[tbb-dev] Proposal for redesigning the security controls

Matthew Finkel matthew.finkel at gmail.com
Fri Feb 9 02:09:55 UTC 2018


On Thu, Feb 08, 2018 at 04:32:40PM -0800, Arthur D. Edelstein wrote:
> On Thu, Feb 8, 2018 at 3:08 PM, Arthur D. Edelstein
> <arthuredelstein at gmail.com> wrote:
> 
> > In general, login status can affect exploit risk significantly, so
> > allowing blocking decisions to leak between login and non-login sites
> > appears to be a security issue. If we modify NoScript to respect FPI,
> > then that problem is averted.
> 
> Another variant might be: a government wants to deliver an exploit to
> everyone anonymously visiting a particular (first-party) site, say
> embarrassing-government-secrets.com. They again force a popular CDN
> provider, such as ajax.googleapis.com, to provide the exploit via a
> third-party script for that site specifically. Again, High Security
> users who have already unblocked that CDN under another,
> non-controversial first party such as stackoverflow.com are vulnerable
> in the absence of FPI. So that's an example where the risk of
> unblocking a third-party script depends on the trust a user has in the
> first-party domain.

Although this seems reasonable, I think the web is a lot more
complicated than we like, and it is actually terribly difficult to
reason about.

There was some research conducted[0] in this area recently, here's a
quote[1]:

  Most of the ad tech / analytics industry is premised on keeping not
  just users but also website operators in the dark about privacy
  violations. The effort required by website operators to fully audit
  third parties would negate much of the benefit of offloading tasks to
  them.

[0] https://freedom-to-tinker.com/2018/01/12/website-operators-are-in-the-dark-about-privacy-violations-by-third-party-scripts/
[1] https://twitter.com/random_walker/status/951832450468057088

That followed a short anecdote[2] related to sites including a
third-party script that provided "session replay" records of a user's
activity when they visit a webpage.

So the premise that third-parties are trusted differently in different
contexts is not easily measurable. I do find the argument you made more
persuasive when a user identifies themselves (through login or some other
method), but it seems like Tor Browser will not always fully protect
its user, no matter what isolation is implemented because the web of
third-party-includes is such a tangled mess. Most likely the only safe
way to use sites at different security levels is through separating the
connections by using New Identity, as you mentioned earlier.


[2]
  Worse, in many cases the publisher has no direct relationship with the
  offending third-party script. In Part 2 of our study we examined two
  third-party scripts which exploit a vulnerability in browsers’ built-in
  password managers to exfiltrate user identities. One web developer was
  unable to determine how the script was loaded and asked us for help. We
  pointed out that their site loaded an ad network (media-clic.com), which
  in turn loaded “themoneytizer.com”, which finally loaded the offending
  script from Audience Insights. These chains of redirects are ubiquitous
  on the web, and might involve half a dozen third parties. On some
  websites the majority of third parties have no direct relationship with
  the publisher.
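The thread above argues two points: that a script-unblock decision keyed only by the third-party host leaks between first parties (the CDN scenario), and that third-party includes arrive through chains the publisher never sees. The toy model below, added here as an illustration and not code from NoScript, Tor Browser or the cited study, shows both. It keys permissions either globally or by (first party, script host) pair, and walks an include chain so that a blocked hop stops everything it would have loaded. Host names come from the thread; `audience-insights.example` is a placeholder for the unnamed Audience Insights host, and hostnames stand in for the eTLD+1 "site" a real FPI implementation would use.

```python
"""Toy model of per-host script permissions with and without first-party
isolation (FPI). Constructed example for discussion; not NoScript or
Tor Browser code."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ScriptPolicy:
    """Records which third-party script hosts the user has unblocked.

    isolate_first_party=False models a single allow-list keyed only by the
    script host, so an unblock made anywhere applies everywhere.
    isolate_first_party=True keys each decision by the (first-party site,
    script host) pair, so an unblock never carries over to another site.
    Hostnames are used in place of eTLD+1 for simplicity (assumption).
    """
    isolate_first_party: bool
    _global_allow: Set[str] = field(default_factory=set)
    _fpi_allow: Set[Tuple[str, str]] = field(default_factory=set)

    def unblock(self, first_party: str, script_host: str) -> None:
        """The user clicks 'allow' for script_host while on first_party."""
        if self.isolate_first_party:
            self._fpi_allow.add((first_party, script_host))
        else:
            self._global_allow.add(script_host)

    def is_allowed(self, first_party: str, script_host: str) -> bool:
        """Would a script from script_host run on a page served by first_party?"""
        if self.isolate_first_party:
            return (first_party, script_host) in self._fpi_allow
        return script_host in self._global_allow

    def evaluate_chain(self, first_party: str, chain: List[str]) -> Dict[str, bool]:
        """Walk an include chain where each host loads the next.

        Once a hop is blocked, every later hop is also reported as blocked:
        the script that would have loaded it never executes.
        """
        result: Dict[str, bool] = {}
        blocked_upstream = False
        for host in chain:
            allowed = (not blocked_upstream) and self.is_allowed(first_party, host)
            result[host] = allowed
            if not allowed:
                blocked_upstream = True
        return result


# Scenario from the thread: the CDN is unblocked on a benign site.
CDN = "ajax.googleapis.com"
TRUSTED_SITE = "stackoverflow.com"
SENSITIVE_SITE = "embarrassing-government-secrets.com"

# Include chain from the footnote; the last host is a constructed placeholder.
AD_CHAIN = ["media-clic.com", "themoneytizer.com", "audience-insights.example"]
PUBLISHER = "publisher.example"  # constructed


def cdn_leak_scenario(isolate: bool) -> bool:
    """Unblock the CDN under TRUSTED_SITE, then ask whether the same CDN
    script runs on SENSITIVE_SITE. True means the decision leaked."""
    policy = ScriptPolicy(isolate_first_party=isolate)
    policy.unblock(TRUSTED_SITE, CDN)
    return policy.is_allowed(SENSITIVE_SITE, CDN)


def ad_chain_scenario(isolate: bool) -> Dict[str, bool]:
    """The user unblocks only the ad network they can see on PUBLISHER;
    the rest of the chain is then never reached."""
    policy = ScriptPolicy(isolate_first_party=isolate)
    policy.unblock(PUBLISHER, AD_CHAIN[0])
    return policy.evaluate_chain(PUBLISHER, AD_CHAIN)


if __name__ == "__main__":
    print("CDN leaks without FPI:", cdn_leak_scenario(isolate=False))
    print("CDN leaks with FPI:   ", cdn_leak_scenario(isolate=True))
    print("Chain with FPI:       ", ad_chain_scenario(isolate=True))
```

The chain walk is the part worth noticing: a user who allows `media-clic.com` has, in practice, no way to know what it will load next, which is the measurement problem Matthew raises. Keying the allow decision by first party limits the blast radius of that uncertainty to one site, but does not remove it.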
