[tor-bugs] #9387 [Tor Launcher]: Tor Launcher/Torbutton should provide a "Security Slider"

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Aug 5 08:05:30 UTC 2013 

#9387: Tor Launcher/Torbutton should provide a "Security Slider"
-----------------------------------------------------+----------------------
 Reporter:  mikeperry                                |          Owner:  brade
     Type:  enhancement                              |         Status:  new  
 Priority:  major                                    |      Milestone:       
Component:  Tor Launcher                             |        Version:       
 Keywords:  tbb-usability, tbb-linkability, tbb-3.0  |         Parent:       
   Points:                                           |   Actualpoints:       
-----------------------------------------------------+----------------------

Comment(by mikeperry):

 Replying to [comment:3 arma]:
 > Replying to [ticket:9387 mikeperry]:
 > >  - Position 0: Current TBB defaults (Most usable)
 > >  - Position 1: Javascript is disabled for all non-https URLS
 >
 > If I'm worried about js as an attack vector, my worries aren't really
 resolved by the website I'm going to getting an ssl cert from somewhere.
 It helps with an attacker in the middle injecting js into http, sure, but
 it doesn't help with similar cases like an attacker modifying http to make
 me fetch some other resource over https and then run its javascript.
 >
 > Are you imagining this as a usability improvement, rather than a
 security thing? Or is there some further trick where we actually only run
 js from an https website when it's the url in our url bar?

 Yes, long-term I want to do the "only load scripts if the url bar is
 https" version of this, but it requires use of APIs we wrote that not yet
 available to NoScript in stock Firefox.

 Shorter term, I still think it's an improvement because it creates an
 additional audit trail of sorts for people who are attacking users.

 > >  - Position 2: HTML5 media and fonts click-to-play/disabled
 >
 > If we can get the interface on this one right, it shouldn't be too much
 of a usability impact, yes? If so I agree that we can/should do it on the
 'more commonly chosen' end of the spectrum.
 >
 > (What is a font click-to-play?)

 "WebFonts" (fonts provided by the web server) will be blocked by NoScript,
 and it will tell you so in its icon so you can enable them.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9387#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list