[tbb-dev] Proposal for redesigning the security controls

Georg Koppen gk at torproject.org
Tue Feb 6 07:05:00 UTC 2018

Tom Ritter:
> On 1 February 2018 at 19:33, Arthur D. Edelstein
> <arthuredelstein at gmail.com> wrote:
>> 1. A current problem we have with NoScript is that it does not respect
>> first-party isolation (FPI), which is both a security and privacy
>> issue. For example, if I set the Security Settings to Medium, and
>> visit youtube.com, and click on the NoScript button to unblock media
>> from YouTube.com, then embedded YouTube videos are now unblocked on
>> all other websites. The same goes for more subtle things like Google
>> Analytics scripts. So I'd propose we try to get FPI working for
>> NoScript unblocking, similar to our enforcement of FPI for Permissions
>> from #21569. That's especially important if we emphasize that controls
>> in the URL bar or the Permissions door-hanger are intended for
>> per-site use.
> Oof, yea NoScript should get FPI treatment.
>> 2. The Security Slider is also quite dangerous if used for per-site
>> purposes. If a user decides they want to visit A.com at "Low" Security
>> and B.com at "High" Security, they have to be very careful not to
>> accidentally expose B.com to "Low" Security. A simple click of the
>> back button could result in a mistake. Or, if the user has multiple
>> tabs or windows open, and they switch the Security Slider, because of
>> the current tab, they apply the new security setting to all open tabs,
>> which could result in accidental unwanted exposure to dangerous
>> content in background tabs.
>> Therefore, I'm wondering if putting the Security Slider on the toolbar
>> might actually increase the danger for some users by encouraging its
>> frequent use. A possibly safer approach could be to display the global
>> Security Slider either embedded in the about:tor page, or in a prompt
>> at startup. That way we can force users to make a one-time decision
>> for the global setting and discourage them from changing it repeatedly
>> while they browse.
>> Yet another approach could be to invoke "New Identity" whenever
>> Security Settings are changed, such that all tabs are closed and a new
>> empty window is opened before the new global setting takes effect. (Of
>> course users would need to be warned and given the option to cancel.)
> Why not make the security slider per-site?  Have a default slider
> setting, and a per-first-party override.
> Glancing things over, engineering-wise it looks like it'd mostly be
> not-that-difficult plumbing. I mean you probably couldn't bang it out
> in a week, but maybe a couple? The hardest part is trying to do it in
> such a way that it becomes upliftable....
> I'm pretty sure this has been discussed before, but I guess I forget
> where the discussion went...

I guess https://trac.torproject.org/projects/tor/ticket/21034 has the
discussion you were looking for.
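
Added example, not part of the original thread and not NoScript or Tor Browser code: a minimal model of the two ideas discussed above, contrasting an unblock grant keyed only by the embedded site with one keyed by (first party, embedded site), and a default security level with a per-first-party override. All class and function names are hypothetical, and the site names other than youtube.com are constructed.

```javascript
// Added illustration. Class and function names are hypothetical,
// not NoScript or Tor Browser APIs. Site strings are assumed to be
// already-normalized first-party domains.
const LEVELS = ["low", "medium", "high"];

// Grant keyed by embedded site only: unblocking leaks across first parties.
class GlobalAllowlist {
  constructor() { this.allowed = new Set(); }
  allow(_firstParty, embedded) { this.allowed.add(embedded); }
  isAllowed(_firstParty, embedded) { return this.allowed.has(embedded); }
}

// Grant keyed by (first party, embedded site): the FPI treatment.
class FpiAllowlist {
  constructor() { this.allowed = new Set(); }
  key(firstParty, embedded) { return JSON.stringify([firstParty, embedded]); }
  allow(firstParty, embedded) { this.allowed.add(this.key(firstParty, embedded)); }
  isAllowed(firstParty, embedded) {
    return this.allowed.has(this.key(firstParty, embedded));
  }
}

// Default slider level plus per-first-party overrides.
class SecurityLevels {
  constructor(defaultLevel) {
    this.defaultLevel = SecurityLevels.check(defaultLevel);
    this.overrides = new Map();
  }
  static check(level) {
    if (!LEVELS.includes(level)) throw new RangeError(`unknown level: ${level}`);
    return level;
  }
  setOverride(firstParty, level) {
    this.overrides.set(firstParty, SecurityLevels.check(level));
  }
  levelFor(firstParty) { return this.overrides.get(firstParty) ?? this.defaultLevel; }
}

function demo() {
  const out = {};
  for (const [name, store] of [["global", new GlobalAllowlist()], ["fpi", new FpiAllowlist()]]) {
    store.allow("youtube.com", "youtube.com");               // unblocked while on youtube.com
    out[name] = store.isAllowed("blog.example", "youtube.com"); // embed on another site
  }
  const levels = new SecurityLevels("high");  // constructed sample sites below
  levels.setOverride("a.example", "low");
  out.a = levels.levelFor("a.example");
  out.b = levels.levelFor("b.example");
  return out;
}
```

With the origin-only store the grant made on youtube.com also applies to the embed on the other site; with the first-party-keyed store it does not, and a site without an override stays at the default level.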

