[tor-bugs] #22089 [Applications/Tor Browser]: Add Decentraleyes to slighten off a bit Exit traffic and work around some CDNs blocking of Tor

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jan 12 17:52:34 UTC 2020


#22089: Add Decentraleyes to slighten off a bit Exit traffic and work around some
CDNs blocking of Tor
-------------------------------------------------+-------------------------
 Reporter:  imageverif                           |          Owner:  tbb-team
     Type:  enhancement                          |         Status:  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-usability-website, tbb-performance |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by cypherpunks):

 Replying to [comment:25 cypherpunks]:
 > Replying to [comment:22 gk]:
 > > I am not convinced yet this is worth the effort. comment:18 is a good
 > > start, we should think about expanding it. E.g. there are clear security
 > > downsides in the sense that a new extension added to Tor Browser means a
 > > new attack vector and we would need to spend a considerable amount of time
 > > to review the code every new release contains and as we want to get away
 > > from automatic extensions updates anyway we would start to monitor
 > > upstream libraries for security fixes to the locally shipped libraries.
 > > That could easily result in quite some effort from our side...
 > There's already a
 > [https://git.synz.io/Synzvato/decentraleyes/tree/master/audit script] that
 > does this automatically for you:
 >
 > > This audit script allows any user and extension reviewer to verify the
 > > integrity of the bundled resources. It automatically, and transparently,
 > > compares all bundled libraries to their original sources.
 > >
 > > https://git.synz.io/Synzvato/decentraleyes/tree/master/audit
 >
 > Running it once before every release doesn't sound too bad.

 Authenticity of bundled scripts is not the only security concern, I think.
 Bugs or features incompatible with Tor's objectives could be introduced in
 the extension, but that is true of Firefox also, and it is a much bigger
 beast, so I think it's not a good reason to not include Decentraleyes or
 a similar feature.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22089#comment:26>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
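
The pre-release integrity check discussed in this comment, as an added example (not part of the ticket and not the Decentraleyes audit script): it compares every bundled file with its upstream original and also flags files that have no upstream to compare against. The `upstream` mapping, the function names and the sample file names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def audit_bundle(bundle_dir, upstream):
    """Compare each file shipped under bundle_dir with its upstream original.
    `upstream` maps bundle-relative paths to original bytes (an in-memory
    stand-in, by assumption, for fetching each library from its source)."""
    root = Path(bundle_dir)
    report = {"ok": [], "modified": [], "unmapped": [], "missing": []}
    shipped = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        shipped.add(rel)
        if rel not in upstream:
            report["unmapped"].append(rel)  # nothing to compare against: not "ok"
        elif sha256(path.read_bytes()) == sha256(upstream[rel]):
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["missing"] = sorted(set(upstream) - shipped)  # expected, not shipped
    return report


def demo():
    # Constructed sample data: file names and contents are made up.
    upstream = {f"{n}/{n}.min.js": f"/* constructed upstream {n} */\n".encode()
                for n in ("lib-a", "lib-b", "lib-c")}
    bundled = {
        "lib-a/lib-a.min.js": upstream["lib-a/lib-a.min.js"],
        "lib-b/lib-b.min.js": upstream["lib-b/lib-b.min.js"] + b"/* edit */\n",
        "extra/helper.js": b"/* constructed file with no upstream */\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in bundled.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_bundle(tmp, upstream)


if __name__ == "__main__":
    print(demo())
```

A release gate built on this would fail on any non-empty `modified`, `unmapped` or `missing` list; a clean report only says the bytes match upstream, not that the extension's own code is sound.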

