The second of three proposals.
This one basically stops the user from copying a cryptocurrency address to the clipboard if the address was delivered in a way the exit node could have tampered with it.
-tom
We discussed this at the monthly Tor/Mozilla meeting.
Nick suggested we think more critically about ways this can be bypassed. For example, the website could change the address to a QR code, requiring the user to scan it with their phone. Even if we detected QR codes, they could build a QR code out of carefully placed <div> elements.
We think the proposal still has value, but it's definitely lessened. Arthur expressed interest in potentially putting it into Firefox.
We also investigated, and discovered that this feature appears like it could be built entirely using Web Extension APIs[0], meaning it could be built for Tor Browser and Firefox simultaneously, as well as integrate nicely with Firefox's past experimentation approach.
-tom
[0] On Firefox at least; I don't think Chrome exposes an API to get the page's TLS certificate
On Thu, 7 Mar 2019 at 05:40, Tom Ritter tom@ritter.vg wrote:
The second of three proposals.
This one basically stops the user from copying a cryptocurrency address to the clipboard if the address was delivered in a way the exit node could have tampered with it.
-tom
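
A sketch of the copy-time decision summarized in this thread, added here as an illustration; it is not code from the proposal, Tor Browser or Firefox. All function names are hypothetical, and it assumes that "could have been tampered with" means a page loaded over plain http:// from a non-.onion host, and that only Bitcoin addresses are checked (SegWit by BIP173 checksum, legacy by pattern only). It inspects copied text only, so it does not see addresses rendered as QR codes, the limitation raised at the meeting.

```javascript
const CHARSET = 'qpzry9x8gf2tvdw0s3jn54khce6mua7l';
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];

// BIP173 checksum: polymod over the expanded prefix plus the 5-bit data values.
function bech32Valid(addr) {
  const s = addr.toLowerCase();
  const pos = s.lastIndexOf('1');          // separator between prefix and data
  if (pos < 1 || pos + 7 > s.length) return false;
  const values = [];
  for (const c of s.slice(0, pos)) values.push(c.charCodeAt(0) >> 5);
  values.push(0);
  for (const c of s.slice(0, pos)) values.push(c.charCodeAt(0) & 31);
  for (const c of s.slice(pos + 1)) {
    const d = CHARSET.indexOf(c);
    if (d < 0) return false;
    values.push(d);
  }
  let chk = 1;
  for (const v of values) {
    const top = chk >>> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ v;
    for (let i = 0; i < 5; i++) if ((top >>> i) & 1) chk ^= GEN[i];
  }
  return chk === 1;
}

// Returns the address-like strings found in the copied text.
function findAddresses(text) {
  const segwit = (text.match(/\bbc1[02-9ac-hj-np-z]{11,71}\b/gi) || [])
    .filter(bech32Valid);                  // checksum cuts false positives
  const legacy = text.match(/\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/g) || [];
  return segwit.concat(legacy);            // legacy: pattern match only
}

// Assumption: an exit node can alter the page only when it arrived over
// plain HTTP from a host that is not an onion service.
function exitCouldTamper(pageUrl) {
  const u = new URL(pageUrl);
  return u.protocol === 'http:' && !u.hostname.endsWith('.onion');
}

// The decision an extension would make when the user copies text.
function shouldBlockCopy(copiedText, pageUrl) {
  return exitCouldTamper(pageUrl) && findAddresses(copiedText).length > 0;
}
```

In an extension this check would run from a `copy` event listener in a content script, passing the selected text and the page URL.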