Re: [tor-bugs] #7085 [Tor bundles/installation]: Integrate Cryptocat Browser Extension into Tor Browser Bundle
#7085: Integrate Cryptocat Browser Extension into Tor Browser Bundle
--------------------------------------+-------------------------------------
Reporter: kaepora | Owner: erinn
Type: enhancement | Status: new
Priority: normal | Milestone: TorBrowserBundle 2.2.x-stable
Component: Tor bundles/installation | Version: Tor: unspecified
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
Comment (by mikeperry):
Unfortunately, putting Cryptocat into the default TBB is not zero
cost/zero risk. Here's a list of things that would make me feel better
about the decision.
First and foremost, I'd want to be absolutely sure that it didn't
potentially expose even users who didn't use it to XUL XSS bugs or other
vulnerabilities. Related: I'd want to be sure the UI didn't confuse or
distract users who didn't know what it was for.
Second, I am very concerned that there were XUL XSS bugs in the chat
windows. To me, that's a bad sign. Ideally, I'd like to see something on
your side (i.e. a tag in your bugtracker or some other document you wrote)
that enumerates the patches that resulted from your first audit.
Third, while it does look like the audit was extremely thorough, I think
I'd prefer a second one for this reason. XUL XSS is quite serious, and
since you're writing a network-facing app with lots of user- and network-
provided content, it's critical that your code receives lots of this type
of review. I also want to feel sure you understand the issues and
vulnerability vectors here, so I can be confident they won't reappear in
future versions as you add features.
Fourth, I guess I am mildly concerned about the crypto security. I don't
believe it's impossible to do crypto with JS, but I would prefer it if the
underlying primitive implementations also had a chance for review,
especially since our inclusion of this addon would probably be seen as
endorsement of its crypto and security by many.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7085#comment:26>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online