Flash does not work with TBB 2.2.36-1
A user reports that he is unable to view flash content with TBB 2.2.36-1 after enabling plugins by going into the Torbutton Preferences->Security Settings->Dynamic Content tab and unchecking "Disable plugins during Tor usage" box.
I tried this myself and I am not able to view videos on sites such as dailymotion.com and break.com.
Activity
I thought we already had a support ticket describing this somewhere already. You need to click that checkbox then restart TBB. Then all you need to do is click through the NoScript placeholders.
You can also dig through the Tools->Addons->Plugins menu and click the enable button for flash. That is what Torbutton toggles to disable it.
-
FYI: This should only be done for testing sandboxes and the like.
Since we dropped BetterPrivacy, flash basically directly deanonymizes you to ad networks through shared flash cookies with your normal browser. Also, simply enabling it exposes your flash version and OS platform to Javascript for fingerprinting, even if you don't click the NoScript placeholders to play flash apps. Then of course there's proxy bypass from running flash itself.
Replying to mikeperry:
I thought we already had a support ticket describing this somewhere already. You need to click that checkbox then restart TBB. Then all you need to do is click through the NoScript placeholders.
We have this on https://www.torproject.org/torbutton/torbutton-faq.html.en#noflash, but it does not work. I have clicked the checkbox, restarted TBB, clicked through the NoScript placeholders and ... nothing. Please try it?
Replying to mikeperry:
I did try what I specified, in fact. It worked fine on osx. What OS are you trying it on?
Three users with Windows (version unknown at this point) have reported it, I have tested with Debian Wheezy (and flash works just fine in other browsers). Did you try dailymotion.com and break.com?
Also, I did not have to do any of the NoScript stuff from that FAQ entry. It might be outdated and/or overgeneralized?
I have never had to do any of that NoScript stuff myself. I usually just click on the video frame and ok the box that pops up.
-
This is dangerous territory, then.. I mean, sure, we could sink some time into debugging the specifics of why a particular platform version can't shoot themselves in the foot, but unless the outcome of that is that people will find ways to make it safe, I don't think we care :/.
I also think it's likely that anybody who is capable of making this safe for themselves can probably solve this bug for us.
So my recommendation is not to worry about it. I know that might make the rabble a bit noisy. Sorry :/.
Trac:
Type: defect to enhancement
Status: new to assigned
Owner: erinn to cypherpunks
Component: Tor bundles/installation to TorBrowserButton -
Did I just block this thing from ever getting solved? I'm not sure if I created a catch-22 above or not.
To be clear: If you actually do experience this bug, we need more information. Specifically:
- In Tools->Addons->Plugins is Shockwave Flash present? Is it Grey? Is it enabled?
- If it's enabled, does it show up in about:plugins?
- Does it show up on http://browserspy.dk/plugins.php?
- ???
- Profit!
Trac:
Status: assigned to needs_information -
Man, the other way to look at the above comment is that I just willingly dropped "phishing 0-day" on our users to allow people to social engineer them into getting tracked and owned.
I hope somebody at least promises to try to try to do the right thing with that.
This stuff is hard. Let's go shopping with blind-signed tokens.
Trac:
Parent: N/A to #7470 (moved)-
This should be fixed due to the preference and code simplifications from #3100 (closed). At least, it works for me in TBB 2.3.35-4.
Trac:
Resolution: N/A to fixed
Status: needs_information to closed