Opened 5 months ago

Last modified 5 months ago

#22809 new defect

Tor Browser does not provide red security warning for downloading executable in HTTP

Reported by: naif
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ux-team
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

This ticket is to enhance Tor Browser, which today does not provide a red security warning for downloading an executable over HTTP in clear text, a download that can easily be subject to MITM attacks.

Actually there's a ticket sitting on Mozilla Firefox to implement exactly that: https://bugzilla.mozilla.org/show_bug.cgi?id=1303739.

The very same should apply to mixed content, where an HTTPS website triggers the download of an executable from an HTTP resource.

Attached is the standard warning provided by Firefox, which does not explain to the end user how risky the download of an executable over HTTP in the clear is.

Child Tickets

Attachments (1)

Screen Shot 2017-07-04 at 11.28.28.png (435.4 KB) - added by naif 5 months ago.
Download of an executable over an insecure HTTP channel


Change History (4)

Changed 5 months ago by naif

Download of an executable over an insecure HTTP channel

comment:1 Changed 5 months ago by cypherpunks

Component: Select a component → Applications/Tor Browser
Keywords: ux-team added
Owner: set to tbb-team

comment:2 Changed 5 months ago by arma

The best order of operations here would be for Firefox to fix its bug, and merge the fix, and then we can get the fix when we pull in a future version of Firefox.

Another option is, if there is a good patch but Firefox won't take it or it will be years until we pull in the version of Firefox that includes it, that we could apply the patch to Tor Browser directly, and maintain it until things catch up with the Firefox releases.

But I am unclear on why we should single out exe files here. In the mozilla bugtracker, you mention rpm and deb files too. Why not tarballs also? Or docx files? Where do we draw the line?

comment:3 Changed 5 months ago by naif

As for the definition of exe, rpm or tarball files, we could probably define "any installer file that can be executed on the target machine", and that could be a list of content types and extensions.

I've been told that the Firefox UX team is very busy with the new major releases, so they are not going to work on it soon.

A good patch on Firefox from the Tor Project would probably be the fastest solution, which could in turn go back to Firefox as "ready made".

That's something I'm going to bid on and look forward to supporting financially and functionally for the implementation, as I'm finding out that there is too much software being delivered over HTTP, a target of malware infection appliances, and the only way to work around it is to have the browser warn about or block those downloads (probably doing a sort of "securethe.news" but for software distribution security).

Last edited 5 months ago by naif
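Added example, not Tor Browser's or Firefox's code: the check this ticket asks for, written as a small download classifier that combines the "list of content types and extensions" idea from comment 3 with the mixed-content case from the description. It uses the WHATWG URL API (available in Node.js and browsers); the extension and MIME lists, the sample URLs and all function names are my assumptions, not values taken from the ticket or the Bugzilla bug.

```javascript
// Added example (not Tor Browser or Firefox code): decide whether a download
// deserves a red warning, in the spirit of this ticket. The type lists below
// are constructed placeholders standing in for the ticket's proposed
// "content types and extensions" list.

// Constructed list of installer/executable types (assumption, not from the ticket).
const EXECUTABLE_EXTENSIONS = new Set([
  "exe", "msi", "dmg", "pkg", "deb", "rpm", "appimage", "jar", "apk", "sh",
]);
const EXECUTABLE_MIME_TYPES = new Set([
  "application/x-msdownload",
  "application/x-msi",
  "application/vnd.debian.binary-package",
  "application/x-rpm",
  "application/x-apple-diskimage",
  "application/vnd.android.package-archive",
  "application/java-archive",
  "application/x-sh",
]);

// Lower-cased extension of the last path segment ("" if there is none).
function fileExtension(pathname) {
  const name = pathname.split("/").pop() || "";
  const dot = name.lastIndexOf(".");
  return dot > 0 ? name.slice(dot + 1).toLowerCase() : "";
}

// Strip parameters such as "; charset=binary" and normalise case.
function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// True when either the declared media type or the file extension is on the
// list. Servers often send application/octet-stream for installers, so the
// extension fallback matters; the query string is ignored via URL.pathname.
function isExecutableDownload(downloadUrl, contentType) {
  return (
    EXECUTABLE_MIME_TYPES.has(mediaType(contentType)) ||
    EXECUTABLE_EXTENSIONS.has(fileExtension(new URL(downloadUrl).pathname))
  );
}

// Classify one download event. Both "insecure" and "mixed-content" are the
// cases the ticket wants a red warning for; they are kept apart so the UI can
// explain which situation the user is in.
//   "not-executable": not on the list, ordinary download behaviour
//   "secure":         executable fetched over HTTPS
//   "insecure":       executable fetched over plaintext HTTP (modifiable in transit)
//   "mixed-content":  HTTPS page handing off to a plaintext HTTP executable download
//   "unknown-scheme": file:, blob:, etc.; out of scope for this check
function classifyDownload({ pageUrl, downloadUrl, contentType }) {
  if (!isExecutableDownload(downloadUrl, contentType)) return "not-executable";
  const dl = new URL(downloadUrl);
  if (dl.protocol === "https:") return "secure";
  if (dl.protocol !== "http:") return "unknown-scheme";
  return new URL(pageUrl).protocol === "https:" ? "mixed-content" : "insecure";
}

// Constructed sample download events for a stand-alone run.
const SAMPLE_EVENTS = [
  { pageUrl: "http://example.org/", downloadUrl: "http://example.org/setup.exe", contentType: "application/octet-stream" },
  { pageUrl: "https://example.org/", downloadUrl: "http://cdn.example.net/tool.deb?v=2", contentType: "application/vnd.debian.binary-package" },
  { pageUrl: "https://example.org/", downloadUrl: "https://example.org/tool.dmg", contentType: "application/octet-stream" },
  { pageUrl: "http://example.org/", downloadUrl: "http://example.org/readme.txt", contentType: "text/plain" },
];

for (const ev of SAMPLE_EVENTS) {
  console.log(classifyDownload(ev).padEnd(15), ev.downloadUrl);
}
```

The classifier only answers arma's "where do we draw the line" question mechanically: the line is whatever the two lists contain, so adding docx or tarballs is a one-line change and the scheme logic stays the same. Note that a Content-Disposition filename, when present, could be fed to fileExtension in place of the URL path; the example keeps to the URL and Content-Type the ticket mentions.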