[tbb-bugs] #30394 [Applications/Tor Browser]: NoScript disabled, fails open!

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat May 4 21:23:26 UTC 2019


#30394: NoScript disabled, fails open!
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  reopened
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Changes (by cypherpunks):

 * status:  closed => reopened
 * resolution:  duplicate =>


Comment:

 Reopening as requested enhancement.

 The current software is like an OS that opens all the TCP ports into a
 root shell, if the kernel firewall fails to load. No exaggeration: The
 browser runs executable code from untrusted network sites.

 Tor Browser should start with `javascript.enabled` set to `false` by
 default, and only set it to `true` upon successful load of NoScript.

 Thanks to other cypherpunks, ticket:30394#comment:4

 In the rare event of NoScript failure, it is better to have some users
 complain "why did the web break?" than expose ''all'' users to risk
 covered by a false sense of security.

 == Steps to reproduce:

 1. Have Mozilla break their PKI (''not hypothetical:'' it happened!)
 2. Open Tor Browser
 3. Set the "Security Slider" to "High"
 4. Enjoy false sense of security while your browser runs arbitrary
 executable code from any sites you surf, their ad servers, etc.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30394#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
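
The fail-closed start-up requested in the comment above, contrasted with the fail-open behaviour it describes. This is an added example that is not part of the ticket and is not Tor Browser or NoScript code. `loadBlocker`, the `{active, policyLoaded}` state it returns and the four loader outcomes are hypothetical and constructed for the illustration; only the pref name `javascript.enabled` comes from the ticket.

```javascript
"use strict";
// Added illustration only: a model of browser start-up, not Tor Browser code.
// loadBlocker and the state it returns ({active, policyLoaded}) are hypothetical.

// Returns true only when the script blocker positively reports it is enforcing.
function blockerIsEnforcing(loadBlocker) {
  try {
    const state = loadBlocker();
    return Boolean(state) && state.active === true && state.policyLoaded === true;
  } catch (err) {
    return false; // a load error (add-on rejected at start-up) counts as "not enforcing"
  }
}

// Fail-open: scripting starts enabled and relies on the blocker to restrict it.
function startFailOpen(loadBlocker) {
  const prefs = { "javascript.enabled": true };
  const enforcing = blockerIsEnforcing(loadBlocker);
  return { prefs, enforcing, exposed: prefs["javascript.enabled"] && !enforcing };
}

// Fail-closed: scripting starts disabled and is enabled only once the blocker is confirmed.
function startFailClosed(loadBlocker) {
  const prefs = { "javascript.enabled": false };
  const enforcing = blockerIsEnforcing(loadBlocker);
  if (enforcing) prefs["javascript.enabled"] = true;
  return { prefs, enforcing, exposed: prefs["javascript.enabled"] && !enforcing };
}

// Constructed loader outcomes for the demonstration.
const loaders = {
  healthy: () => ({ active: true, policyLoaded: true }),
  disabled: () => ({ active: false, policyLoaded: false }),
  rejected: () => { throw new Error("add-on could not be verified (constructed)"); },
  halfLoaded: () => ({ active: true, policyLoaded: false }),
};

// For each outcome, report whether scripts would run with no blocker enforcing.
function compare() {
  const rows = {};
  for (const [name, loader] of Object.entries(loaders)) {
    rows[name] = {
      failOpenExposed: startFailOpen(loader).exposed,
      failClosedExposed: startFailClosed(loader).exposed,
    };
  }
  return rows;
}

console.log(compare());
```

In this model every blocker failure leaves the fail-open start-up exposed, while the fail-closed start-up leaves scripting off and the visible symptom is broken pages.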

