[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] TBB "Security Level" Question.

On Sun, Feb 16, 2020 at 2:56 PM <joebtfsplk@xxxxxxx> wrote:
> Reading documents like https://tb-manual.torproject.org/ answers a lot
> of questions for newer TBB users.  Also, just as Firefox changes
> constantly, TBB has ongoing changes.
> On 2/8/20 3:53 PM, mimble9@xxxxxxxxxxxxx wrote:
> > My impression is that the "Security Level" (standard, safer, safest) has
> > somewhat replaced NoScript.
> I don't think that's true.  If you read the differences in the TBB
> safety levels, it's fairly specific.  As for safety levels replacing NS,
> there may be *some* overlap.
> Forgetting JS for a moment, there are many things NS does that don't
> involve JS, that are worth using, even if JS is turned on in NS by default.

To be clear, the "Security Levels" are a simple wrapper around NoScript. It
provides three options (Standard, Safer, Safest), therefore Tor Browser users
should only be divided into three groups based on the respective properties.

The situation is more complex than this because Tor Browser reveals more
distinguishing information than the "security level" you selected. Some users
also customize their Tor Browser by installing additional extensions - they are
likely particularly unique.

> > NoScript is still an add-on but the icon does not appear as standard at
> > the top of the browser as used to be the case. Also, the preset
> > customization for "default" sites is to allow everything (except ping).
> Where does the NS icon appear for you?  The icon itself looks much the
> same as in the 1st quantum version.  It used to be placed to the left of
> URL bar - maybe still is, in a fresh install.  I always move it to the
> right of the search bar.

In newer installations the NoScript button doesn't appear next to the
address bar. You can only access the NoScript configuration through
about:addons now.

> > In terms of TBB's "Preferences / Privacy and Security" section, many sites
> > will not work unless the "standard" setting is chosen. Are there any
> > serious security ramifications of "standard" that can undermine the TBB
> > and thus acquire the user's real IP?

Yes, there may be some "security" ramifications. The "security levels" were
created, in part, because in the past some features in the browser had bugs
(vulnerabilities) that we potentially exploitable. By increasing the "security
level" in the browser, there is a trade-off with increasing breakage on the
web - sometimes that breakage is decreasing usability (click-to-play) or no
javascript on unencrypted connections, etc. If a vulnerability in Tor Browser
is exploited such that a connection can be made that bypasses the tor proxy,
then this will reveal your real IP address (under normal circumstances).

> > I assume not or what would be the point of the TBB? I imagine that browser
> > components that might be dangerous in a normal Firefox won't necessarily
> > be operational in a hardened TBB. Hence, "standard" (which includes JS,
> > WebGL, etc) is not a problem.
> For one very big thing, TBB (and Tor and how the Tor network functions),
> unhardened Firefox gives out much more info than TBB - even if TBB is on
> Safe level.
> It hides your true IP address, if users don't install certain addons
> that sometimes may leak your true IPa.
> It spoofs a lot of info given out in normal browswers, so the spoofed
> data is the same for all TBB users.  Other data shown by browsers, TBB
> may not give out at all.

Correct. Tor Browser's default configuration is significantly more privacy
preserving than all other browsers available today. In addition, Mozilla has
made significant progress in hardening Firefox, and consequently this has
improved Tor Browser's hardening. If you are really concerned about your IP
address being revealed, then you should either use the Safer or Safest level,
or don't use the Internet (or use Tails or Qubes).

> >
> > Could someone e.g. Roger please clarify this fact. It does feel a bit odd
> > using sites with JS, etc, freely working whereas in my non-TBB Firefox, I
> > have to constantly allow NoScript to "temporarily trust" most sites.

Yes, this is another trade-off between usability and letting everyone create
custom rules for every website they visit.

- Matt
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to