[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #21323 [Applications/Tor Browser]: Activate mixed content blocking



#21323: Activate mixed content blocking
--------------------------------------+------------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_review
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeam201701R     |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+------------------------------
Changes (by arthuredelstein):

 * status:  needs_information => needs_review


Comment:

 Replying to [comment:2 gk]:
 > Replying to [ticket:21323 arthuredelstein]:
 > > I'm informed that HTTPS-Everywhere has likely disabled any rules that
 break with mixed content blocking for active content, as suggested in
 https://bugzilla.mozilla.org/show_bug.cgi?id=878890#c20.
 >
 > What does "likely" mean? And where can I find out more about that
 change?

 I think I misspoke here. But I've done some further investigation. I
 searched the HTTPS Everywhere codebase and found 1258/22080 rulesets (5%)
 contain `platform="mixedcontent"` attribute. These run only if active
 mixed content is allowed, as in Tor Browser.

 I had further discussions with legind and I think he makes a pretty good
 argument that we should be blocking active mixed content nonetheless:

 > I think for the sites that will have their rulesets disabled by flipping
 the "mixedcontent" bit, their security will be downgraded a little.  But
 their security is already compromised by the fact that active mixed
 content is being loaded on the page, which seems a huge downside.  And for
 sites that aren't included in HTTPS Everywhere, ensuring active mixed
 content is not loaded on the page is a big win

 Additionally, I think Tor Browser needs to be especially careful about
 this because of the potential for script injection by exit nodes.

 I created a demo page to test loading of mixed content in Tor Browser:
 https://arthuredelstein.github.io/tordemos/mixed-content.html
 Results are as follows:
 * Low Security: Script is loaded and run over http.
 * Medium Security: Script is not loaded (http scripts are blocked by
 NoScript).
 * High Security: Script is not loaded (all scripts are blocked by
 NoScript).

 When using High Security and visiting an https site, I often run into a
 page that is broken without scripts. In that case I will sometimes click
 on the NoScript button and select "Temporarily allow all this page",
 because it seems relatively safe on an https site. But note in this demo,
 doing that results in a script being loaded over http and running.

 So at the very least I think we should be blocking mixed active content at
 High Security, and my feeling is we should probably blocked mixed active
 content at all security levels.

 Potentially, we could also patch HTTPS Everywhere to add a pref that
 enables the `platform="mixedcontent"` rulesets even when active mixed
 content is being blocked. We could enable this pref at Medium and High
 Security for maximum protection.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21323#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs