[tbb-dev] Proposal for redesigning the security controls

Georg Koppen gk at torproject.org
Thu Feb 8 20:48:00 UTC 2018


Arthur D. Edelstein:
> On Thu, Feb 8, 2018 at 12:41 AM, Georg Koppen <gk at torproject.org> wrote:
> 
>> """
>> What I am trying to say is: making security decisions based on the URL
>> bar domain does not work. The malware from foo.com you are afraid of
>> does not care if there is first-party isolation on or off. It just needs
>> *one way* to get to you. I believe users are aware of that and expecting
>> that a security slider that defends them against that takes this into
>> account.
>> """
> 
> I hear what you're saying here, but I don't think this reasoning
> applies to NoScript as it is actually used in Tor Browser (or any
> similar implementation of per-domain blocking).
> 
> Currently, if I have the global security slider set to Medium or High,
> then I use the NoScript menu to *unblock* resources that were blocked
> by default.  I believe enforcing FPI on such *unblocking* decisions
> will not harm security. That is: if I decide to unblock thirdparty.com
> under A.com, then thirdparty.com will remain blocked under B.com, but
> there is no additional exploit exposure.
> 
> Whereas, with the global security slider at Low Security, everything
> is already unblocked by default, so I don't have a use for the
> NoScript menu. There is no useful way to make per-site *blocking*
> decisions. (Deciding to block content that already ran doesn't protect
> me against exploits!) So, while enforcing FPI on the user's per-domain
> blocking decisions would harm security in principle, such per-domain
> security upgrades aren't practical.
> 
> Therefore, it seems to me that FPI causes no harm to security for real
> use cases, at least for any model like the current one, where users
> choose a global default security level and then make per-site security
> downgrades only (no upgrades). Of course if that's the model we adopt
> going ahead, then the UI could enforce that model better.

Wait, I've never said that FPI makes security *worse*. I was arguing
against your point that we need FPI in NoScript because that *improves*
security:

"""
A current problem we have with NoScript is that it does not respect
first-party isolation (FPI), which is both a *security* and privacy
issue. (emphasis mine)
"""

So, yes, I still think *security* decisions based on the URL bar domain
do not give you the benefit you might intend. Or am I missing here a
scenario where FPI indeed improves security as you claimed?

Georg
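Added illustration of the permission model the thread argues about (global slider level plus per-site *unblocking* scoped to the URL bar domain); this is my own sketch, not Tor Browser or NoScript code, and the level names, the `fpi` switch and the domain-only blocking rule are simplifying assumptions:

```python
from dataclasses import dataclass, field

def blocked_by_default(level, first_party, third_party):
    """Default decision for an active-content load at a global level.
    Levels are a simplified stand-in for the slider (assumed, not Tor Browser's)."""
    if level == "low":
        return False                       # everything runs by default
    if level == "medium":
        return third_party != first_party  # only cross-site loads blocked
    if level == "high":
        return True                        # all active content blocked
    raise ValueError(f"unknown level {level!r}")

@dataclass
class SecurityPolicy:
    level: str
    fpi: bool = True                        # scope unblocks to the URL bar domain?
    exceptions: set = field(default_factory=set)

    def _key(self, first_party, third_party):
        # With FPI an exception is the pair (first_party, third_party); without
        # it, unblocking thirdparty.com once unblocks it under every site.
        return (first_party, third_party) if self.fpi else third_party

    def unblock(self, first_party, third_party):
        """Per-site downgrade, the only kind of exception in this model.
        There is deliberately no per-site block(): at Low nothing is blocked,
        so a per-site 'upgrade' would arrive after the content already ran."""
        self.exceptions.add(self._key(first_party, third_party))

    def is_blocked(self, first_party, third_party):
        if not blocked_by_default(self.level, first_party, third_party):
            return False                    # nothing to unblock at this level
        return self._key(first_party, third_party) not in self.exceptions

if __name__ == "__main__":
    # Constructed scenario from the thread: unblock thirdparty.com under A.com.
    policy = SecurityPolicy("medium")
    policy.unblock("a.com", "thirdparty.com")
    print("under a.com:", policy.is_blocked("a.com", "thirdparty.com"))  # False
    print("under b.com:", policy.is_blocked("b.com", "thirdparty.com"))  # True
```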
