[tor-bugs] #5300 [Tor bundles/installation]: TBB shows SSL observatory popup
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Mon Mar 5 20:37:23 UTC 2012
#5300: TBB shows SSL observatory popup
--------------------------------------+-------------------------------------
Reporter: Sebastian | Owner: erinn
Type: defect | Status: new
Priority: major | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
Comment(by pde):
At the moment, HTTPS Everywhere 2.x is configured to show the popup once
to the user, but only if they have torbutton installed in their browser.
Hence the popup that TBB users are seeing. In version 3.x we are planning
to show the popup once to all of our users, regardless of torbutton's
presence, unless someone convinces us that's a bad idea.
If HTTPS E in TBB shouldn't do that, there are a couple of ways to achieve
it. One would be to set the about:config variable
"extensions.https_everywhere._observatory.popup_shown" to true. Another
would be to disable the code [https://gitweb.torproject.org/https-
everywhere.git/blob/HEAD:/src/components/https-everywhere.js#l493 in this
stanza].
Overall, I think that as a matter of individual user security (as opposed
to the general wellbeing of the Internet's crypto infrastructure, which is
a reason to show the popup, or PR with cautious Tor users, which is a
reason not to), you could consider leaving the popup there for TBB users.
It will actually warn them about a growing number of MITM attacks and weak
key problems. The design's privacy properties are quite strong when
TorButton is present.
mikeperry, what do you think?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5300#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list