[tbb-dev] Proposal for redesigning the security controls

Georg Koppen gk at torproject.org
Thu Feb 8 08:41:00 UTC 2018

Arthur D. Edelstein:
> On Wed, Feb 7, 2018 at 4:18 AM, Georg Koppen <gk at torproject.org> wrote:
>> While preparing the proposal I tried to read up on all the older
>> discussions we had about how to improve the design of our security
>> controls. In particular, in your last comment on #21034 you seemed to be
>> thinking that we could largely avoid doing what you are suggesting above
>> by addressing the tickets you mentioned there (and probably more).
>> That's actually part of the proposal as written (see section 3.3). So, I
>> am a bit curious whether you changed your mind and if so to hear about
>> new arguments.
> My original thinking for #21034 was to try to address two problems:
>   (1) The set of options exposed by NoScript is complex.
>   (2) Users may be trying to use the (global) security slider for
> individual sites. I have. :(
> As I sort of mentioned in that comment in #21034, I think #22981
> (enabling video/audio on HTTPS sites for Medium security) will be
> particularly helpful for these two problems by making it rarely
> necessary for users at Medium Security to make adjustments via
> NoScript or the security slider. But, on the other hand, if we decide
> against #22981, then I think #21034 remains important.
> Also, since I wrote that comment, I have realized there is a another problem:
>   (3) NoScript does not respect FPI.
> so I do lean more toward some kind of solution for #22981 again.
> Each of (1), (2), and (3) have different possible solutions. For me, a
> per-site security toggle seems to be the cleanest solution to all
> three issues. But of course there are many possible alternatives that
> would solve these issues to varying degrees.
>> [snip] After all you allowed it in the first place in any context
>> and hence in this particular site context as well.
> Can you explain what you mean by this? I'm not sure I understand it.

That referred to the current way NoScript works: You are allowing, say
WebGL, for domain foo.com in a first party context because you think,
okay, WebGL on that domin is safe. But that automatically allows WebGL
in other contexts, e.g. third-party iframes where foo.com gets loaded
which are embedded in bar.com.

And to be honest I think that model makes perfect sense, which is why I
think the argument that we need FPI for NoScript from a *security* POV
is not a good one. I had this in
https://trac.torproject.org/projects/tor/ticket/21034#comment:15. Let me
quote the relevant part:

What I am trying to say is: making security decisions based on the URL
bar domain does not work. The malware from foo.com you are afraid of
does not care if there is first-party isolation on or off. It just needs
*one way* to get to you. I believe users are aware of that and expecting
that a security slider that defends them against that takes this into

So, FPI is a good means for dealing with cross-site tracking because
there it matters whether you are in a third party context or not but if
you want to defend yourself against getting exploited by content served
from a particular domain first or third party context is not relevant.

That leaves the argument of FPI for NoScript due to privacy reasons. I
am not sure I understand that one yet.

To recap: First of all the slider is a security tool and not a privacy
tool. This is a deliberate decision: we want to give every Tor Browser
user the same privacy guarantees and don't want to mix privacy with
security functionality in the slider. Some users want to adjust their
security mode according to their threat model which is why we have the
slider to begin with. And in order to defend against fingerprinting due
to different settings there are different slider levels with the idea
that there are always enough folks on each of those levels to make this
fingerprinting vector a non-issue. NoScript is helping us with that by
normalizing the fingerprint you get when you are on different levels.
But that's it privacy-wise what NoScript does.

Now, a user making exceptions for particular domains and particular
active content is already exposing themselves to tracking because they
are leaving one of the slider levels. So, I guess you suggest to not
stop the privacy problem but just to make it a bit less bad with FPI of
NoScript as far as the privacy argument is concerned?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tbb-dev/attachments/20180208/0817f70b/attachment-0001.sig>

More information about the tbb-dev mailing list