[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #9454 [TorBrowserButton]: Torbrowser shouldn't load any plugins if user didn't changed security settings

To: undisclosed-recipients:;
Subject: Re: [tor-bugs] #9454 [TorBrowserButton]: Torbrowser shouldn't load any plugins if user didn't changed security settings
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Thu, 15 Aug 2013 16:00:27 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 15 Aug 2013 12:00:41 -0400
In-reply-to: <051.7e4d7cfb4dd2bc673bd4f129d5c4db83@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <051.7e4d7cfb4dd2bc673bd4f129d5c4db83@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#9454: Torbrowser shouldn't load any plugins if user didn't changed security
settings
------------------------------+---------------------------------------------
 Reporter:  cypherpunks       |          Owner:  mikeperry
     Type:  defect            |         Status:  new      
 Priority:  normal            |      Milestone:           
Component:  TorBrowserButton  |        Version:           
 Keywords:                    |         Parent:           
   Points:                    |   Actualpoints:           
------------------------------+---------------------------------------------

Comment(by cypherpunks):

 Replying to [ticket:9454 cypherpunks]:
 > plugin was loaded to browser's address space already.

 It's not how a Gecko Plug-in works. https://developer.mozilla.org/en-
 US/docs/Gecko_Plugin_API_Reference/Plug-
 in_Basics#Understanding_the_Runtime_Model

 No any code loaded in to memory till it required, according this document.
 It's absolutely safe to enumerate any system-wide installed plug-ins as
 long as Torbutton disables plug-in with exist code. If any code can bypass
 Torbutton protections then it can bypass Torbutton entirely and do even
 worse things than it.

 The only concern may keep is monitoring of plug-in existence in add-ons
 list. But that is paranoia on a basis of insufficient information.

 I suggest to close this bug as wontfix or notabug.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9454#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #9454 [TorBrowserButton]: Torbrowser shouldn't load any plugins if user didn't changed security settings
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #9391 [Website]: PT TBBs out-of-date
Next by Author: Re: [tor-bugs] #4773 [Tor]: Implement Extended OR port (part of proposal 180)
Previous by thread: Re: [tor-bugs] #9454 [TorBrowserButton]: Torbrowser shouldn't load any plugins if user didn't changed security settings
Next by thread: Re: [tor-bugs] #9454 [TorBrowserButton]: The nsIPluginTag Interface was changed, Torbutton is broken for next Firefox ESR (was: Torbrowser shouldn't load any plugins if user didn't changed security settings)
Index(es):
- Author
- Thread