[tor-bugs] #21418 [- Select a component]: New Tor Browser http response header, for high security websites

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 8 18:07:24 UTC 2017


#21418: New Tor Browser http response header, for high security websites
--------------------------------------+-----------------
     Reporter:  micahlee              |      Owner:
         Type:  defect                |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+-----------------
 When someone uses Tor Browser to load a SecureDrop website, if javascript
 is enabled, it recommends that they disable it. But at the moment, there
 are some big UX problems with how it's done: It's a big scary red warning
 that's displayed to nearly all users, and the instructions are out-of-date
 (they tell you to disable JS using NoScript instead of the Tor Browser
 security settings slider). Overall, it's scary and confusing, and tells
 _everyone_ to jump through hoops.

 Here's some of the discussion about this on the SecureDrop issue tracker:
 https://github.com/freedomofpress/securedrop/issues/1566

 The rationale behind telling users to disable javascript is because the
 SecureDrop server itself is part of the threat model. If someone
 successfully hacks a SecureDrop server, they can then serve Tor Browser
 exploits to all of its users to deanonymize them (similar to the Freedom
 Hosting attack), and high security mode reduces this attack surface a lot.

 I'd like to propose a new custom http response header that Tor Browser
 watches for: `X-Tor-High-Security: 1`. If you load a website with this
 header set, no matter what the Tor Browser security slider is currently
 set to, it should treat that tab as if the slider were set to high.

 This would also be very useful for anyone running websites where they
 include themselves in the threat model, such as Tor-based email providers.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21418>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
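The following is an added illustration, not code from Tor Browser, SecureDrop or the ticket's author, of how a browser-side check for the proposed header could be structured. The header name `X-Tor-High-Security` is the ticket's proposal; the parser, the three slider levels and the policy functions are assumptions made here for the example. The design point it demonstrates is the one that matters for the threat model in the ticket: a header sent by a possibly compromised server must only ever be able to raise the tab's security level, never lower it, and any value other than the exact `1` is ignored rather than interpreted.

```python
"""Added example: per-tab security level derived from a proposed HTTP
response header (hypothetical; not Tor Browser code)."""

from typing import Dict, List, Tuple

# Slider positions ordered from least to most restrictive (assumed names).
LEVELS = ("low", "medium", "high")

# Proposed header from the ticket, folded to lower case for lookups.
HINT_HEADER = "x-tor-high-security"


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Parse the head of a raw HTTP/1.x response into (status, headers).

    Header names are lower-cased so lookups are case-insensitive, and
    repeated headers are kept as a list rather than overwritten.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("malformed status line: %r" % lines[0])
    status = int(parts[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def requests_high_security(headers: Dict[str, List[str]]) -> bool:
    """True only if the response carries the header with the exact value 1.

    Any other value is ignored: a server-controlled string must not be able
    to select an arbitrary level, so the header is a boolean hint only.
    """
    return any(v == "1" for v in headers.get(HINT_HEADER, []))


def effective_level(slider_level: str, headers: Dict[str, List[str]]) -> str:
    """Level to apply to the tab: the header can raise it, never lower it."""
    if slider_level not in LEVELS:
        raise ValueError("unknown slider level: %r" % slider_level)
    if requests_high_security(headers):
        return "high"
    return slider_level


# Constructed sample responses (not captured from any real site).
SAMPLE_HINTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Tor-High-Security: 1\r\n"
    b"\r\n"
    b"<html>...</html>"
)
SAMPLE_PLAIN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)
SAMPLE_BAD_VALUE = (
    b"HTTP/1.1 200 OK\r\n"
    b"x-tor-high-security: low\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for label, raw in (("hinted", SAMPLE_HINTED), ("plain", SAMPLE_PLAIN),
                       ("bad value", SAMPLE_BAD_VALUE)):
        _status, hdrs = parse_response(raw)
        print(label, "->", effective_level("medium", hdrs))
```

Run as a script it prints the level chosen for each constructed response with the slider on "medium"; the hinted response is promoted to "high", the plain one stays at "medium", and the response carrying a non-`1` value is treated as if the header were absent.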