Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 For those interested, gk posted a proposal that seeks to change how
 security controls are shown to the user and that addresses per-site
 security settings: https://lists.torproject.org/pipermail/tbb-
 dev/2018-February/000756.html

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by arthuredelstein):

 Replying to [comment:22 tom]:
 > I haven't seen any comment about setting persistence, unless I've missed
 it.
 >
 > If you set custom settings for a domain, to persist those settings we'll
 have to record that you visited that domain, persist that to disk, and
 keep it there forever essentially. That's pretty horrible from a privacy
 perspective.

 You're right -- in terms of disk hygiene, that is very undesirable.

 > The alternative is just as bad from the user experience side. Every time
 you open tor Browser, you're going to have to reset your slider settings
 as you visit each of your frequently visited sites.

 Unfortunately, the current deployed UX is already akin to that, but worse.
 Namely, that users on Medium or High security have to whitelist multiple
 scripts or video/audio every time they visit a favorite site. It's more
 complex than a per-site slider.

 But lately I'm inclined to think that #22981, #22982, and #22985 would
 largely mitigate the problems this ticket was intended to address.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by tom):

 I haven't seen any comment about setting persistence, unless I've missed
 it.

 If you set custom settings for a domain, to persist those settings we'll
 have to record that you visited that domain, persist that to disk, and
 keep it there forever essentially. That's pretty horrible from a privacy
 perspective.

 The alternative is just as bad from the user experience side. Every time
 you open tor Browser, you're going to have to reset your slider settings
 as you visit each of your frequently visited sites.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * cc: i139 (added)


Comment:

 #22344 has some ideas how to visualize this on an Android phone. (marking
 that one as duplicate)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by jonathanfemideer):

 Replying to [comment:18 gk]:
 > Replying to [comment:16 jonathanfemideer]:
 > > Replying to [comment:13 gk]:
 > > > Is it "high" because one said in 1) for foo.com the rule is "high"?
 > >
 > > Again, the answer here is, "No," and again this is because the user is
 viewing, within one tab, content from ''both'' sites.
 >
 > I am confused about that one because reading the other parts of your
 response leads me to assume you meant "Yes". The context of the quote you
 took is the *iframe* and not the whole site. Or did I misunderstand your
 position?

 Good catch! Sorry for my mistake. You are quite right that the context you
 were asking about in the portion of your question that I quoted was the
 '''iframe''' in that tab, not the whole site, the whole page, or the whole
 content of the tab. Let me try again :)

 > > > But for now let's assume we implement this indeed how is the
 implementation supposed to behave in the following scenario:
 > > >
 > > > 0) By default the user is in "medium" mode.
 > > > 1) In tab 1 one has foo.com open. A user does not like to have
 "medium" mode here but says: "For this site I want to have high security
 because I am scared" and adapts that accordingly.
 > > > 2) In tab 2 bar.com is open which is per default (see 0)) above in
 "medium" mode. But bar.com includes an iframe pointing to foo.com.
 > > >
 > > > Now the question is: what are the security settings for stuff loaded
 in the iframe? Is it "medium" because it is embedded in bar.com and
 bar.com is the site you are in contact with?
 > >
 > > The answer here is, "No," because of the false premise, "''bar.com is
 '''the''' site you are in contact with''". This premise is false because
 the user in your example is viewing, within one tab, content from ''both''
 sites.
 > >
 > > > Is it "high" because one said in 1) for foo.com the rule is "high"?
 > >

 The answer here is, "Yes."

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by mcs):

 I attended a session during the recent Tor meeting where similar issues
 were discussed. For reference, the session notes are here:
 
[https://trac.torproject.org/projects/tor/wiki/org/meetings/2017Amsterdam/Notes/SecuritySliderUsability
 Security Slider Usability Session Notes].

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 Replying to [comment:16 jonathanfemideer]:
 > Replying to [comment:13 gk]:
 >
 >
 > > So, I am inclined to resolve this as `WONTFIX` due to the UX nightmare
 at least.
 >
 > Please don't close this as `WONTFIX`. Let us instead use this bug report
 (or feature request) to figure out how best to meet the desired security
 improvements.
 >
 > Your question below is a great start. Thank you for asing it!
 >
 > > But for now let's assume we implement this indeed how is the
 implementation supposed to behave in the following scenario:
 > >
 > > 0) By default the user is in "medium" mode.
 > > 1) In tab 1 one has foo.com open. A user does not like to have
 "medium" mode here but says: "For this site I want to have high security
 because I am scared" and adapts that accordingly.
 > > 2) In tab 2 bar.com is open which is per default (see 0)) above in
 "medium" mode. But bar.com includes an iframe pointing to foo.com.
 > >
 > > Now the question is: what are the security settings for stuff loaded
 in the iframe? Is it "medium" because it is embedded in bar.com and
 bar.com is the site you are in contact with?
 >
 > The answer here is, "No," because of the false premise, "''bar.com is
 '''the''' site you are in contact with''". This premise is false because
 the user in your example is viewing, within one tab, content from ''both''
 sites.
 >
 > > Is it "high" because one said in 1) for foo.com the rule is "high"?
 >
 > Again, the answer here is, "No," and again this is because the user is
 viewing, within one tab, content from ''both'' sites.

 I am confused about that one because reading the other parts of your
 response leads me to assume you meant "Yes". The context of the quote you
 took is the *iframe* and not the whole site. Or did I misunderstand your
 position?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by arthuredelstein):

 Replying to [comment:15 gk]:
 > Replying to [comment:14 arthuredelstein]:

 > > When I opened this ticket, I was envisioning the former (sorry this
 wasn't clearly stated). So maybe, strictly speaking, the proposed feature
 should be called "per-first-party security settings" instead of "per-site
 security settings".
 >
 > But the user in my example clearly indicated they want to have foo.com
 in "high" mode. Like clearly, clearly, because they are scared about that
 particular domain. That wish is not dependent on any other site embedding
 foo.com nor on any other site doing so on any security level. What I am
 trying to say is: making security decisions based on the URL bar domain
 does not work. The malware from foo.com you are afraid of does not care if
 there is first-party isolation on or off. It just needs *one way* to get
 to you. I believe users are aware of that and expecting that a security
 slider that defends them against that takes this into account.

 TLDR: I think there are serious problems with the current security slider
 behavior, but I tend to agree that the proposed behavior (per-first-party
 settings) is perhaps too difficult to make clear to the user.
 ---

 I now realize that, implicit in my model is that the user should start in
 default "high" mode and then use "medium" or "low" security on specific
 sites when more usability is needed. With my proposed of a simple drop-
 down attached to the URL bar, it's impossible for the user to raise the
 security of a site before they have already visited! Very similar to
 NoScript's popup menu.

 So let's take your example, but starting in default "high" security (call
 it Example A):

 In general, users don't know, unless they inspect network requests or
 source code, that bar.com sources an evil iframe from foo.com. All they
 can see is "bar.com" in the URL bar.

 In the current Tor Browser, with a global security setting, here's what
 the user does:
 * Set security to High and visit https://foo.com/ --> protected
 * Visit https://bar.com/ and then set security to Medium --> exploited

 If we add a patch that allows per-first-party security setting, the user
 does this:
 * Set default security to high
 * Visit https://foo.com --> protected
 * Visit https://bar.com, and then set bar.com's security to Medium -->
 exploited

 So in Example A, the status quo is just as bad as a per-first-party
 security setting patch. Regardless, bar.com has an undeserved "safe"
 reputation and the user was unfortunately exploited.

 Let me now propose Example B. Suppose another site, baz.com, has a well
 deserved safe reputation. The user wants to visit baz.com and the same
 dangerous foo.com.

 In the current Tor Browser:
 * Set global security to High and visit https://foo.com/ --> protected
 * Visit https://baz.com/ in the same tab, and then lower global security
 to Medium --> safe
 * Click the Back button to return to https://foo.com  --> oops! exploited

 In a browser with proposed patch:
 * Set default security to high
 * Visit https://foo.com --> protected
 * Now visit https://baz.com in the same tab, and then lower baz.com's
 security to Medium --> safe
 * Click the Back button to return to https://foo.com --> still protected

 So in Example B, in current Tor Browser it's too easy for the user to
 forget they need to set the default setting to "High" before clicking the
 back button. And I think the potential for user opsec mistakes could get
 even worse if we implement #21153.

 But despite this argument I am inclined to agree that the semantic
 problems associated with the proposed change are pretty serious. Will the
 user really understand the distinction between per-domain and per-first-
 party-domain security settings? Perhaps not. So I'm not sure how to solve
 this problem.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by jonathanfemideer):

 Replying to [comment:13 gk]:


 > So, I am inclined to resolve this as `WONTFIX` due to the UX nightmare
 at least.

