[tor-bugs] #25879 [HTTPS Everywhere]: HTTPS Everywhere control panel is broken when JavaScript is turned off

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Apr 22 13:37:18 UTC 2018


#25879: HTTPS Everywhere control panel is broken when JavaScript is turned off
------------------------------+------------------------
 Reporter:  cypherpunks       |          Owner:  (none)
     Type:  defect            |         Status:  new
 Priority:  Medium            |      Milestone:
Component:  HTTPS Everywhere  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:  javascript        |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+------------------------

Comment (by cypherpunks):

 >> I have HTTPS Everywhere in my toolbar. I also have an old addon called
 JS Switch that turns off JavaScript at the about:config level, it's just a
 toggle for that config option.
 \\
 > Torbutton does the same.
 \\
 Sure. The Button makes for fewer steps. Most of the time I restrict all
 JavaScript.
 \\
 >> Whenever I've used it (or the about:config option directly) to turn off
 JavaScript, HTTPS Everywhere, Privacy Badger, and AdBlock Plus are all
 unable to display their toolbar menus properly or at all. In the case of
 HTTPS Everywhere and Privacy Badger, the menu balloon appears with a few
 words, but most of the words are missing and some of the toggles. The few
 toggles that remain are non functional.
 \\
 > That's a dangerous game you're doing, Privacy Badger and AdBlock Plus
 would make you easily fingerprintable? Also doesn't Privacy Badger record
 all the websites that you visited so that its algorithm works?
 \\
 Not relevant to the bug. Just to answer your question:

 ''This particular'' setup isn't meant to blend the fingerprint, and I'll
 repeat what many users have said over the years, that if TBB had its own
 blockers for ads, tracking, and cross-site requests we wouldn't have to
 install addons to do so. Resistance to the penetration forced by trackers,
 ads, and cross-site requests is every bit as important as anonymity for
 security, in many cases more so.

 If I was interested in blending in completely, I'd just allow my data to
 be collected like everyone else's. At that point the TBB becomes useful
 for only an extremely narrow use case, that being a totally average,
 exposed, and susceptible session which just happens to appear to be online
 at the same location as the exit node. In that mode the TBB is powerful
 pretty much only for very careful espionage and clandestine file transfer.
 Without a few key addons, it does not protect average daily traffic in any
 way other than to trivially (for modern forensics) complicate the trail.
 If I log in to my banking site, for instance, with JavaScript permissions
 active, there are easy ways to use it aside from IP to determine origin.

 Furthermore, Privacy Badger is made by EFF just like HTTPS Everywhere, and
 while they do different things, if I as a user can't expect two addons
 made by the same organization, who partners with the Tor project to the
 point that they share a bug tracker, then the whole system is broken and
 there isn't hope for anyway.

 TL;DR, please don't introduce irrelevant conversations to the report.
 \\
 >> Is this some new fallout from the move to WebExtensions?
 \\
 > Are you sure that you have the latest Tor Browser release? I can't
 reproduce this with Safest security setting in the Torbutton.
 \\
 Absolutely certain. All addons and the browser are latest. Also, please
 try turning off JavaScript in about:config just in case you're wrong
 somehow that they work the same.

 Poking into it further, I've realized that the most pronounced effect
 happens when the browser is restarted with JavaScript either on or off.
 Shutting off JavaScript, then restarting the browser, results in text
 balloons for HTTPS Everywhere and AdBlock Plus that are crippled for the
 duration of the session.

 Privacy Badger is actually less affected: after the restarted session, if
 JavaScript is toggled on again, it will function.

 Once JavaScript is turned back on, if the browser is restarted, on start
 every text balloon has functionality restored.

 All of these details are hopefully useful, but don't address **why**
 about:config JavaScript settings affect these addons at all, and the
 question stands whether the new WebExtension API is actually less secure
 than the old XUL in that it has some kind of tied requirements to
 JavaScript for sites :/

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25879#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

