[tor-bugs] #9387 [Tor Launcher]: Tor Launcher/Torbutton should provide a "Security Slider"

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Aug 5 06:27:12 UTC 2013


#9387: Tor Launcher/Torbutton should provide a "Security Slider"
-----------------------------------------------------+----------------------
 Reporter:  mikeperry                                |          Owner:  brade
     Type:  enhancement                              |         Status:  new  
 Priority:  major                                    |      Milestone:       
Component:  Tor Launcher                             |        Version:       
 Keywords:  tbb-usability, tbb-linkability, tbb-3.0  |         Parent:       
   Points:                                           |   Actualpoints:       
-----------------------------------------------------+----------------------

Comment(by arma):

 Replying to [ticket:9387 mikeperry]:
 >  - Position 0: Current TBB defaults (Most usable)
 >  - Position 1: Javascript is disabled for all non-https URLS

 If I'm worried about js as an attack vector, my worries aren't really
 resolved by the website I'm going to getting an ssl cert from somewhere.
 It helps with an attacker in the middle injecting js into http, sure, but
 it doesn't help with similar cases like an attacker modifying http to make
 me fetch some other resource over https and then run its javascript.

 Are you imagining this as a usability improvement, rather than a security
 thing? Or is there some further trick where we actually only run js from
 an https website when it's the url in our url bar?

 >  - Position 2: HTML5 media and fonts click-to-play/disabled

 If we can get the interface on this one right, it shouldn't be too much of
 a usability impact, yes? If so I agree that we can/should do it on the
 'more commonly chosen' end of the spectrum.

 (What is a font click-to-play?)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9387#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list