On Thu, Feb 8, 2018 at 2:09 PM, Arthur D. Edelstein <arthuredelstein@gmail.com> wrote:
> On Thu, Feb 8, 2018 at 12:48 PM Georg Koppen <gk@torproject.org> wrote:
>> Wait, I've never said that FPI makes security *worse*. I was arguing against your point that we need FPI in NoScript because that *improves* security:
> Oh — I’m sorry — that’s my mistake to have mentioned security there. I’m not sure now why I said that. I actually think FPI is neutral with respect to security, but an important feature for privacy. Apologies.
On further pondering, I can think of one use case where FPI can help with security.
Suppose I am using High Security, and I anonymously visit Stack Overflow. The pages on stackoverflow.com use a copy of jquery.min.js hosted by ajax.googleapis.com, so I decide to unblock that third-party script so the Stack Overflow site works smoothly.
Now suppose, later, I want to log into gmail.com. I fear my government is targeting me, and will instruct Google to serve me an exploit as soon as I am identified by my username. So I decide to leave all scripts disabled on Gmail, as is the default for High Security. But because I previously unblocked ajax.googleapis.com under another first party, I am nonetheless currently exposed to a targeted exploit served by a third-party script from that domain.
In general, login status can affect exploit risk significantly, so allowing blocking decisions to leak between login and non-login sites appears to be a security issue. If we modify NoScript to respect FPI, then that problem is averted.
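
The scenario in the message above, modelled as an added example that is not part of the original post and is not NoScript's code: a script allowlist keyed by script host alone, beside one keyed by first party plus script host. The class, function names, URL paths and the two-label site heuristic are assumptions made for illustration.

```javascript
// Added illustration. All names are hypothetical; this is not NoScript's API.

// Simplified first-party key: the last two host labels. A real implementation
// would compute the registrable domain from the Public Suffix List.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

class ScriptPolicy {
  constructor(respectFirstParty) {
    this.respectFirstParty = respectFirstParty;
    this.allowed = new Set();
  }
  // Global mode keys on the script host only; isolated mode keys on the
  // (first-party site, script host) pair, so a decision cannot leak across sites.
  key(pageUrl, scriptUrl) {
    const scriptHost = new URL(scriptUrl).hostname;
    return this.respectFirstParty
      ? `${siteOf(pageUrl)}|${scriptHost}`
      : scriptHost;
  }
  allow(pageUrl, scriptUrl) {
    this.allowed.add(this.key(pageUrl, scriptUrl));
  }
  isAllowed(pageUrl, scriptUrl) {
    return this.allowed.has(this.key(pageUrl, scriptUrl));
  }
}

// Constructed URLs matching the hosts named in the message.
const STACK_OVERFLOW = "https://stackoverflow.com/questions/1";
const GMAIL = "https://gmail.com/";
const JQUERY = "https://ajax.googleapis.com/jquery.min.js";

// The user unblocks the script while on Stack Overflow, then visits Gmail.
function scenario(respectFirstParty) {
  const policy = new ScriptPolicy(respectFirstParty);
  policy.allow(STACK_OVERFLOW, JQUERY);
  return {
    onStackOverflow: policy.isAllowed(STACK_OVERFLOW, JQUERY),
    onGmail: policy.isAllowed(GMAIL, JQUERY),
  };
}

console.log("global allowlist:  ", scenario(false));
console.log("first-party keyed: ", scenario(true));
```
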