[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor Browser Security Settings warning

To: Georg Koppen <gk@xxxxxxxxxxxxxx>, tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Tor Browser Security Settings warning
From: Joe <joebtfsplk@xxxxxxx>
Date: Wed, 4 Jul 2018 20:35:59 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 04 Jul 2018 21:35:33 -0400
In-reply-to: <0793b635-1908-f303-fabf-41983478fde7@gmx.com>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <7d399160-52d2-3659-88bd-531fcaa638c2@gmx.com> <104e7c71-3637-3561-7f59-cf695139dff2@torproject.org> <42056a7f-af4d-6191-c62e-77b4665c5f29@gmx.com> <0793b635-1908-f303-fabf-41983478fde7@gmx.com>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0


On 04/08/2018 05:12 PM, Joe wrote:

On 04/05/2018 11:34 PM, Joe wrote:

On 04/05/2018 06:19 AM, Georg Koppen wrote:

A safe thing to do would be downloading a clean, new Tor Browser from
our website and start over again (mabye exporting the bookmarks from the
currently used Tor Browser and importing them in the newly downloaded one).

Georg

Georg (or anyone),
    I D/L TBB 7.5.6 Linux & verified w/ GPG.
Installed to new directory as you suggested.

After the clean install, Torbutton Security didn't show a msg about"unusual security settings."

As most know, TBB ships w/ NoScript set to allow all scripts globally(which NoScript warns as "Dangerous").I changed NS to deny scripts globally, as many experienced users do (inTBB and other browsers).

Like many, I don't allow NS to "cascade top document's permissions to3rd party scripts," under Advanced > Trusted. [for newer users, "topdocument's permissions" (the target web page's permissions) means whatever scripts or permissions you allowed for your target site, any & all3rd parties the have the same permissions]. Which could be verydangerous if a site is hacked with malicious scripts & NoScript says,"Come on in!"

Under NoScript Advanced > HTTPS, I UNcheck, "Allow HTTPS scriptsglobally on HTTPS documents," because there's generally no reason toallow *ALL* 3rd party trackers' or hackers' HTTPS scripts, but plenty ofreasons not to.

Now Torbutton > Security Settings shows the "unusual security settings"message, "for security and privacy reasons," as if these settings aremore dangerous than the defaults.

When I click Torbutton's Restore Default Settings, the only thing I findit resets is NoScript to allow scripts globally, under the whitelisttab. AFAIK, it doesn't change any (other) NoScript settings, orabout:config prefs & nothing under TBB Preferences > Privacy.

It appears that Torbutton thinks allowing scripts globally is a saferway to go.

Hey Georg,
What kinds of things in NoScript is the "restore default settings"changing? I've never seen that restoring default changed anythingthere, and I've looked pretty deeply.The only things I change in NS are things that improve anonymity &security, not hurt them. Just like many experienced Tor users do.
Of course, anything is "possible." Tor Project has already made thechanges to Firefox that I'd be interested in changing, if theyweren't already.
You said it's adjusting important settings.
If you or others can give me typical things to look at. I'll capturebefore & after lists (TBB or NS prefs in about:config, or what ever)to find what it's objecting to.I don't let NS allow scripts globally for any tracker & their brothertrack me.
I'll be honest - I've never seen resetting to default changeanything, anywhere. If I know where to look, it'll save me some time.
I don't allow setting cookies unless necessary AND I trust the site.
The only addon I have is uBlock Origin. I'm pretty sure uBo isn'tchanging Tor browser settings - to be *less* secure or private. Maybe the reverse of that.
Still, I'd like to know what it is & maybe pursue a fix. Without somead blocker (that isn't itself a tracker), quite a few sites load soslowly, it's almost not worth it.
News sites are crazy over run w/ ads that just keep coming.
No one replied (yet) on "these are the main things that clicking_Restore Default Settings_ under TorBrowser Security Settings willchange."I'm not sure if this data is a guarded secret or this list just hasfew knowledgeable users or project employees to discuss it.So did some comparison of before / after in NoScript and TorBrowsersettings in about:config prefs - looking at which user set prefschanged, if any.
So far, I found resetting to default security settings (when thesecurity slider = Low), causes
* NoScript is reset to allow all scripts globally and
* NoScript - Advanced/HTTPS/Permissions - re-enables "Allow HTTPSscripts globally on HTTPS documents" which is the about:config pref:noscript.globalHttpsWhitelist; (True if checked to allow in NS).
I found no other changes. I repeated the process of disabling those 2options and looking at TBB security settings.Each time I unchecked the 2 NS options, TBB warned of "unusualsecurity settings.""For your security and privacy reasons, we recommend you choose one ofthe default security levels." Even the low security level?
I can install a clean TBB version & make the change to "remember mybrowsing & download history," but not allow 1st or 3rd party cookiesand see if the same warning shows.
If TBB / Tor Button is actually coded to say that allowing 100% of allscripts leads to better security, the message's wording probably needsrevision.The quite old FAQhttps://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled, says"if you disable JavaScript by default but then allow a few websites torun scripts (the way most people use NoScript), then your choice ofwhitelisted websites acts as a sort of cookie that makes yourecognizable (and distinguishable), thus harming your anonymity."
First, it presumes users make *permanent* JS exceptions for somesites, rather than temporary ones that are deleted after closing a tabor when browser closes.It seems to presume that users allowing some scripts don't close tabsor clear any data before going to other sites.The FAQ (probably 10+ yrs old) pro vs. con seems outdated. Today,allowing "all scripts, all the time" allows sites & trackers (thus,allowing users' national governments) to gather so much more infoabout their activities & machine than temporarily white listing a fewsites in NoScript ever would. Factor in revoking script permissionsupon leaving a site and selective temporary scripts exceptions areeven less damaging.
The amount of data that sites, trackers and adversaries can and dogather is so much greater with *all scripts allowed always,* it'sprobably not a close comparison to selective, temporary whitelistingof select scripts.
Not to mention the increased security threat of globally allowing scripts.

I personally don't permanently white list anything in TorBrowser.

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Prev by Author: Re: [tor-talk] Tor check not working or recognize TBB?
Next by Author: Re: [tor-talk] Tor check not working or recognize TBB?
Previous by thread: Re: [tor-talk] .onion eat http 413 errors
Next by thread: [tor-talk] [Wanted] Who wants "Healthy onions" add-on?
Index(es):
- Author
- Thread