Progress Report: Coil Extension + Tor Browser

At Coil, we have recently put a lot of effort into making our extension compatible with Tor Browser so that users who want more advanced privacy features can also support their favorite content creators.

The Tor maximalist may now argue that one should not install any extension on Tor Browser since an extension can introduce privacy vulnerabilities. While this is true in general, we have put a lot of thought into making the open-source Coil extension as privacy-preserving as possible. We just recently launched a blind signature token scheme based on the cryptographic scheme of PrivacyPass to allow our users to stream micropayments without revealing who they are (more details can be found in Ben’s article).

So what prevents the Coil extension from working out of the box in Tor Browser, since it is based on the already supported Firefox Quantum engine? The first problem was the extension’s dependency on IndexedDB. Just like in Firefox Private Browsing mode, IndexedDB does not work in Tor Browser. It is a known bug that the Firefox development team is working on. This was an easy fix: we simply disabled the (unused) feature that depended on IndexedDB and witnessed the first successful Web Monetization micropayment in Tor Browser. Unfortunately, some issues still occur:

* The Coil login screen is just blank

* The Coil explore page doesn’t load perfectly

* The Coil extension is stuck in the payment setup stage

* The Coil extension says the user is logged out while s/he is logged in
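For the IndexedDB dependency described above, one way to gate a dependent feature at startup rather than assume the API works is sketched here as an added example (not code from the Coil extension). The names `probeIndexedDB` and `startOptionalFeature` and the probe database name are hypothetical.

```javascript
// Added example. Resolves true only if a throwaway database can really be
// opened; a missing factory, a synchronous throw, an error/blocked event
// and a timeout all count as "IndexedDB unavailable".
function probeIndexedDB(factory, timeoutMs = 2000) {
  return new Promise((resolve) => {
    if (!factory || typeof factory.open !== "function") return resolve(false);
    let settled = false;
    const finish = (ok) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve(ok);
    };
    // Bound the wait in case neither success nor error is ever delivered.
    const timer = setTimeout(() => finish(false), timeoutMs);
    let request;
    try {
      request = factory.open("__idb_probe__", 1); // hypothetical probe name
    } catch (err) {
      return finish(false); // open() itself threw
    }
    request.onerror = (event) => {
      // Keep the failed probe from surfacing as an unhandled error.
      if (event && event.preventDefault) event.preventDefault();
      finish(false);
    };
    request.onblocked = () => finish(false);
    request.onsuccess = () => {
      try {
        request.result.close();
        factory.deleteDatabase("__idb_probe__"); // leave no probe data behind
      } catch (err) { /* cleanup is best effort */ }
      finish(true);
    };
  });
}

// Hypothetical startup hook: only turn on the storage-backed feature when
// the probe succeeds, so the rest of the extension keeps working without it.
async function startOptionalFeature(factory, enable) {
  const available = await probeIndexedDB(factory);
  if (available) enable();
  return available ? "enabled" : "disabled";
}

// In an extension script this would be called as:
//   startOptionalFeature(globalThis.indexedDB, () => { /* init feature */ });
```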

We are still investigating why these issues occur. Some of them seem to be related to the interaction between Tor Browser and Cloudflare. While Tor wants to empower its users by granting better privacy, some black sheep exploit that feature and conduct illegal activities using the Tor Network. If Cloudflare has noticed suspicious activity from a Tor exit node before, it may either blocklist this node, denying requests to Cloudflare-proxied services, or require a CAPTCHA to be solved. The Coil extension needs to request JavaScript files, login details, and connection tokens from a server that is proxied by Cloudflare. Depending on the circuit the user is currently on, these requests succeed or fail.

We realize that this is a horrible user experience, so we are working on a solution and reaching out for help from the teams at Tor and Cloudflare. In the meantime, if the Coil login screen or explore page doesn’t load correctly, you can reset the Tor circuit and it should work once you have found a “clean” exit node. Enabling Web Monetization is a bit trickier. Since the extension resources are only loaded once, when you open the browser, a circuit reset does not do the trick. You will have to restart the browser to try again.

Since we at Coil strive to be as privacy conscious as possible, we will continue working on this issue until it is fixed. We will keep you updated!

Thanks to Georg @Tor Browser, Ben, Niq, Tiffany, Dees, and Stefan.