
Re: [tor-talk] TBB "Security Level" Question.



Reading documents like https://tb-manual.torproject.org/ answers a lot
of questions for newer TBB users.  Also, just as Firefox changes
constantly, TBB has ongoing changes.

On 2/8/20 3:53 PM, mimble9@xxxxxxxxxxxxx wrote:
> My impression is that the "Security Level" (standard, safer, safest) has
> somewhat replaced NoScript.

I don't think that's true.  If you read the differences in the TBB
safety levels, it's fairly specific.  As for safety levels replacing NS,
there may be *some* overlap.

Forgetting JS for a moment, there are many things NS does that don't
involve JS, that are worth using, even if JS is turned on in NS by default.

> NoScript is still an add-on but the icon does not appear as standard at
> the top of the browser as used to be the case. Also, the preset
> customization for "default" sites is to allow everything (except ping).

Where does the NS icon appear for you?  The icon itself looks much the
same as in the 1st quantum version.  It used to be placed to the left of
URL bar - maybe still is, in a fresh install.  I always move it to the
right of the search bar.

> In terms of TBB's "Preferences / Privacy and Security" section, many sites
> will not work unless the "standard" setting is chosen. Are there any
> serious security ramifications of "standard" that can undermine the TBB
> and thus acquire the user's real IP?

The Safe, Safer or Safest levels have nothing to do with exit nodes used
by TBB.  The addresses of the exit nodes determine the IPa that sites
see, not java scripts.  Choose a different exit node, get a new IPa
(from Tor network exits).

Under "Learn More" or Advanced Security Settings, under Security Levels,
the Safer level says,
"Disables website features that are often dangerous, causing some sites
to lose functionality."

"JavaScript is disabled on non-HTTPS sites. Some fonts and math symbols
are disabled. Audio and video (HTML5 media), and WebGL are click-to-play."

It doesn't say if that's every feature it disables.
True, many sites won't work completely unless at least (some or all,
depending) of the scripts for the 1st level domain are allowed.  For
certain content on a given site, some 3rd party scripts must be enabled.

It depends on what content you want to see & its format, its source -
from 1st or 3rd party, etc. For instance, if you're reading plain text
or HTML, JS is generally not needed.

> I assume not or what would be the point of the TBB? I imagine that browser
> components that might be dangerous in a normal Firefox won't necessarily
> be operational in a hardened TBB. Hence, "standard" (which includes JS,
> WebGL, etc) is not a problem.

For one very big thing, TBB (and Tor and how the Tor network functions),
unhardened Firefox gives out much more info than TBB - even if TBB is on
Safe level.
It hides your true IP address, if users don't install certain addons
that sometimes may leak your true IPa.

It spoofs a lot of info given out in normal browsers, so the spoofed
data is the same for all TBB users.  Other data shown by browsers, TBB
may not give out at all.



> Could someone e.g. Roger please clarify this fact. It does feel a bit odd
> using sites with JS, etc, freely working whereas in my non-TBB Firefox, I
> have to constantly allow NoScript to "temporarily trust" most sites.
>
> Thank you.


--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk