[tor-bugs] #21323 [Applications/Tor Browser]: Activate mixed content blocking
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 26 14:33:53 UTC 2017
#21323: Activate mixed content blocking
Reporter: arthuredelstein
Owner: tbb-team
Type: defect
Status: needs_information
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Resolution:
Keywords: TorBrowserTeam201705R, GeorgKoppen201705
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:
Changes (by gk):
* cc: legind (added)
* status: needs_review => needs_information
Comment:
Replying to [comment:7 arthuredelstein]:
> Replying to [comment:2 gk]:
> > Replying to [ticket:21323 arthuredelstein]:
> > > I'm informed that HTTPS-Everywhere has likely disabled any rules that break with mixed content blocking for active content, as suggested in https://bugzilla.mozilla.org/show_bug.cgi?id=878890#c20.
> >
> > What does "likely" mean? And where can I find out more about that change?
>
> I think I misspoke here. But I've done some further investigation. I searched the HTTPS Everywhere codebase and found 1258/22080 rulesets (5%) contain a `platform="mixedcontent"` attribute. These run only if active mixed content is allowed, as in Tor Browser.
>
> I had further discussions with legind and I think he makes a pretty good argument that we should be blocking active mixed content nonetheless:
>
> > I think for the sites that will have their rulesets disabled by flipping the "mixedcontent" bit, their security will be downgraded a little. But their security is already compromised by the fact that active mixed content is being loaded on the page, which seems a huge downside.
I don't understand that: those 5-6% of sites not being redirected to HTTPS because the Mixed Content Blocker kicks in means that users are staying effectively on HTTP pages with all the side effects. Not sure what "downgraded a little" means in this context. But why is their security already compromised with HTTPS-Everywhere redirecting *everything* to HTTPS? The problem here is that the MCB is interfering too early and basically denying the load, not knowing that it would not get delivered as an HTTP request but an HTTPS one due to HTTPS-Everywhere rewriting it. Thus, there is no security compromise for those 5-6% of sites in Tor Browser, as there is no active mixed content loaded in the first place.
> > And for sites that aren't included in HTTPS Everywhere, ensuring active mixed content is not loaded on the page is a big win
In what regard? JS loaded over HTTPS can easily redirect to JS loaded over HTTP and Firefox will happily execute it, as the MCB does *not* kick in in that case. And that's just one of the problems.
We had this discussion already 4 years ago, see #9196. So my question would be: what has changed meanwhile so that we should revisit our decision, which Mike summarized in comment:5:ticket:9196:
{{{
Given that our only choices seem to be "disable a ton more rules than we
should", "seriously degrade the user experience of HTTPS-Everywhere
users", and "disable mixed content until it can be done right", I think
the least invasive choice is the third one.
}}}
FWIW: I think what we (or better Mozilla) really should do is fix the underlying issue (a.k.a. https://bugzilla.mozilla.org/show_bug.cgi?id=878890 or #13033), which would avoid the need for us to pick the least bad option out of suboptimal ones.
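The check arthuredelstein describes above (how many rulesets carry `platform="mixedcontent"`, and therefore which target hosts would stop being rewritten to HTTPS once active mixed content blocking is on) can be reproduced with the following added example; it is not code from the ticket or from HTTPS Everywhere itself. The sample rulesets are constructed, and a caller auditing the real repository would feed it the `<ruleset>` elements from each rule file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in HTTPS Everywhere's ruleset XML format; these are
# not real rulesets from the project, only the attributes the audit needs.
SAMPLE_RULESETS = """
<rulesets>
  <ruleset name="Plain Example">
    <target host="plain.example" />
    <target host="www.plain.example" />
    <rule from="^http:" to="https:" />
  </ruleset>
  <ruleset name="Mixed Example" platform="mixedcontent">
    <target host="mixed.example" />
    <rule from="^http:" to="https:" />
  </ruleset>
  <ruleset name="Disabled Example" default_off="breaks site">
    <target host="off.example" />
    <rule from="^http:" to="https:" />
  </ruleset>
</rulesets>
"""


def audit_rulesets(xml_text):
    """Count rulesets by how they behave when active mixed content is blocked.

    Returns (total, mixedcontent_count, hosts_losing_https): the hosts listed
    are targets whose every shipped-enabled ruleset is tagged
    platform="mixedcontent", so with the MCB active they would no longer be
    redirected to HTTPS and would stay on plain HTTP.
    """
    root = ET.fromstring(xml_text)
    total = 0
    mixed = 0
    host_platforms = {}  # host -> set of platform tags of enabled rulesets
    for rs in root.findall("ruleset"):
        total += 1
        platform = rs.get("platform")
        if platform == "mixedcontent":
            mixed += 1
        if rs.get("default_off") is not None:
            continue  # shipped disabled: never rewrites, whatever the MCB does
        for target in rs.findall("target"):
            host_platforms.setdefault(target.get("host"), set()).add(platform)
    losing = sorted(h for h, p in host_platforms.items() if p == {"mixedcontent"})
    return total, mixed, losing
```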
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21323#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online