Re: [tor-bugs] #28174 [Applications/Tor Browser]: Block non-.onion subresources on .onion websites?
#28174: Block non-.onion subresources on .onion websites?
--------------------------------------+--------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Comment (by tom):
I think there are two constituents here: the onion server, and the Browser
user.

Our primary goal should be to serve the browser user.

Where it's easy and simple, we can serve the onion server. But these
suggestions are not comprehensive, and Tor Browser will never be a
comprehensive onion audit tool. I would instead advocate for improving the
tool onionscan https://onionscan.org/ where it is possible (although that
also cannot be comprehensive...)

Focusing on the browser user, I think it's fair to treat any non-onion
resource as Mixed Content on an onion, regardless of HTTP/HTTPS status.

There are three levels of Mixed Content Blocking:
- None
- Active (blocks scripts, allows images)
- Full (blocks scripts and images)

There's also the security slider. I would suggest that when the security
slider is at High, we perform Full blocking. It provides a smaller attack
surface for the browser user.

When the slider is not at High, I would advocate for either Active or Full
Blocking. Probably Active.

* I personally would ignore the situation of an HTTPS onion including from
an HTTP onion and give this no special treatment (that is to say it's fine,
and it loads fine.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28174#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
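
The policy proposed in the comment above, written out as a decision function. This is an added example, not Tor Browser code and not part of the original message. The function names, the slider strings ("high", "medium", "low"), the set of "active" content types, and the choice to leave non-network schemes such as data: alone are all assumptions made for illustration.

```javascript
// Hypothetical sketch of the proposed policy; not Tor Browser's implementation.

// Content types counted as "active" (able to script or restyle the page).
// Assumption: modelled on common mixed-content practice.
const ACTIVE_TYPES = new Set(["script", "stylesheet", "iframe", "xhr", "fetch", "object"]);

// Schemes that cause a network fetch; data:, blob:, about: are left alone (assumption).
const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

// True when the host is an onion service. Handles subdomains and a trailing dot.
function isOnionHost(parsedUrl) {
  const host = parsedUrl.hostname.toLowerCase().replace(/\.$/, "");
  return host.endsWith(".onion");
}

// Slider at High -> Full blocking; any other position -> Active blocking.
function blockingLevel(slider) {
  return slider === "high" ? "full" : "active";
}

// Decide whether a subresource requested by a page should be blocked.
function shouldBlock(pageUrl, resourceUrl, resourceType, slider) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page);        // resolve relative references
  if (!isOnionHost(page)) return false;          // policy applies to .onion pages only
  if (!NETWORK_SCHEMES.has(res.protocol)) return false;
  // Onion-to-onion loads get no special treatment, including an HTTPS onion
  // page loading from an HTTP onion.
  if (isOnionHost(res)) return false;
  // Any non-onion resource is mixed content, regardless of HTTP/HTTPS.
  if (blockingLevel(slider) === "full") return true;
  return ACTIVE_TYPES.has(resourceType);         // Active: scripts blocked, images allowed
}

// Constructed sample loads on a constructed onion page.
const samplePage = "https://exampleonion.onion/index.html";
console.log(shouldBlock(samplePage, "https://cdn.example.com/app.js", "script", "low"));
console.log(shouldBlock(samplePage, "https://cdn.example.com/logo.png", "image", "low"));
console.log(shouldBlock(samplePage, "https://cdn.example.com/logo.png", "image", "high"));
```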