[tbb-dev] Proposal for redesigning the security controls

Arthur D. Edelstein arthuredelstein at gmail.com
Thu Feb 8 23:08:50 UTC 2018

On Thu, Feb 8, 2018 at 2:09 PM, Arthur D. Edelstein
<arthuredelstein at gmail.com> wrote:
> On Thu, Feb 8, 2018 at 12:48 PM Georg Koppen <gk at torproject.org> wrote:
>> Wait, I've never said that FPI makes security *worse*. I was arguing
>> against your point that we need FPI in NoScript because that *improves*
>> security:
> Oh — I’m sorry — that’s my mistake to have mentioned security there. I’m not
> sure now why I said that. I actually think FPI is neutral with respect to
> security, but an important feature for privacy. Apologies.

On further pondering, I can think of one use case where FPI can help
with security.

Suppose I am using High Security, and I anonymously visit Stack
Overflow. The pages on stackoverflow.com use a copy of jquery.min.js
hosted by ajax.googleapis.com, so I decide to unblock that third-party
script so the Stack Overflow site works smoothly.

Now suppose, later, I want to log into gmail.com. I fear my government
is targeting me, and will instruct Google to serve me an exploit as
soon as I am identified by my username. So I decide to leave all
scripts disabled on Gmail, as is the default for High Security. But
because I previously unblocked ajax.googleapis.com under another first
party, I am nonetheless currently exposed to a targeted exploit served
by a third-party script from that domain.

In general, login status can affect exploit risk significantly, so
allowing blocking decisions to leak between login and non-login sites
appears to be a security issue. If we modify NoScript to respect FPI,
then that problem is averted.
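To make the scoping point concrete, here is an added model (example code, not from NoScript, Tor Browser or the thread) of two ways a per-site script exception can be stored. One keys the exception on the third-party script origin alone; the other keys it on the (first party, script origin) pair, the way first-party isolation partitions other browser state. Replaying the Stack Overflow / Gmail scenario above against both shows the decision leaking only in the first. The `unblock`/`allowed` API and the treatment of hostnames as opaque strings (no registrable-domain normalization) are assumptions made for this example.

```python
"""Model of High Security script blocking with and without first-party
isolation (FPI).  Added example; not NoScript or Tor Browser code.

* ThirdPartyKeyedPolicy: an "unblock" is keyed on the script origin only,
  so an exception granted under one first party applies everywhere.
* FpiKeyedPolicy: an "unblock" is keyed on (first party, script origin),
  so the exception is confined to the site where it was granted.
"""

from dataclasses import dataclass, field


@dataclass
class ThirdPartyKeyedPolicy:
    """Default is block-everything; only explicitly unblocked script
    origins load.  The first party is ignored when storing the exception."""
    unblocked: set = field(default_factory=set)

    def unblock(self, first_party: str, script_origin: str) -> None:
        # first_party is accepted but discarded: this is where the leak comes from.
        self.unblocked.add(script_origin)

    def allowed(self, first_party: str, script_origin: str) -> bool:
        return script_origin in self.unblocked


@dataclass
class FpiKeyedPolicy:
    """Same block-everything default, but the exception is keyed on the
    (first party, script origin) pair, as FPI would partition it."""
    unblocked: set = field(default_factory=set)

    def unblock(self, first_party: str, script_origin: str) -> None:
        self.unblocked.add((first_party, script_origin))

    def allowed(self, first_party: str, script_origin: str) -> bool:
        return (first_party, script_origin) in self.unblocked


def run_scenario(policy) -> dict:
    """Replay the thread's scenario: unblock the jQuery CDN while on Stack
    Overflow, then visit Gmail without changing anything there.  Returns,
    per first party, which requested script origins would be allowed."""
    # Constructed page loads, using only the hostnames named in the thread.
    page_scripts = {
        "stackoverflow.com": ["stackoverflow.com", "ajax.googleapis.com"],
        "gmail.com": ["gmail.com", "ajax.googleapis.com"],
    }

    # Step 1: user unblocks the third-party CDN under the Stack Overflow first party.
    policy.unblock("stackoverflow.com", "ajax.googleapis.com")

    # Step 2: user later loads Gmail, leaving all scripts blocked there.
    return {
        first_party: {origin: policy.allowed(first_party, origin) for origin in origins}
        for first_party, origins in page_scripts.items()
    }


def leaks_across_first_parties(policy) -> bool:
    """True if the exception granted on Stack Overflow is also honoured on
    Gmail, i.e. a blocking decision leaked between first parties."""
    return run_scenario(policy)["gmail.com"]["ajax.googleapis.com"]


if __name__ == "__main__":
    for cls in (ThirdPartyKeyedPolicy, FpiKeyedPolicy):
        print(cls.__name__, run_scenario(cls()))
        print("  leaks across first parties:", leaks_across_first_parties(cls()))
```

With the origin-only store, `ajax.googleapis.com` loads on gmail.com even though the user never touched the Gmail permissions; with the FPI-keyed store it stays blocked there while still loading on stackoverflow.com, which is the behaviour the post argues for.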

