[tor-talk] Tor Browser Security Settings warning

Thu Jul 5 01:35:59 UTC 2018

On 04/08/2018 05:12 PM, Joe wrote:
> On 04/05/2018 11:34 PM, Joe wrote:
>> On 04/05/2018 06:19 AM, Georg Koppen wrote:
>>>
>>> A safe thing to do would be downloading a clean, new Tor Browser from
>>> our website and start over again (mabye exporting the bookmarks from the
>>> currently used Tor Browser and importing them in the newly downloaded one).
>>>
>>> Georg
Georg (or anyone),
     I D/L TBB 7.5.6 Linux & verified w/ GPG.
Installed to new directory as you suggested.
After the clean install, Torbutton Security didn't show a msg about 
"unusual security settings."

As most know, TBB ships w/ NoScript set to allow all scripts globally 
(which NoScript warns as "Dangerous").
I changed NS to deny scripts globally, as many experienced users do (in 
TBB and other browsers).

Like many, I don't allow NS to "cascade top document's permissions to 
3rd party scripts," under Advanced > Trusted.  [for newer users, "top 
document's permissions" (the target web page's permissions) means what 
ever scripts or permissions you allowed for your target site, any & all 
3rd parties the have the same permissions].  Which could be very 
dangerous if a site is hacked with malicious scripts & NoScript says, 
"Come on in!"

Under NoScript Advanced > HTTPS, I UNcheck, "Allow HTTPS scripts 
globally on HTTPS documents," because there's generally no reason to 
allow *ALL* 3rd party trackers' or hackers' HTTPS scripts, but plenty of 
reasons not to.

Now Torbutton > Security Settings shows the "unusual security settings" 
message, "for security and privacy reasons," as if these settings are 
more dangerous than the defaults.

When I click Torbutton's Restore Default Settings, the only thing I find 
it resets is NoScript to allow scripts globally, under the whitelist 
tab.  AFAIK, it doesn't change any (other) NoScript settings, or 
about:config prefs & nothing under TBB Preferences > Privacy.

It appears that Torbutton thinks allowing scripts globally is a safer 
way to go.

>>>
>> Hey Georg,
>> What kinds of things in NoScript is the "restore default settings" 
>> changing?  I've never seen that restoring default changed anything 
>> there, and I've looked pretty deeply.
>> The only things I change in NS are things that improve anonymity & 
>> security, not hurt them.  Just like many experienced Tor users do.
>>
>> Of course, anything is "possible."  Tor Project has already made the 
>> changes to Firefox that I'd be interested in changing, if they 
>> weren't already.
>> You said it's adjusting important settings.
>> If you or others can give me typical things to look at.  I'll capture 
>> before & after lists (TBB or NS prefs in about:config, or what ever) 
>> to find what it's objecting to.
>> I don't let NS allow scripts globally for any tracker & their brother 
>> track me.
>>
>> I'll be honest - I've never seen resetting to default change 
>> anything, anywhere.  If I know where to look, it'll save me some time.
>>
>> I don't allow setting cookies unless necessary AND I trust the site.
>> The only addon I have is uBlock Origin.  I'm pretty sure uBo isn't 
>> changing Tor browser settings - to be *less* secure or private.  
>> Maybe the reverse of that.
>>
>> Still, I'd like to know what it is & maybe pursue a fix. Without some 
>> ad blocker (that isn't itself a tracker), quite a few sites load so 
>> slowly, it's almost not worth it.
>> News sites are crazy over run w/ ads that just keep coming.
> No one replied (yet) on "these are the main things that clicking 
> _Restore Default Settings_ under TorBrowser Security Settings will 
> change."
> I'm not sure if this data is a guarded secret or this list just has 
> few knowledgeable users or project employees to discuss it.
> So did some comparison of before / after in NoScript and TorBrowser 
> settings in about:config prefs - looking at which user set prefs 
> changed, if any.
>
> So far, I found resetting to default security settings (when the 
> security slider = Low), causes
> * NoScript is reset to allow all scripts globally and
> * NoScript - Advanced/HTTPS/Permissions -  re-enables "Allow HTTPS 
> scripts globally on HTTPS documents" which is the about:config pref: 
> noscript.globalHttpsWhitelist; (True if checked to allow in NS).
>
> I found no other changes.  I repeated the process of disabling those 2 
> options and looking at TBB security settings.
> Each time I unchecked the 2 NS options, TBB warned of "unusual 
> security settings."
> "For your security and privacy reasons, we recommend you choose one of 
> the default security levels."  Even the low security level?
>
> I can install a clean TBB version & make the change to "remember my 
> browsing & download history," but not allow 1st or 3rd party cookies 
> and see if the same warning shows.
>
> If TBB / Tor Button is actually coded to say that allowing 100% of all 
> scripts leads to better security, the message's wording probably needs 
> revision.
> The quite old FAQ 
> https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled, says
> "if you disable JavaScript by default but then allow a few websites to 
> run scripts (the way most people use NoScript), then your choice of 
> whitelisted websites acts as a sort of cookie that makes you 
> recognizable (and distinguishable), thus harming your anonymity."
>
> First, it presumes users make *permanent* JS exceptions for some 
> sites, rather than temporary ones that are deleted after closing a tab 
> or when browser closes.
> It seems to presume that users allowing some scripts don't close tabs 
> or clear any data before going to other sites.
> The FAQ (probably 10+ yrs old) pro vs. con seems outdated.  Today, 
> allowing "all scripts, all the time" allows sites & trackers (thus, 
> allowing users' national governments)  to gather so much more info 
> about their activities & machine than temporarily white listing a few 
> sites in NoScript ever would.  Factor in revoking script permissions 
> upon leaving a site and selective temporary scripts exceptions are 
> even less damaging.
>
> The amount of data that sites, trackers and adversaries can and do 
> gather is so much greater with *all scripts allowed always,* it's 
> probably not a close comparison to selective, temporary whitelisting 
> of select scripts.
> Not to mention the increased security threat of globally allowing scripts.
>
> I personally don't permanently white list anything in TorBrowser.