Opened 4 years ago

Last modified 22 months ago

#10772 assigned defect

Torbutton/Noscript plugin settings ambiguous to user

Reported by: gilidula
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Software: Tor Browser 3.5.1
The recent changes to torbutton/torbrowser leave some confusion to the user. Opening the Noscript Options menu, under embeddings, shows that no embedding type is being blocked (i.e. Flash/Silverlight/Java/other plugins).

Yet, the torbutton claims in documentation to be blocking all plugins. This may lead the user to conclusions that are false.

https://www.torproject.org/projects/torbrowser/design/#DesignRequirements
"Disabling plugins
Plugins have the ability to make arbitrary OS system calls and bypass proxy settings. This includes the ability to make UDP sockets and send arbitrary data independent of the browser proxy settings.

Torbutton disables plugins by using the @mozilla.org/plugin/host;1 service to mark the plugin tags as disabled. This block can be undone through both the Torbutton Security UI, and the Firefox Plugin Preferences.

If the user does enable plugins in this way, plugin-handled objects are still restricted from automatic load through Firefox's click-to-play preference plugins.click_to_play.

In addition, to reduce any unproxied activity by arbitrary plugins at load time, and to reduce the fingerprintability of the installed plugin list, we also patch the Firefox source code to prevent the load of any plugins except for Flash and Gnash."

Essentially, the design document states that the user should only be able to enable Flash, and through the torbutton UI. The noscript UI about embeddings is therefore confusing and redundant. This could cause the user to make false conclusions about the behavior of the browser, compromising their anonymity.

This is the basic problem in user interface design of having two places to change a setting, and it usually indicates a defect in design.

Change History (4)

comment:1 Changed 4 years ago by gk

Component: Torbutton → Tor bundles/installation
Keywords: tbb-usability added; audio video noscript torbutton removed
Owner: set to erinn
Version: Tor: unspecified

comment:2 Changed 4 years ago by cypherpunks

This really isn't an easy fix in terms of just putting the checkboxes back on in the prefs. The root issue is that none of those check boxes should be there. The root issue is that noscript has a decent amount of functionality that shouldn't be exposed to the user, because we are already messing with it somewhere else, either in patches or in torbutton, or in prefs--are there also settings we must not let users change that are exposed by noscript?

This ticket maybe should be renamed to "Redundant interfaces in Tor Browser", or something.

So the only solution I really see to this is forking noscript into a "TorScript" somehow. I am no JS person, so I personally wouldn't know how viable this is.

  1. Essentially all that is required is hiding some of the interfaces from the user, and ensuring the correct default settings. Requires forking noscript.
  2. Putting all these interfaces into Torbutton. Requires forking noscript.
  3. Not changing this stuff via patches or torbutton, and really let noscript decide--this may not be possible from an anonymity perspective.

Just ideas...

Last edited 4 years ago by cypherpunks

comment:3 Changed 4 years ago by erinn

Keywords: needs-triage added

comment:4 Changed 22 months ago by bugzilla

Component: Applications/Tor bundles/installation → Applications/Tor Browser
Keywords: needs-triage removed
Owner: changed from erinn to tbb-team
Severity: Normal
Status: new → assigned