Opened 12 months ago

Closed 12 months ago

Last modified 12 months ago

#27277 closed defect (wontfix)

I got a message in TorBrowser asking me to Approve new permissions

Reported by: Dbryrtfbcbhgf
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I got a message in TorBrowser asking me to Approve new permissions. Here is a
https://s22.postimg.cc/hlbe2zx9d/Screen_Shot_2018-08-22_at_5.34.02_PM.png
TorBrowser 8.0a10

Change History (6)

comment:1 Changed 12 months ago by Dbryrtfbcbhgf

This message may be scary for end users, making it sound like it could possibly compromise them.

comment:2 Changed 12 months ago by gk

That's happening in a vanilla Firefox as well. I am not convinced we should override this mechanism. At least not before hearing Mozilla's rationale for doing so.

comment:3 Changed 12 months ago by legind

It looks like adding the ability to block FTP requests when the "Block all unencrypted requests" option is checked triggered this warning: https://github.com/EFForg/https-everywhere/issues/16377#issuecomment-415492846. This is really unintuitive from the warning itself, and in my opinion Firefox should change that wording - it only serves to discourage security-conscious people from using the extension. I apologize for this unexpected and frightening warning.

comment:4 Changed 12 months ago by legind

Why this is showing up in the alpha channel and not in the ESR-based stable channel is explained here:

https://www.linkedin.com/pulse/firefox-add-on-permission-fail-ari-trachtenberg

comment:5 Changed 12 months ago by gk

Resolution: wontfix
Status: new → closed

Thanks for the pointers, legind, much appreciated. I guess there is nothing we can do here from the Tor Browser side (at least not in this particular case). If you file a bug at Mozilla's bug tracker, I'd be happy to get CCed, thanks!

comment:6 Changed 12 months ago by traumschule

It's fine to ask but bad to not show the changelog or .xpi fingerprint:

2018.8.22
  * Adding a warning to pages which 'Block all unencrypted requests' is unable to upgrade
  * Adding a UX that enables users to add, delete, and edit update channels
  * Reduces memory overhead by optimizing exclusion regex
  * Block insecure FTP connections when 'Block all unencrypted requests' is checked
  * Bundled ruleset updates

With this update users (or scripts) can add new update channels. Not necessarily a good thing.
