[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #30388 [Applications/Tor Browser]: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)
#30388: NoScript and all user-installed add-ons got deactivated! (armagadd-on-2.0)
-------------------------------------------------+-------------------------
Reporter: cypherpunks | Owner: tbb-
| team
Type: task | Status:
| needs_review
Priority: Immediate | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Blocker | Resolution:
Keywords: AffectsTails, TorBrowserTeam201905R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by cypherpunks):
With apologies for the bugspam when devs are trying to ship an emergency
fix - users really need a better workaround than disabling signature
checks on add-ons, but also not to fall for security confusion!
Replying to [comment:34 doomeinow]:
> While toggling JavaScript to false with about:config disables
JavaScript, things like HTML5 are still enabled, which means things like
processor "speculative execution" vulnerabilities still exist (Meltdown,
Foreshadow, Spectre).
IIUC, all known speculative execution vulnerabilities require JavaScript.
Perhaps you may be confused because JavaScript is loosely included in the
marketspeak branding-term "HTML5".
Anyway, as its name suggests, what NoScript does is mostly to disable or
filter JavaScript. Setting `javascript.enabled` to `false` should provide
a strict superset of the same functionality, ''except that'' (as I noted
above) NoScript may also disable some other potentially high-risk features
such as web fonts or audio/video media. Disabling JavaScript will indeed
disable all the worst attack surfaces; anything else seems comparatively
lower risk, in my opinion. In today's browsers, even HTML/CSS are not
risk-free.
I think that raising the Security Slider disables ''some'' dangerous
features by directly changing the config, but I am not sure; on the other
hand, I think that it does rely on NoScript to disable fonts and media
(again, not sure).
Information from Tor Browser developers would be helpful.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30388#comment:36>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs