[tbb-dev] Proposal for redesigning the security controls

Arthur D. Edelstein arthuredelstein at gmail.com
Thu Feb 8 20:16:59 UTC 2018

On Thu, Feb 8, 2018 at 12:41 AM, Georg Koppen <gk at torproject.org> wrote:

> """
> What I am trying to say is: making security decisions based on the URL
> bar domain does not work. The malware from foo.com you are afraid of
> does not care if there is first-party isolation on or off. It just needs
> *one way* to get to you. I believe users are aware of that and expecting
> that a security slider that defends them against that takes this into
> account.
> """

I hear what you're saying here, but I don't think this reasoning
applies to NoScript as it is actually used in Tor Browser (or any
similar implementation of per-domain blocking).

Currently, if I have the global security slider set to Medium or High,
then I use the NoScript menu to *unblock* resources that were blocked
by default.  I believe enforcing FPI on such *unblocking* decisions
will not harm security. That is: if I decide to unblock thirdparty.com
under A.com, then thirdparty.com will remain blocked under B.com, but
there is no additional exploit exposure.

Whereas, with the global security slider at Low Security, everything
is already unblocked by default, so I don't have a use for the
NoScript menu. There is no useful way to make per-site *blocking*
decisions. (Deciding to block content that already ran doesn't protect
me against exploits!) So, while enforcing FPI on the user's per-domain
blocking decisions would harm security in principle, such per-domain
security upgrades aren't practical.

Therefore, it seems to me that FPI causes no harm to security for real
use cases, at least for any model like the current one, where users
choose a global default security level and then make per-site security
downgrades only (no upgrades). Of course if that's the model we adopt
going ahead, then the UI could enforce that model better.

> Now, a user making exceptions for particular domains and particular
> active content is already exposing themselves to tracking because they
> are leaving one of the slider levels. So, I guess you suggest to not
> stop the privacy problem but just to make it a bit less bad with FPI of
> NoScript as far as the privacy argument is concerned?

I think the lack of FPI in NoScript can be a significant detriment to
privacy. And it breaks our general FPI policy that users expect. With
FPI, the harm from departing from a slider level will be very minimal
because it doesn't permit cross-site tracking. What remains is only a
very weak tracking of users by their behavior across return visits to
the same site.
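The model argued for in this message (a global slider level that blocks by default, plus per-site decisions that can only *unblock*) can be sketched in a few lines. The following Python is an added example written for this archive page; it is not code from the thread, from Tor Browser, or from NoScript, and all domain names and the visit list are constructed. It compares exceptions keyed by third-party domain alone with exceptions keyed by (first-party, third-party), which is what "FPI for NoScript" means in the message.

```python
class ScriptPolicy:
    """Toy script-blocking policy following the model in the message above.

    block_by_default=True stands for the Medium/High slider levels, where
    third-party scripts are blocked until the user unblocks them.
    block_by_default=False stands for Low, where everything already runs and
    the NoScript menu has no useful per-site decision to offer.
    fpi=True keys exceptions by (first-party, third-party); fpi=False keys
    them by third-party only, so an exception made under one site applies
    under every other site too.
    """

    def __init__(self, block_by_default=True, fpi=True):
        self.block_by_default = block_by_default
        self.fpi = fpi
        self._allowed = set()  # the user's per-site unblock decisions

    def _key(self, first_party, third_party):
        return (first_party, third_party) if self.fpi else third_party

    def unblock(self, first_party, third_party):
        """The only per-site decision the model permits: a downgrade."""
        if not self.block_by_default:
            # Nothing is blocked at Low, so there is nothing to unblock, and
            # the model deliberately offers no per-site *blocking* (upgrade).
            raise ValueError("per-site exceptions only exist when blocking is the default")
        self._allowed.add(self._key(first_party, third_party))

    def allows(self, first_party, third_party):
        """Would a script from third_party run while visiting first_party?"""
        if not self.block_by_default:
            return True
        return self._key(first_party, third_party) in self._allowed


# Constructed browsing history and a constructed third-party script host.
VISITS = ["a.example", "b.example", "c.example"]
TRACKER = "thirdparty.example"


def sites_where_tracker_runs(fpi):
    """After one unblock of TRACKER under a.example, on which visited sites
    does TRACKER's script run?  Without FPI the single decision leaks to
    every site; with FPI it stays scoped to a.example."""
    policy = ScriptPolicy(block_by_default=True, fpi=fpi)
    policy.unblock("a.example", TRACKER)
    return sorted(site for site in VISITS if policy.allows(site, TRACKER))


def low_level_rejects_per_site_decisions():
    """At Low there is no per-site decision to make; the policy refuses one."""
    policy = ScriptPolicy(block_by_default=False)
    try:
        policy.unblock("a.example", TRACKER)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("classic exceptions:", sites_where_tracker_runs(fpi=False))
    print("FPI exceptions:    ", sites_where_tracker_runs(fpi=True))
    print("Low rejects unblock:", low_level_rejects_per_site_decisions())
```

The point the code makes is the one the message makes in prose: because per-site decisions are only ever downgrades, scoping them to the first party removes the cross-site exposure of a single unblock without taking any protection away, and at Low there is no per-site decision for FPI to interfere with in the first place.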
