[tor-bugs] #30413 [Applications/Tor Browser]: Notification Bar to warn about

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 6 17:49:49 UTC 2019


#30413: Notification Bar to warn about
-------------------------+------------------------------------------
 Reporter:  flowerpt     |          Owner:  tbb-team
     Type:  enhancement  |         Status:  new
 Priority:  Medium       |      Component:  Applications/Tor Browser
  Version:               |       Severity:  Normal
 Keywords:               |  Actual Points:
Parent ID:  #30388       |         Points:
 Reviewer:               |        Sponsor:
-------------------------+------------------------------------------
 Please warn with a notification bar if xpinstall.signatures.required is
 set to false.

 This setting was recommended by the blog for users affected by #30388.
 Such users are somewhat likely to forget to toggle it back to true, which
 could be a potential attack vector.

 Quoted from comment 43 there:

 > > Since the blog asked people to "Please remember to" re-enable
 > > security, and that's the kind of thing which is the bane of security
 > > when it comes to ordinary users, can a subsequent release please force
 > > this back to 'false' and alert the user if the flip is made?
 > >
 > > It's better to have people need to toggle it again than to leave
 > > people unintentionally unguarded. I realize both options are
 > > sub-optimal, but "fail safe" is better than "fail dangerous". Without
 > > such a change, it's very likely that some users will go on forever set
 > > to not validate addons - the typical user pattern is "fix it and forget
 > > it".
 > >
 > Replying to flowerpt:
 >
 > I don't think we can do that as our decisions don't overwrite user
 > prefs. We could think about showing a notification bar, though,
 > reminding the users of that problem and allow them to flip the pref back
 > easily that way.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30413>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
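
An added example, not part of the original ticket and not Tor Browser code: a Python check that reads a profile's prefs.js and user.js and reports whether the user has set xpinstall.signatures.required to false. The function names and the sample file contents are constructed for illustration, and the profile path is supplied by the caller.

```python
import re
from pathlib import Path

PREF = "xpinstall.signatures.required"
# Matches one line of prefs.js / user.js: user_pref("name", value);
# Lines commented out with // do not match because of the ^ anchor.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(text, name=PREF):
    """Return the last value assigned to `name` in a prefs file, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)
    return value

def signature_check_disabled(prefs_js="", user_js=""):
    """True when the effective user value of the pref is false.

    user.js is applied on every start and overrides prefs.js, so it wins
    when it sets the pref. No user value means the built-in default (true).
    """
    value = read_pref(user_js)
    if value is None:
        value = read_pref(prefs_js)
    return value == "false"

def audit_profile(profile_dir):
    """Check a profile directory (path supplied by the caller)."""
    def load(name):
        p = Path(profile_dir) / name
        return p.read_text(encoding="utf-8", errors="replace") if p.is_file() else ""
    return signature_check_disabled(load("prefs.js"), load("user.js"))

# Constructed sample contents, not taken from a real profile.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 0);
user_pref("xpinstall.signatures.required", false);
'''
SAMPLE_USER_JS = 'user_pref("xpinstall.signatures.required", true);\n'

if __name__ == "__main__":
    print(signature_check_disabled(SAMPLE_PREFS))                  # True
    print(signature_check_disabled(SAMPLE_PREFS, SAMPLE_USER_JS))  # False
```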

