
Re: [tor-talk] Tor Browser Security Settings warning

On 04/08/2018 05:12 PM, Joe wrote:
On 04/05/2018 11:34 PM, Joe wrote:
On 04/05/2018 06:19 AM, Georg Koppen wrote:

A safe thing to do would be downloading a clean, new Tor Browser from
our website and start over again (maybe exporting the bookmarks from the
currently used Tor Browser and importing them in the newly downloaded one).

Georg (or anyone),
    I D/L TBB 7.5.6 Linux & verified w/ GPG.
Installed to new directory as you suggested.
After the clean install, Torbutton Security didn't show a msg about "unusual security settings."

As most know, TBB ships w/ NoScript set to allow all scripts globally (which NoScript warns as "Dangerous"). I changed NS to deny scripts globally, as many experienced users do (in TBB and other browsers).

Like many, I don't allow NS to "cascade top document's permissions to 3rd party scripts," under Advanced > Trusted.  [for newer users, "top document's permissions" (the target web page's permissions) means whatever scripts or permissions you allowed for your target site, any & all 3rd parties then have the same permissions].  Which could be very dangerous if a site is hacked with malicious scripts & NoScript says, "Come on in!"

Under NoScript Advanced > HTTPS, I UNcheck, "Allow HTTPS scripts globally on HTTPS documents," because there's generally no reason to allow *ALL* 3rd party trackers' or hackers' HTTPS scripts, but plenty of reasons not to.

Now Torbutton > Security Settings shows the "unusual security settings" message, "for security and privacy reasons," as if these settings are more dangerous than the defaults.

When I click Torbutton's Restore Default Settings, the only thing I find it resets is NoScript to allow scripts globally, under the whitelist tab.  AFAIK, it doesn't change any (other) NoScript settings, or about:config prefs & nothing under TBB Preferences > Privacy.

It appears that Torbutton thinks allowing scripts globally is a safer way to go.

Hey Georg,
What kinds of things in NoScript is the "restore default settings" changing?  I've never seen that restoring default changed anything there, and I've looked pretty deeply. The only things I change in NS are things that improve anonymity & security, not hurt them.  Just like many experienced Tor users do.

Of course, anything is "possible."  Tor Project has already made the changes to Firefox that I'd be interested in changing, if they weren't already.
You said it's adjusting important settings.
If you or others can give me typical things to look at, I'll capture before & after lists (TBB or NS prefs in about:config, or whatever) to find what it's objecting to. I don't let NS allow scripts globally for any tracker & their brother to track me.

I'll be honest - I've never seen resetting to default change anything, anywhere.  If I know where to look, it'll save me some time.

I don't allow setting cookies unless necessary AND I trust the site.
The only addon I have is uBlock Origin.  I'm pretty sure uBo isn't changing Tor browser settings - to be *less* secure or private.  Maybe the reverse of that.

Still, I'd like to know what it is & maybe pursue a fix. Without some ad blocker (that isn't itself a tracker), quite a few sites load so slowly, it's almost not worth it.
News sites are crazy overrun w/ ads that just keep coming.
No one replied (yet) on "these are the main things that clicking _Restore Default Settings_ under TorBrowser Security Settings will change." I'm not sure if this data is a guarded secret or this list just has few knowledgeable users or project employees to discuss it. So I did some comparison of before / after in NoScript and TorBrowser settings in about:config prefs - looking at which user set prefs changed, if any.

So far, I found resetting to default security settings (when the security slider = Low) causes:
* NoScript to be reset to allow all scripts globally and
* NoScript - Advanced/HTTPS/Permissions - to re-enable "Allow HTTPS scripts globally on HTTPS documents" which is the about:config pref: noscript.globalHttpsWhitelist; (True if checked to allow in NS).

I found no other changes.  I repeated the process of disabling those 2 options and looking at TBB security settings. Each time I unchecked the 2 NS options, TBB warned of "unusual security settings." "For your security and privacy reasons, we recommend you choose one of the default security levels."  Even the low security level?

I can install a clean TBB version & make the change to "remember my browsing & download history," but not allow 1st or 3rd party cookies and see if the same warning shows.

If TBB / Tor Button is actually coded to say that allowing 100% of all scripts leads to better security, the message's wording probably needs revision. The quite old FAQ https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled, says "if you disable JavaScript by default but then allow a few websites to run scripts (the way most people use NoScript), then your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity."

First, it presumes users make *permanent* JS exceptions for some sites, rather than temporary ones that are deleted after closing a tab or when the browser closes. It seems to presume that users allowing some scripts don't close tabs or clear any data before going to other sites. The FAQ (probably 10+ yrs old) pro vs. con seems outdated.  Today, allowing "all scripts, all the time" allows sites & trackers (thus, allowing users' national governments) to gather so much more info about their activities & machine than temporarily white listing a few sites in NoScript ever would.  Factor in revoking script permissions upon leaving a site and selective temporary script exceptions are even less damaging.

The amount of data that sites, trackers and adversaries can and do gather is so much greater with *all scripts allowed always,* it's probably not a close comparison to selective, temporary whitelisting of select scripts.
Not to mention the increased security threat of globally allowing scripts.

I personally don't permanently white list anything in TorBrowser.
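The before/after comparison of user-set prefs described in this thread can be automated: the script below (an added example, not code from the thread or from Tor Project) parses two snapshots of a profile's prefs.js and lists the user_pref entries that differ. The two snapshots are constructed inline; noscript.globalHttpsWhitelist is the pref named in the thread, while noscript.global is assumed here to be the legacy NoScript pref behind "allow scripts globally" (an assumption, not something the thread states).

```python
import re
from typing import Any, Dict, Tuple

# One user_pref line from a Firefox/Tor Browser prefs.js, e.g.
#   user_pref("noscript.globalHttpsWhitelist", false);
_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def _coerce(raw: str) -> Any:
    """Turn the raw JS literal into a Python value (bool, int, or str)."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw

def parse_prefs(text: str) -> Dict[str, Any]:
    """Parse prefs.js text into {pref_name: value}; comments/blank lines are skipped."""
    prefs: Dict[str, Any] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = _coerce(m.group(2))
    return prefs

def diff_prefs(before: Dict[str, Any], after: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Return {name: (old, new)} for prefs that changed, appeared (old=None) or vanished (new=None)."""
    return {name: (before.get(name), after.get(name))
            for name in sorted(set(before) | set(after))
            if before.get(name) != after.get(name)}

# Constructed snapshots: BEFORE = both NoScript options unchecked by the user,
# AFTER = the same profile after "Restore Default Settings".
BEFORE = """// Mozilla User Preferences
user_pref("noscript.global", false);
user_pref("noscript.globalHttpsWhitelist", false);
user_pref("browser.cache.disk.enable", false);
user_pref("example.constructed.pref", "temp");
"""
AFTER = """// Mozilla User Preferences
user_pref("noscript.global", true);
user_pref("noscript.globalHttpsWhitelist", true);
user_pref("browser.cache.disk.enable", false);
"""

def find_reset_changes() -> Dict[str, Tuple[Any, Any]]:
    """Diff the two constructed snapshots; only the NoScript prefs (and the vanished one) should show."""
    return diff_prefs(parse_prefs(BEFORE), parse_prefs(AFTER))

if __name__ == "__main__":
    for name, (old, new) in find_reset_changes().items():
        print(f"{name}: {old!r} -> {new!r}")
```

To use it on a real profile, copy prefs.js out of the Tor Browser profile directory before and after clicking Restore Default Settings (with the browser closed so the file is flushed) and feed both copies to diff_prefs.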
