[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #10464 [Tor bundles/installation]: TBB3.5's NoScript allows addons.mozilla.org even when scripts are globally forbidden

Subject: Re: [tor-bugs] #10464 [Tor bundles/installation]: TBB3.5's NoScript allows addons.mozilla.org even when scripts are globally forbidden
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sun, 22 Dec 2013 07:46:54 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 22 Dec 2013 02:46:58 -0500
In-reply-to: <045.7f5b28b694f6227ec8b8e712972cfe51@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <045.7f5b28b694f6227ec8b8e712972cfe51@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#10464: TBB3.5's NoScript allows addons.mozilla.org even when scripts are globally
forbidden
------------------------------------------+-------------------
     Reporter:  torar                     |      Owner:  erinn
         Type:  defect                    |     Status:  new
     Priority:  major                     |  Milestone:
    Component:  Tor bundles/installation  |    Version:
   Resolution:                            |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |
------------------------------------------+-------------------

Comment (by arma):

 So the clear bug is that we whitelist http://a.m.o and we should totally
 fix that.

 The harder tradeoff apparently is that if we allow https://a.m.o then a
 bad guy who can get an ssl cert can still give you javascript. But if we
 *don't* allow https://a.m.o, then if the user installs a new addon,
 Firefox won't check its integrity at all.

 It seems to me that 'Forbid scripts globally' is crystal clear about what
 you've asked it to do.

 Is there a way to warn a user who has javascript disabled and tries to
 install a new addon?

 If the user goes to about:config and turns javascript off manually, does
 this mean they no longer check integrity of new addons? (For added
 excitement, the new addons are fetched via http, because that's just how
 Firefox works.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10464#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #10464 [Tor bundles/installation]: A security bug in NoScript in Tor Browser Bundle
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #10453 [Tor bundles/installation]: Mikeperry's TBB3.5 GPG signature is bad
Next by Author: Re: [tor-bugs] #10453 [Tor bundles/installation]: Mikeperry's TBB3.5 GPG signature is bad
Previous by thread: Re: [tor-bugs] #10464 [Tor bundles/installation]: TBB3.5's NoScript allows addons.mozilla.org even when scripts are globally forbidden
Next by thread: Re: [tor-bugs] #10464 [Tor bundles/installation]: TBB3.5's NoScript allows addons.mozilla.org even when scripts are globally forbidden
Index(es):
- Author
- Thread