Opened 2 years ago

Closed 2 years ago

#18944 closed defect (wontfix)

Remove block-malicious-sites-checkbox on TLS error page

Reported by: gk Owned by: gk
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff45-esr, TorBrowserTeam201605, GeorgKoppen201605, tbb-6.0-must
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

If a secure connection failed the error page contains a checkbox stating "Report errors like this to help Mozilla identify and block malicious sites". We don't want to do this.

Child Tickets

Change History (6)

comment:1 Changed 2 years ago by cypherpunks

Because... of privacy...?? Or because any MITM is likely not taking place near the site or its network? When you get MITMed, easily telling someone who can potentially take action about it is a useful feature. In Tor Browser's case the people to tell are those on the relevant list, optionally separated from other messages to that list in case of high volume or low quality.

comment:2 Changed 2 years ago by cypherpunks

Of course this should only ever be conspicuously manual, never automatic. And not every MITM will be Tor-related.

comment:3 Changed 2 years ago by gk

The first thing is We are not in the business of identifying and blocking malicious sites. We actually disabled that feature. Second, I see no reason why Mozilla should gather data related to a Tor Browser user. Third, this message is highly confusing in our context. Say, an exit node is MITMing a user. Why should the user report that to Mozilla in order to identify and block malicious sites? What is Mozilla supposed to do with that information?

We can think about ways to deal with MITM attacks in Tor Browser but that would be another ticket and would need at least a repurposed checkbox.

comment:4 Changed 2 years ago by gk

Keywords: GeorgKoppen201605 added
Owner: changed from tbb-team to gk
Status: newassigned

comment:5 Changed 2 years ago by gk

Keywords: tbb-6.0-must added

comment:6 in reply to:  3 Changed 2 years ago by gk

Resolution: wontfix
Status: assignedclosed

Replying to gk:

The first thing is We are not in the business of identifying and blocking malicious sites. We actually disabled that feature.

Looking closer that is not related to the Safebrowsing malware protection (which I assumed and which was the reason for filing this ticket). In ESR38 this checkbox is already existing although deeper buried and the whole thing is working slightly differently. I guess we leave it as-is for now then but file a ticket to get Mozilla out of the loop. That might even help detecting bad relays.

Second, I see no reason why Mozilla should gather data related to a Tor Browser user. Third, this message is highly confusing in our context. Say, an exit node is MITMing a user. Why should the user report that to Mozilla in order to identify and block malicious sites? What is Mozilla supposed to do with that information?

We can think about ways to deal with MITM attacks in Tor Browser but that would be another ticket and would need at least a repurposed checkbox.

This is #19119.

Note: See TracTickets for help on using tickets.