Opened 7 years ago

Closed 7 years ago

#6109 closed enhancement (fixed)

Flash does not work with TBB 2.2.36-1

Reported by: runa Owned by: cypherpunks
Priority: Medium Milestone:
Component: TorBrowserButton Version:
Severity: Keywords:
Cc: mikeperry Actual Points:
Parent ID: #7470 Points:
Reviewer: Sponsor:

Description

A user reports that he is unable to view flash content with TBB 2.2.36-1 after enabling plugins by going into the Torbutton Preferences->Security Settings->Dynamic Content tab and unchecking "Disable plugins during Tor usage" box.

I tried this myself and I am not able to view videos on sites such as dailymotion.com and break.com.

Child Tickets

Change History (14)

comment:1 Changed 7 years ago by arma

Did Flash work with previous (recent) TBBs?

comment:2 Changed 7 years ago by arma

Cc: mikeperry added

comment:3 in reply to:  1 Changed 7 years ago by runa

Replying to arma:

Did Flash work with previous (recent) TBBs?

I started to wonder if FF12.0 or FF11.0 had something to do with it, so I went all the way back to TBB 2.2.35-6 to test. No luck with that one either.

comment:4 Changed 7 years ago by arma

Yeah. It's been my impression that it's been basically impossible to get Flash working with TBB, for a good long while now.

Mike might know more?

comment:5 Changed 7 years ago by mikeperry

I thought we already had a support ticket describing this somewhere already. You need to click that checkbox then restart TBB. Then all you need to do is click through the NoScript placeholders.

You can also dig through the Tools->Addons->Plugins menu and click the enable button for flash. That is what Torbutton toggles to disable it.

comment:6 Changed 7 years ago by mikeperry

FYI: This should only be done for testing sandboxes and the like.

Since we dropped BetterPrivacy, flash basically directly deanonymizes you to ad networks through shared flash cookies with your normal browser. Also, simply enabling it exposes your flash version and OS platform to Javascript for fingerprinting, even if you don't click the NoScript placeholders to play flash apps. Then of course there's proxy bypass from running flash itself.

comment:7 in reply to:  5 Changed 7 years ago by runa

Replying to mikeperry:

I thought we already had a support ticket describing this somewhere already. You need to click that checkbox then restart TBB. Then all you need to do is click through the NoScript placeholders.

We have this on https://www.torproject.org/torbutton/torbutton-faq.html.en#noflash, but it does not work. I have clicked the checkbox, restarted TBB, clicked through the NoScript placeholders and ... nothing. Please try it?

comment:8 Changed 7 years ago by mikeperry

I did try what I specified, in fact. It worked fine on osx. What OS are you trying it on?

Also, I did not have to do any of the NoScript stuff from that FAQ entry. It might be outdated and/or overgeneralized?

comment:9 in reply to:  8 Changed 7 years ago by runa

Replying to mikeperry:

I did try what I specified, in fact. It worked fine on osx. What OS are you trying it on?

Three users with Windows (version unknown at this point) have reported it, I have tested with Debian Wheezy (and flash works just fine in other browsers). Did you try dailymotion.com and break.com?

Also, I did not have to do any of the NoScript stuff from that FAQ entry. It might be outdated and/or overgeneralized?

I have never had to do any of that NoScript stuff myself. I usually just click on the video frame and ok the box that pops up.

comment:10 Changed 7 years ago by mikeperry

Component: Tor bundles/installationTorBrowserButton
Owner: changed from erinn to cypherpunks
Status: newassigned
Type: defectenhancement

This is dangerous territory, then.. I mean, sure, we could sink some time into debugging the specifics of why a particular platform version can't shoot themselves in the foot, but unless the outcome of that is that people will find ways to make it safe, I don't think we care :/.

I also think it's likely that anybody who is capable of making this safe for themselves can probably solve this bug for us.

So my recommendation is not to worry about it. I know that might make the rabble a bit noisy. Sorry :/.

comment:11 Changed 7 years ago by mikeperry

Status: assignedneeds_information

Did I just block this thing from ever getting solved? I'm not sure if I created a catch-22 above or not.

To be clear: If you actually *do* experience this bug, we need more information. Specifically:

  1. In Tools->Addons->Plugins is Shockwave Flash present? Is it Grey? Is it enabled?
  2. If it's enabled, does it show up in about:plugins?
  3. Does it show up on http://browserspy.dk/plugins.php?
  4. ???
  5. Profit!

comment:12 Changed 7 years ago by mikeperry

Man, the other way to look at the above comment is that I just willingly dropped "phishing 0-day" on our users to allow people to social engineer them into getting tracked and owned.

I hope somebody at least promises to try to try to do the right thing with that.

This stuff is hard. Let's go shopping with blind-signed tokens.

comment:13 Changed 7 years ago by arma

Parent ID: #7470

comment:14 Changed 7 years ago by mikeperry

Resolution: fixed
Status: needs_informationclosed

This should be fixed due to the preference and code simplifications from #3100. At least, it works for me in TBB 2.3.35-4.

Note: See TracTickets for help on using tickets.