Re: [tor-bugs] #7085 [Tor bundles/installation]: Integrate Cryptocat Browser Extension into Tor Browser Bundle
#7085: Integrate Cryptocat Browser Extension into Tor Browser Bundle
--------------------------------------+-------------------------------------
Reporter: kaepora | Owner: erinn
Type: enhancement | Status: new
Priority: normal | Milestone: TorBrowserBundle 2.2.x-stable
Component: Tor bundles/installation | Version: Tor: unspecified
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
Comment(by kaepora):
Replying to [comment:26 mikeperry]:
I should also say something about your opening paragraphs:
> Unfortunately, putting Cryptocat into the default TBB is not zero
> cost/zero risk. Here's a list of things that would make me feel better
> about the decision.
This is totally understood and agreed upon. I would really like to see
Cryptocat included in TBB because of the benefits and the opportunity to
deal with interesting problems, but I am also quite aware of the risk and I
plan to be very serious about addressing any issues or questions that may
crop up. I don't think this kind of technology moves forward unless we
push hard, but pushing hard comes with risk assessment and keeping both
eyes open, and I fully acknowledge that.
> First and foremost, I'd want to be absolutely sure that it didn't
> potentially expose even users who didn't use it to XUL XSS bugs or other
> vulnerabilities. Related. I'd want to be sure the UI didn't confuse or
> distract users who didn't know what it was for.
From an engineering perspective, I strongly do not believe that the plugin
can expose even users who don't use it to XSS bugs. This is because, unless
activated, the only code that the plugin loads is the toolbar button, the
addonbar button and the menu item. Clicking on any of these buttons
launches a new tab which loads an HTML page inside. Everything happens
inside that tab with no further interaction with Firefox internals except
for a one-time seeding of the CSPRNG (using nsslib hooks). From this
perspective, the plugin is very simple and it seems to me that it is very
difficult for it to cause problems for those that do not use it.
Concerning the issue of UI confusion, we've tried to make the purpose of
our plugin as clear and concise as possible
([http://i.imgur.com/1wmepA2.png screenshot]). I should also mention that
it's available in 32 languages.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7085#comment:28>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs