Consider releasing Tails 5.0.1 to fix Mozilla Foundation Security Advisory 2022-19
https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/
Process: https://tails.boum.org/contribute/working_together/roles/release_manager/#emergency-release
Impact: if I visit a website controlled by an adversary, they can probably see what I'm doing on other websites that I'm visiting in the same Tor Browser session. This probably allows them to steal passwords I type. The adversary will also be able to make these changes persist across TorBrowser restarts - but not across Tails reboots.
Possible mitigations:
- Use our security advisory mechanism to tell users (via a desktop notification on every boot):
  - Either, to isolate their untrusted web browsing from their trusted web browsing, and restart Tails in between.
    - Drawback: not so easy for us to explain and for users to apply
    - No, we don't think that closing TorBrowser and opening it again will be enough.
  - Or, to use the Safest Tor Browser security level
    - Drawback: makes most websites unusable
Other considerations:
- The FT is having a sprint this week. Preparing an emergency release would waste almost half of this sprint.
- Our next scheduled release is on May 31.
- Tor Browser developers are preparing an emergency release.
Edited by boyska