 Please don't close this as `WONTFIX`. Let us instead use this bug report
 (or feature request) to figure out how best to meet the desired security
 improvements.

 Your question below is a great start. Thank you for asing it!

 > But for now let's assume we implement this indeed how is the
 implementation supposed to behave in the following scenario:
 >
 > 0) By default the user is in "medium" mode.
 > 1) In tab 1 one has foo.com open. A user does not like to have "medium"
 mode here but says: "For this site I want to have high security because I
 am scared" and adapts that accordingly.
 > 2) In tab 2 bar.com is open which is per default (see 0)) above in
 "medium" mode. But bar.com includes an iframe pointing to foo.com.
 >
 > Now the question is: what are the security settings for stuff loaded in
 the iframe? Is it "medium" because it is embedded in bar.com and bar.com
 is the site you are in contact with?

 The answer here is, "No," because of the false premise, "''bar.com is
 '''the''' site you are in contact with''". This premise is false because
 the user in your example is viewing, within one tab, content from ''both''
 sites.

 > Is it "high" because one said in 1) for foo.com the rule is "high"?

 Again, the answer here is, "No," and again this is because the user is
 viewing, within one tab, content from ''both'' sites.

 > If the latter how does one cope with broken sites and the problem that
 one is actually dealing with *sites* and not particular elements embedded
 in it? If the former why do we have per site security settings at all?

 I believe that this feature request is, strictly speaking, wanting Tor
 Browser to have ''per-subdomain'' security settings. The term "site" is
 not well-defined, but subdomain is. (I should have been clearer about this
 in my comment above. Mea culpa.)

 Once that is understood, the rest starts to fall into place. Content
 should be treated according to:

  1. which subdomain it arrived from; and
  1. what the security slider setting is for that subdomain.

 In your example, all content from foo.com (i.e. the stuff that is coming
 into the browser via the iframe, assuming it is all from foo.com) should
 be treated with the "High" setting, meaning that e.g. no JavaScript in
 ''that'' content will be run at all. Likewise, all content from bar.com
 (i.e. the rest of the stuff in that page, assuming it is all from bar.com)
 should be treated with the "Medium" setting, meaning that e.g. any
 JavaScript in there will only be run if it arrived over HTTPS, but even
 so, it will have JavaScript performance optimizations disabled.

 ''Mutatis mutandis'' for all the other criteria that are relevant to the
 High and Medium settings, per the [https://tb-manual.torproject.org/ar
 /security-slider.html Security Slider manual].

 What I am describing here is much like the functionality provided by
 [https://en.wikipedia.org/wiki/NoScript NoScript] or by
 [https://en.wikipedia.org/wiki/UBlock_Origin uBlock Origin]. These both
 allow JavaScript to be blocked by default, and then enabled per-domain by
 the user. These settings apply globally across the browser's tabs.

 (N.B. uBlock Origin also allows the user to select per-subdomain
 ''contexts'' in which to allow a(nother) given subdomain to execute
 scripts, but this complicates the UI somewhat. E.g. I could choose to
 allow `google-analytics.com` to execute within pages from `foo.com` but
 not within pages from `bar.com`. I propose we forget about such fine-
 grained contextual rules for now, to keep the complexity low.)

 Those two add-ons could be a source of inspiration (and code) for Tor
 Browser UX/UI elements with which to implement the desired functionality.
 Probably, the Tor Browser should keep things a bit simpler than those two
 add-ons do, though, to reduce the risk of a user becoming confused and
 misconfiguring their Tor Browser in a way that undermines their security.

 I would suggest that clicking the Torbutton should show, in addition to
 the "Tor circuit for this site" pane, etc, a column of sliders, one for
 each origin subdomain that the page in the current tab is attempting to
 load content from. Using ASCII art with "@" instead of an 

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 Replying to [comment:14 arthuredelstein]:
 > Replying to [comment:13 gk]:
 > > So, I am inclined to resolve this as `WONTFIX` due to the UX nightmare
 at least. But for now let's assume we implement this indeed how is the
 implementation supposed to behave in the following scenario:
 > >
 > > 0) By default the user is in "medium" mode.
 > > 1) In tab 1 one has foo.com open. A user does not like to have
 "medium" mode here but says: "For this site I want to have high security
 because I am scared" and adapts that accordingly.
 > > 2) In tab 2 bar.com is open which is per default (see 0)) above in
 "medium" mode. But bar.com includes an iframe pointing to foo.com.
 > >
 > > Now the question is: what are the security settings for stuff loaded
 in the iframe? Is it "medium" because it is embedded in bar.com and
 bar.com is the site you are in contact with? Is it "high" because one said
 in 1) for foo.com the rule is "high"? If the latter how does one cope with
 broken sites and the problem that one is actually dealing with *sites* and
 not particular elements embedded in it? If the former why do we have per
 site security settings at all?
 >
 > When I opened this ticket, I was envisioning the former (sorry this
 wasn't clearly stated). So maybe, strictly speaking, the proposed feature
 should be called "per-first-party security settings" instead of "per-site
 security settings".

