Arthur D. Edelstein:
On Wed, Feb 7, 2018 at 4:18 AM, Georg Koppen gk@torproject.org wrote:
While preparing the proposal I tried to read up on all the older discussions we had about how to improve the design of our security controls. In particular, in your last comment on #21034 you seemed to be thinking that we could largely avoid doing what you are suggesting above by addressing the tickets you mentioned there (and probably more). That's actually part of the proposal as written (see section 3.3). So, I am a bit curious whether you changed your mind and if so to hear about new arguments.
My original thinking for #21034 was to try to address two problems: (1) The set of options exposed by NoScript is complex. (2) Users may be trying to use the (global) security slider for individual sites. I have. :( As I sort of mentioned in that comment in #21034, I think #22981 (enabling video/audio on HTTPS sites for Medium security) will be particularly helpful for these two problems by making it rarely necessary for users at Medium Security to make adjustments via NoScript or the security slider. But, on the other hand, if we decide against #22981, then I think #21034 remains important.
Also, since I wrote that comment, I have realized there is another problem: (3) NoScript does not respect FPI. So I do lean more toward some kind of solution for #22981 again.
Each of (1), (2), and (3) has different possible solutions. For me, a per-site security toggle seems to be the cleanest solution to all three issues. But of course there are many possible alternatives that would solve these issues to varying degrees.
[snip] After all you allowed it in the first place in any context and hence in this particular site context as well.
Can you explain what you mean by this? I'm not sure I understand it.
That referred to the current way NoScript works: You are allowing, say, WebGL for domain foo.com in a first-party context because you think, okay, WebGL on that domain is safe. But that automatically allows WebGL in other contexts, e.g. third-party iframes where foo.com gets loaded which are embedded in bar.com.
And to be honest I think that model makes perfect sense, which is why I think the argument that we need FPI for NoScript from a *security* POV is not a good one. I had this in https://trac.torproject.org/projects/tor/ticket/21034#comment:15. Let me quote the relevant part:
""" What I am trying to say is: making security decisions based on the URL bar domain does not work. The malware from foo.com you are afraid of does not care if there is first-party isolation on or off. It just needs *one way* to get to you. I believe users are aware of that and expecting that a security slider that defends them against that takes this into account. """
So, FPI is a good means for dealing with cross-site tracking, because there it matters whether you are in a third-party context or not. But if you want to defend yourself against getting exploited by content served from a particular domain, first- or third-party context is not relevant.
That leaves the argument of FPI for NoScript due to privacy reasons. I am not sure I understand that one yet.
To recap: First of all, the slider is a security tool and not a privacy tool. This is a deliberate decision: we want to give every Tor Browser user the same privacy guarantees and don't want to mix privacy with security functionality in the slider. Some users want to adjust their security mode according to their threat model, which is why we have the slider to begin with. And in order to defend against fingerprinting due to different settings, there are different slider levels, with the idea that there are always enough folks on each of those levels to make this fingerprinting vector a non-issue. NoScript is helping us with that by normalizing the fingerprint you get when you are on different levels. But that's all NoScript does privacy-wise.
Now, a user making exceptions for particular domains and particular active content is already exposing themselves to tracking because they are leaving one of the slider levels. So, I guess you suggest to not stop the privacy problem but just to make it a bit less bad with FPI of NoScript as far as the privacy argument is concerned?
Georg