Opened 3 weeks ago

Closed 3 weeks ago

Last modified 3 weeks ago

#31016 closed defect (wontfix)

Limited (and partially wrong) advice in documentation. Consider uBlock Origin and uMatrix extensions.

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

https://trac.torproject.org/projects/tor/wiki/org/teams/CommunityTeam/Support_discuss#CanIinstallanewadd-onorextensioninTorBrowserlikeAdBlockPlusoruBlockOrigin says:

It’s strongly discouraged to install new add-ons in Tor Browser, because they can compromise both your privacy and your security. Plus, Tor Browser already comes installed with two add-ons — HTTPS Everywhere and NoScript — which give you a lot of added protection.

However this is a limited and (in the case of uBlock Origin and uMatrix) pretty irrelevant advice because:

  1. HTTPS-E and NoScript lack important functionality which uMatrix and uBO have. Example: blocking 3rd party requests can be critical to enhancing privacy.

OTOH

  1. uMatrix and uBO can fully block JavaScript (which makes NoScript unnecessary) and uM can block mixed content.
  1. HTTPS-E is pretty much a meaningless extension because it attempts to provide a workaround for websites which are not configured properly. IOW it may create a false sense of security by potentially enforcing HTTPS which may not be configured properly by the website owners. Additionally it has a privacy issue too as it needs connection to a particular host to update its lists.

Please consider working with gorhill to use uBO and uMatrix instead of HTTPS-E and NoScript.

Child Tickets

Change History (2)

comment:1 Changed 3 weeks ago by gk

Resolution: wontfix
Status: newclosed

We are not in the blocking business of 3rd party requests for privacy reasons and don't plan to do so. And there are no plans to replace HTTPS-E and NoScript with both extensions.

comment:2 Changed 3 weeks ago by cypherpunks

You are answering only the second part of the report.
The first one remains: the advice in the documentation is wrong/limited.

Note: See TracTickets for help on using tickets.