 But the user in my example clearly indicated they want to have foo.com in
 "high" mode. Like clearly, clearly, because they are scared about that
 particular domain. That wish is not dependent on any other site embedding
 foo.com nor on any other site doing so on any security level. What I am
 trying to say is: making security decisions based on the URL bar domain
 does not work. The malware from foo.com you are afraid of does not care if
 there is first-party isolation on or off. It just needs *one way* to get
 to you. I believe users are aware of that and expecting that a security
 slider that defends them against that takes this into account.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by arthuredelstein):

 Replying to [comment:13 gk]:
 > So, I am inclined to resolve this as `WONTFIX` due to the UX nightmare
 at least. But for now let's assume we implement this indeed how is the
 implementation supposed to behave in the following scenario:
 >
 > 0) By default the user is in "medium" mode.
 > 1) In tab 1 one has foo.com open. A user does not like to have "medium"
 mode here but says: "For this site I want to have high security because I
 am scared" and adapts that accordingly.
 > 2) In tab 2 bar.com is open which is per default (see 0)) above in
 "medium" mode. But bar.com includes an iframe pointing to foo.com.
 >
 > Now the question is: what are the security settings for stuff loaded in
 the iframe? Is it "medium" because it is embedded in bar.com and bar.com
 is the site you are in contact with? Is it "high" because one said in 1)
 for foo.com the rule is "high"? If the latter how does one cope with
 broken sites and the problem that one is actually dealing with *sites* and
 not particular elements embedded in it? If the former why do we have per
 site security settings at all?

 When I opened this ticket, I was envisioning the former (sorry this wasn't
 clearly stated). So maybe, strictly speaking, the proposed feature should
 be called "per-first-party security settings" instead of "per-site
 security settings".

 Already, a first-party domain is ultimately responsible for everything
 loaded in a page, including third-party scripts and iframes. And some
 first-party domains are more trustworthy than others.

 For example, I sometimes keep Tor Browser on the "high security" setting
 by default. Sometimes I need to lower the security level for a particular
 HTTPS site because it is otherwise unusable. In that case, I have
 determined that I trust the site not to embed a shady third-party iframe.
 Unfortunately, currently, in order to lower the security setting of that
 site, I need to lower the security setting for all sites. This is
 obviously dangerous and also potentially risks cross-site linking.

 As far as UX is considered, my thinking would be to have security setting
 button next to the URL bar, similar to the NoScript button. The button's
 dropdown menu would have the title "Security setting for this page" with
 the three options (Low, Medium, High). In fact, it might be possible to
 hide the NoScript button altogether, because the "Temporarily allow all
 this page" menu option is more or less redundant in this situation.

 Having a separate content process for each first-party not only would make
 this possibly feasible, but it would also reduce the risk that exploits
 can link one tab to another.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 So, I am inclined to resolve this as `WONTFIX` due to the UX nightmare at
 least. But for now let's assume we implement this indeed how is the
 implementation supposed to behave in the following scenario:

 0) By default the user is in "medium" mode.
 1) In tab 1 one has foo.com open. A user does not like to have "medium"
 mode here but says: "For this site I want to have high security because I
 am scared" and adapts that accordingly.
 2) In tab 2 bar.com is open which is per default (see 0)) above in
 "medium" mode. But bar.com includes an iframe pointing to foo.com.

 Now the question is: what are the security settings for stuff loaded in
 the iframe? Is it "medium" because it is embedded in bar.com and bar.com
 is the site you are in contact with? Is it "high" because one said in 1)
 for foo.com the rule is "high"? If the latter how does one cope with
 broken sites and the problem that one is actually dealing with *sites* and
 not particular elements embedded in it? If the former why do we have per
 site security settings at all?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by teor):

 Replying to [comment:11 jonathanfemideer]:
 > Replying to [comment:10 teor]:
 > > Replying to [comment:5 jonathanfemideer]:
 > > > N.B. I have not yet encountered any websites that require the
 security level to be set to Low, but perhaps such websites do exist. If
 so, then please consider my request to extend to allowing a per-site
 setting of Low for those websites.
 > >
 > > HTTPS sites that use JavaScript.
 >
 > There are plenty of HTTPS sites that use JavaScript and work just fine
 without the security level needing to be set to Low. This Trac instance,
 for example! And GitHub, and many others.

