
  • Detect users logging in and out of a service like Twitter that doesn't have support for multiple logins, and offer the feature to them.

Related work