[tbb-bugs] #21323 [Applications/Tor Browser]: Activate mixed content blocking

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri May 26 14:33:53 UTC 2017

#21323: Activate mixed content blocking
 Reporter:  arthuredelstein                      |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  TorBrowserTeam201705R,               |  Actual Points:
  GeorgKoppen201705                              |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
Changes (by gk):

 * cc: legind (added)
 * status:  needs_review => needs_information


 Replying to [comment:7 arthuredelstein]:
 > Replying to [comment:2 gk]:
 > > Replying to [ticket:21323 arthuredelstein]:
 > > > I'm informed that HTTPS-Everywhere has likely disabled any rules
 that break with mixed content blocking for active content, as suggested in
 > >
 > > What does "likely" mean? And where can I find out more about that
 > I think I misspoke here. But I've done some further investigation. I
 searched the HTTPS Everywhere codebase and found 1258/22080 rulesets (5%)
 contain `platform="mixedcontent"` attribute. These run only if active
 mixed content is allowed, as in Tor Browser.
 > I had further discussions with legind and I think he makes a pretty good
 argument that we should be blocking active mixed content nonetheless:
 > > I think for the sites that will have their rulesets disabled by
 flipping the "mixedcontent" bit, their security will be downgraded a
 little.  But their security is already compromised by the fact that active
 mixed content is being loaded on the page, which seems a huge downside.

 I don't understand that: those 5-6% of sites not being redirected to HTTPS
 because the Mixed Content Blocker kicks in means that users are staying
 effectively on HTTP pages with all the side effects. Not sure what
 "downgraded a little" means in this context. But why is their security
 already compromised with HTTPS-Everywhere redirecting *everything* to
 HTTPS? The problem here is that the MCB is interfering too early and
 basically denying the load not knowing that it would not get delivered as
 a HTTP request but an HTTPS one due to HTTPS-Everywhere rewriting it.
 Thus, there is no security compromise for those 5-6% of sites in Tor
 Browser as there is no active mixed content loaded in the first place.

 > > And for sites that aren't included in HTTPS Everywhere, ensuring
 active mixed content is not loaded on the page is a big win

 In what regard? JS loaded over HTTPS can easily redirect to JS loaded over
 HTTP and Firefox will happily execute it as the MCB does *not* kick in in
 that case. And that's just one of the problems.

 We had this discussion already 4 years ago, see #9196. So my question
 would be: What has changed meanwhile so that we should revisit our
 decision which Mike summarized in comment:5:ticket:9196:
 Given that our only choices seem to be "disable a ton more rules than we
 should", "seriously degrade the user experience of HTTPS-Everywhere
 users", and "disable mixed content until it can be done right", I think
 the least invasive choice is the third one.

 FWIW: I think what we (or better Mozilla) really should do is fixing the
 underlying issue (a.k.a
 https://bugzilla.mozilla.org/show_bug.cgi?id=878890 or #13033) which would
 avoid the need for us to pick the least bad option out of suboptimal ones.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21323#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list