 Sorry, that was a typo, I meant to write:
 *HTTP* sites that use JavaScript.

 (But, of course, I type HTTPS by default now.)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by jonathanfemideer):

 Replying to [comment:10 teor]:
 > Replying to [comment:5 jonathanfemideer]:
 > > N.B. I have not yet encountered any websites that require the security
 level to be set to Low, but perhaps such websites do exist. If so, then
 please consider my request to extend to allowing a per-site setting of Low
 for those websites.
 >
 > HTTPS sites that use JavaScript.

 There are plenty of HTTPS sites that use JavaScript and work just fine
 without the security level needing to be set to Low. This Trac instance,
 for example! And GitHub, and many others.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by teor):

 Replying to [comment:5 jonathanfemideer]:
 > N.B. I have not yet encountered any websites that require the security
 level to be set to Low, but perhaps such websites do exist. If so, then
 please consider my request to extend to allowing a per-site setting of Low
 for those websites.

 HTTPS sites that use JavaScript.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--
Changes (by tokotoko):

 * cc: fdsfgs@… (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--
Changes (by intrigeri):

 * cc: intrigeri (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--
Changes (by jonathanfemideer):

 * cc: jonathanfemideer (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by jonathanfemideer):

 Replying to [comment:4 yawning]:
 > I think this falls under the "encourage people to actually change the
 slider off the default" ticket.

 That is a separate problem, IMO. However, letting the user choose per-site
 security settings (i.e. addressing this ticket) could well be the best way
 to solve it.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--

Comment (by jonathanfemideer):

 **There should be a way for the user to keep the security level at High
 for all sites except for a few specific sites, and to set the latter to
 Medium.**

 In Tor Browser 6.5, this does not seem to be possible. In particular,
 there does not seem to be a way to choose per-site security settings.

 In a ideal world, users would be able to use the "High" setting, and this
 would *just work* on all sites. (Onion > Security Settings > High.)

 However, some websites (e.g. some bug trackers and some webmail clients)
 are built in a way that requires the user to execute some JavaScript. For
 such websites and webmail clients, the only two options seem to be:

 1.Change the browser security settings (Onion > Security Settings >
 Medium).

 2.Click NoScript icon > "Temporarily allow all this page".

 These both have disadvantages. Respectively:

 1.If the user subsequently opens a new tab to visit a different
 website, this will now only be at the Medium security setting instead of
 the High setting, even if this latter website would work fine with the
 High setting. So the user's security gets reduced on the new site,
 unnecessarily. Alternatively, if the user is keeping one or more tabs open
 for the first site, while using other tabs to browse other sites that are
 less trusted or don't require the Medium setting, then the user has to
 keep adjusting the browser security level each time they want to interact
 with the first site in one of those tabs. ''TL;DR: switching tabs
 shouldn't require changing security settings to make the contents of those
 tabs function.''

 2."Temporarily allow all this page" seems to be less secure than the
 Medium security setting. A user might trust a website (or need to use it)
 just enough to be willing to reduce the security level to Medium in order
 to make it function, but no lower than that. "Temporarily allow all this
 page" seems to be more like reducing the security level for that site to
 Low.

 So, to reiterate, there should be a way for the user to set the default
 security level to High, and then to make exceptions on a per-site basis.

 N.B. I have not yet encountered any websites that require the security
 level to be set to Low, but perhaps such websites do exist. If so, then
 please consider my question to extend to allowing a per-site setting of
 Low for those websites.

 (Original discussion: ​https://lists.torproject.org/pipermail/tor-
 talk/2017-March/042982.html )

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #20843| Points:
 Reviewer:|Sponsor:
--+--
Changes (by yawning):

 * parent:   => #20843


Comment:

 I think this falls under the "encourage people to actually change the
 slider off the default" ticket.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * cc: gk (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by mcs):

 * cc: brade, mcs (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21034 [Applications/Tor Browser]: Per site security settings?

[Tor Bug Tracker & Wiki]

#21034: Per site security settings?
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by yawning):

 * cc: yawning (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs