Re: [tor-bugs] #28174 [Applications/Tor Browser]: Block non-.onion subresources on .onion websites?
#28174: Block non-.onion subresources on .onion websites?
--------------------------------------+--------------------------
Reporter: arthuredelstein | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by tom):
Replying to [comment:2 gk]:
> If I understand it right then what you want is to defend against the
> *privacy* risks Arthur outlined by using the *security* slider. If that's
> the case then I am not convinced by that idea yet as we don't want to mix
> security and privacy related settings in the slider.
Nooo, I keep the delineation in mind. I said "when the security slider is
at High, perform Full blocking" specifically for security reasons.
An attacker wants to compromise a user who visits foo.onion. foo.onion
includes an image from example.com. (HTTP or HTTPS, doesn't matter.)
Instead of compromising foo.onion, the attacker compromises either
example.com or the connection from the exit node to example.com and serves
an exploit on a passive piece of content (like an image).
Performing full blocking removes this attack surface.
Now you said
> We block *features* based on code execution vulnerabilities in the past,
> not based on transport
I hadn't heard the bit about transport before. Perhaps you disagree with
me based on that. But I'm confused then: At Medium, why is JS disabled on
HTTP sites? Isn't that blocking a feature based on transport?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28174#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
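The "Full blocking" policy tom describes above, modelled as an added JavaScript example that is not part of the ticket or of Tor Browser's code: at security level High, a .onion page may only load .onion subresources, regardless of whether the clearnet resource is HTTP or HTTPS. The function and level names are assumptions, and the sample loads are constructed.

```javascript
// Added example (not Tor Browser code): model of the proposed "Full blocking"
// policy. Function names and the "High" level label are assumptions.

function isOnionHost(hostname) {
  // Matches "foo.onion" and subdomains such as "cdn.foo.onion".
  return hostname.toLowerCase().endsWith(".onion");
}

// Decide whether a single subresource load should be blocked.
// Returns a reason so a defender can log why a load was refused.
function evaluateSubresource(topLevelUrl, subresourceUrl, securityLevel) {
  const top = new URL(topLevelUrl);
  const sub = new URL(subresourceUrl);

  // Only the High level gets Full blocking; lower levels allow the load.
  if (securityLevel !== "High") {
    return { block: false, reason: "security level below High" };
  }
  // The policy applies only when the page itself is a .onion site.
  if (!isOnionHost(top.hostname)) {
    return { block: false, reason: "top-level document is not .onion" };
  }
  // Inline resources never leave the browser, so no exit node is involved.
  if (sub.protocol === "data:" || sub.protocol === "blob:") {
    return { block: false, reason: "inline resource, no network transport" };
  }
  // A .onion subresource stays inside the Tor network end to end.
  if (isOnionHost(sub.hostname)) {
    return { block: false, reason: "subresource is .onion" };
  }
  // HTTP or HTTPS makes no difference: either way the load exits Tor and
  // the server or the exit-to-server path could serve a malicious image.
  return { block: true, reason: "non-.onion subresource " + sub.hostname + " on .onion page" };
}

// Audit a constructed list of loads from one page and return what is blocked.
function auditLoads(topLevelUrl, subresourceUrls, securityLevel) {
  return subresourceUrls.filter(
    (u) => evaluateSubresource(topLevelUrl, u, securityLevel).block
  );
}

// Constructed sample: foo.onion embeds one .onion and two clearnet images.
const SAMPLE_LOADS = [
  "http://cdn.foo.onion/logo.png",
  "https://example.com/banner.png",
  "http://example.com/tracker.gif",
];
console.log(auditLoads("http://foo.onion/", SAMPLE_LOADS, "High"));
```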