Re: [tor-bugs] #30394 [Applications/Tor Browser]: NoScript disabled, fails open!
#30394: NoScript disabled, fails open!
--------------------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: reopened
Priority: Immediate | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by cypherpunks):
* status: closed => reopened
* resolution: duplicate =>
Comment:
Reopening as requested enhancement.
The current software is like an OS that opens all the TCP ports into a
root shell, if the kernel firewall fails to load. No exaggeration: The
browser runs executable code from untrusted network sites.
Tor Browser should start with `javascript.enabled` set to `false` by
default, and only set it to `true` upon successful load of NoScript.
Thanks to other cypherpunks, ticket:30394#comment:4
In the rare event of NoScript failure, it is better to have some users
complain "why did the web break?" than expose ''all'' users to risk
covered by a false sense of security.
== Steps to reproduce:
1. Have Mozilla break their PKI (''not hypothetical:'' it happened!)
2. Open Tor Browser
3. Set the "Security Slider" to "High"
4. Enjoy false sense of security while your browser runs arbitrary
executable code from any sites you surf, their ad servers, etc.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30394#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
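
The fail-open versus fail-closed behaviour argued over in this ticket, as an added example that is not part of the original message and is not Tor Browser or NoScript code. It is a toy model: `ScriptGate`, `onExtensionState`, `simulate` and the state strings are hypothetical names, and the event sequences are constructed.

```javascript
// Toy model of the proposal: javascript.enabled starts false and is only
// true while the script blocker is confirmed loaded. Hypothetical names throughout.
class ScriptGate {
  constructor(policy) {
    this.policy = policy; // "fail-open" or "fail-closed"
    // The pref's startup value is the core difference between the two designs.
    this.prefs = new Map([["javascript.enabled", policy === "fail-open"]]);
    this.blockerActive = false;
  }

  // Called on every blocker state change: at startup and later, for example
  // when signature verification starts failing and the add-on is disabled.
  onExtensionState(state) {
    this.blockerActive = state === "loaded";
    if (this.policy === "fail-closed") {
      // The script engine follows the blocker: no blocker, no scripts.
      this.prefs.set("javascript.enabled", this.blockerActive);
    }
    // fail-open: the pref is left alone, so losing the blocker is silent.
  }

  // With the slider at "High", does a script from an untrusted page execute?
  untrustedScriptRuns() {
    if (!this.prefs.get("javascript.enabled")) return false; // engine is off
    return !this.blockerActive; // engine on: only the blocker stands in the way
  }
}

// Replay a sequence of blocker states and record the exposure after each one.
function simulate(policy, events) {
  const gate = new ScriptGate(policy);
  return events.map((e) => {
    gate.onExtensionState(e);
    return gate.untrustedScriptRuns();
  });
}

// Constructed event sequences for the model.
const SCENARIOS = {
  normal: ["loaded"],
  neverLoads: ["load-error"],
  disabledLater: ["loaded", "signature-invalid"],
};

for (const policy of ["fail-open", "fail-closed"]) {
  for (const [name, events] of Object.entries(SCENARIOS)) {
    console.log(policy, name, simulate(policy, events));
  }
}
```

Under "fail-closed" every scenario ends with untrusted scripts blocked, at the cost of sites breaking when the blocker is missing; under "fail-open" the two failure scenarios end with scripts running.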