[tor-bugs] #26529 [Applications/Tor Browser]: TBA - Notify user about possible proxy-bypass before opening external app

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Oct 19 20:39:51 UTC 2019


#26529: TBA - Notify user about possible proxy-bypass before opening external app
-------------------------------------------------+-------------------------
 Reporter:  sysrqb                               |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-mobile, tbb-torbutton, tbb-      |  Actual Points:
  proxy-bypass, TBA-a3, tbb-8.5, tbb-parity,     |
  TorBrowserTeam201910                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor8
-------------------------------------------------+-------------------------
Changes (by gk):

 * keywords:
     tbb-mobile, tbb-torbutton, tbb-proxy-bypass, TBA-a3, tbb-8.5, tbb-
     parity, TorBrowserTeam201910R
     =>
     tbb-mobile, tbb-torbutton, tbb-proxy-bypass, TBA-a3, tbb-8.5, tbb-
     parity, TorBrowserTeam201910
 * status:  needs_review => needs_information


Comment:

 Looks good to me. I've applied the patch to `tor-browser-68.2.0esr-9.5-1`
 (commit 6dc05e67cdbbb0a74f2c24387a3ea7443e08b57c).

 Two things I am unsure about:
 1)
 {{{
  * launches a file during private browsing. The dialog appears to notify
 the user that a clicked
  * link will open in an external application, potentially leaking their
 browsing history.
  */
 }}}
 That's not the same as explaining possible proxy bypass/anonymity losses.
 We spent quite some time trying to get the message right for desktop. Do
 we want to do that as well in this case?

 2) Are we confident we have caught all possible issues here? There seems
 to be a variety of potentially problematic code paths.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26529#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list