[tor-talk] Tor Browser Suggestions

[tor_suggestions@xxxxxxxxxxxx]

I have some suggestions  for changes to make to future Tor Browser
releases to make Tor more  secure. If this is not the correct email
address to contact about this,  please either forward it to the
correct address and/or tell me who to be  in touch with. Thanks!

I am not an expert on this, some of my  suggestions may be pointless
or even harmful, but I think that at least  some of them would be
beneficial changes to Tor Browser.
The  most important thing is to enable NoScript ("Forbid Scripts
Globally").  I'm sure this has been considered, and declined thus far
due to the fact  that it makes some websites less usable. However,
JavaScript exploits  have been used to identify people, in some cases
negating the benefits  of Tor entirely. If someone really needs
scripts, they can easily allow  scripts globally or temporarily allow
whatever they need. I strongly  believe that the benefits of disabling
scripts by default would far  outweigh the detriments.

I would also suggest disabling cookies  (Edit>Preferences>Privacy).
The default setting 'never remember  history' allows cookies. Of
course, the same issue arises that it makes  some websites less
usable, and with safe browsing habits, cookies are  less of a threat
that scripts, so it's not as important as enabling  NoScript by
default, but I believe it is still worth giving heavy  consideration
to.

Those are the most obvious, and some of the  most controversial,
changes that I think should be made, though there's  also some smaller
things that have probably been overlooked entirely.

Currently,  Tor Browser allows websites to read fonts that a user has
installed on  their computer. This helps an adversary to uniquely
fingerprint the Tor  user. There is essentially no reason not to
disable this. To disable it,  change the about:config setting
gfx.downloadable_fonts.enabled to  false.

Tor Browser currently sends referrer headers which can be  used to
link together various websites that a user accesses. The  referrer
headers can be disabled entirely by changing the about:config 
settings network.http.sendRefererHeader to 0 and 
network.http.sendSecureXSiteReferrer to false. Alternatively, an
add-on  such as RefControl could be used to spoof the referrer header,
 eliminating any issues that would arise from disabling referrer
headers  entirely.

I think there is also reason to be concerned about DOM  storage. I'm
not too familiar with it, but it seems that it could  present the same
risks as cookies. It can be disabled in about:config by  changing
dom.storage.enabled to false and dom.storage.default_quota to  0. So
far I have never run into any problems with DOM storage disabled,  so
I don't see any reason not to, but I don't know much about it, so 
maybe there is something I am overlooking.

I would also suggest  changing NoScript settings under "Embeddings".
"Ask for confirmation  before temporarily unblocking an object" should
be checked, it's only a  minor inconvenience and prevents users from
unintentionally allowing  objects that may compromise their identity.
I would also disable all  embeddings (Java, Flash, etc), of course it
makes some web pages less  usable, but as with disabling scripts
entirely, I believe the security  benefits outweigh the inconvenience
seeing as Tor is designed  specifically for secure, anonymous
browsing.
Everything  mentioned above is what I believe is most important to
change. There are  some other things that are either less important,
and/or I am not as  familiar with, that would be worth considering
changing that I'll  mention below. I'm not as familiar with some of
the settings listed  below so maybe there's some reason they are
already set the way they  are, but I think they are at least worth
looking into.
I  would enable NoScript>Appearance>Temporarily allow [...]. 
"Temporarily allow all this page" is already enabled so it's not that 
big of a deal, and users can easily change it themselves, but I think 
it's still worth changing because in many cases, a user may want to 
allow scripts only from one source.

I would also enable  Edit->Preferences->Advanced->General->Warn me
when websites  try to redirect or reload the page. An inconvenience,
but could protect  against unexpected and potentially malicious
redirects.

You may  want to enable the following NoScript settings, I'm not sure
exactly  what they are, but it appears that even sites explicitly
marked as  'untrusted' are allowed to make use of some things that
could compromise  security.
NoScript>Advanced>Untrusted>Forbid bookmarklets
NoScript>Forbid META redirections inside  elements

There are also a few more about:config settings that concern me
somewhat.
network.http.use-cache is set to true. I don't know if there is any
risk with this, but it may be safer to disable it.
browser.fixup.alternate.enabled  is set to true. Again, I don't know
if there is any risk. I just know  that it attempts to 'fix' URLs,
perhaps that could result in the browser  redirecting to the wrong
website?
capability.policy.maonoscript.javascript.enabled  is set to allAccess.
I don't know what this means, and it only appeared  in about:config
options very recently, but allAccess sounds suspicious.
extensions.torbutton.saved.geo_enabled  is set to true. Again, not
sure what it means, and I haven't been able  to find out after doing a
web search. Anything related to geolocation  being potentially enabled
is reason for concern. Maybe this setting is  harmless, I don't know
what it does.
browser.geolocation.warning.infoURL is set to
https://www.mozilla.org/%LOCALE%/firefox/geolocation/.  To my
understanding this is just related to warning users or something  like
that, so I doubt it's an issue, but anything related to geolocation 
that isn't completely disabled concerns me.

OCSP validation may  be reason for concern. I know almost nothing
about it, but another Tor  user posted on a discussion board that
having OCSP validation enabled 
(Edit>Preferences>Advanced>Certificates>Validation) presents  a
security risk. It seems to me that it validates certificates and 
could therefore be good, but I don't know. It's probably fine the way
it  is, but I'm mentioning it just because someone else expressed
concern  with it at one point.
Lastly, to ensure that some of the  modifications work, the security
test on ip-check.info is a good tool,  though I assume you are aware
of it. It's what I used to confirm that  the about:config setting
successfully disabled websites from viewing  installed fonts. It could
be useful to determine that certain changes  made actually work and
that they don't result in more problems.
Thank  you for taking the time to read this and for considering
implementing  the aforementioned changes, and thank you for all of the
work you put  into developing and maintaining Tor and Tor Browser. I'm
far from an  expert on this subject so some of my suggested changes
are probably  pointless, and some may even be harmful (if any are
harmful, please let  me know so I know not to make those changes in my
own browser), but I  believe that at least some of my suggestions
(especially disabling  scripts, fonts, and referrer headers) are very
important changes to make  in future releases of Tor Browser.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk