On Thu, Feb 08, 2018 at 04:32:40PM -0800, Arthur D. Edelstein wrote:
On Thu, Feb 8, 2018 at 3:08 PM, Arthur D. Edelstein <arthuredelstein@gmail.com> wrote:
In general, login status can affect exploit risk significantly, so allowing blocking decisions to leak between login and non-login sites appears to be a security issue. If we modify NoScript to respect FPI, then that problem is averted.
Another variant might be: a government wants to deliver an exploit to everyone anonymously visiting a particular (first-party) site, say embarrassing-government-secrets.com. They again force a popular CDN provider, such as ajax.googleapis.com, to provide the exploit via a third-party script for that site specifically. Again, High Security users who have already unblocked that CDN under another, non-controversial first party such as stackoverflow.com are vulnerable in the absence of FPI. So that's an example where the risk of unblocking a third-party script depends on the trust a user has in the first-party domain.
Although this seems reasonable, I think the web is a lot more complicated than we like, and it is actually terribly difficult to reason about.
There was some research conducted[0] in this area recently, here's a quote[1]:
Most of the ad tech / analytics industry is premised on keeping not just users but also website operators in the dark about privacy violations. The effort required by website operators to fully audit third parties would negate much of the benefit of offloading tasks to them.
[0] https://freedom-to-tinker.com/2018/01/12/website-operators-are-in-the-dark-a...
[1] https://twitter.com/random_walker/status/951832450468057088
That followed a short anecdote[2] related to sites including a third-party script that provided "session replay" records of a user's activity when they visit a webpage.
So the premise that third parties are trusted differently in different contexts is not easily measurable. I do find the argument you made more persuasive when a user identifies themselves (through login or some other method), but it seems like Tor Browser will not always fully protect its user, no matter what isolation is implemented, because the web of third-party includes is such a tangled mess. Most likely the only safe way to use sites at different security levels is through separating the connections by using New Identity, as you mentioned earlier.
[2] Worse, in many cases the publisher has no direct relationship with the offending third-party script. In Part 2 of our study we examined two third-party scripts which exploit a vulnerability in browsers’ built-in password managers to exfiltrate user identities. One web developer was unable to determine how the script was loaded and asked us for help. We pointed out that their site loaded an ad network (media-clic.com), which in turn loaded “themoneytizer.com”, which finally loaded the offending script from Audience Insights. These chains of redirects are ubiquitous on the web, and might involve half a dozen third parties. On some websites the majority of third parties have no direct relationship with the publisher.
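As an added illustration of the two points raised in this thread (example code, not from either poster or from NoScript): a toy model of script-allow decisions keyed globally versus per first party, plus transitive resolution of include chains like the media-clic.com -> themoneytizer.com -> Audience Insights one quoted above. The hosts example-publisher.test and audience-insights.test are constructed placeholders.

```python
# Constructed sample data: the third-party hosts each first-party page pulls in directly.
LOAD_CHAINS = {
    "stackoverflow.com": {"ajax.googleapis.com"},
    "embarrassing-government-secrets.com": {"ajax.googleapis.com"},
    "example-publisher.test": {"media-clic.com"},  # constructed publisher
}

# Constructed: third parties that in turn load further third parties (the "chain of redirects").
# audience-insights.test is a placeholder for the script host named only as "Audience Insights".
INCLUDES = {
    "media-clic.com": {"themoneytizer.com"},
    "themoneytizer.com": {"audience-insights.test"},
}


def resolve_third_parties(first_party):
    """Return every third-party host a page would load, following includes transitively."""
    seen = set()
    todo = list(LOAD_CHAINS.get(first_party, ()))
    while todo:
        host = todo.pop()
        if host not in seen:
            seen.add(host)
            todo.extend(INCLUDES.get(host, ()))
    return seen


def indirect_third_parties(first_party):
    """Hosts the publisher has no direct relationship with: reached only via another third party."""
    return resolve_third_parties(first_party) - LOAD_CHAINS.get(first_party, set())


class ScriptPolicy:
    """Allow-list of third-party script hosts, keyed either globally or per first party (FPI)."""

    def __init__(self, first_party_isolation):
        self.fpi = first_party_isolation
        self.allowed = set()

    def _key(self, first_party, third_party):
        # Without FPI the first party is ignored, so one unblock applies everywhere.
        return (first_party if self.fpi else None, third_party)

    def allow(self, first_party, third_party):
        self.allowed.add(self._key(first_party, third_party))

    def scripts_run(self, first_party):
        """Third-party scripts that would actually execute on a visit to first_party."""
        return {h for h in resolve_third_parties(first_party)
                if self._key(first_party, h) in self.allowed}
```

Unblocking ajax.googleapis.com under stackoverflow.com lets it run on embarrassing-government-secrets.com only in the non-FPI policy; the indirect set for example-publisher.test shows the hosts a site operator never chose to include.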