[tor-talk] Tor Browser Security Settings warning
Joe
joebtfsplk at gmx.com
Thu Jul 5 01:35:59 UTC 2018
On 04/08/2018 05:12 PM, Joe wrote:
> On 04/05/2018 11:34 PM, Joe wrote:
>> On 04/05/2018 06:19 AM, Georg Koppen wrote:
>>>
>>> A safe thing to do would be downloading a clean, new Tor Browser from
>>> our website and start over again (maybe exporting the bookmarks from the
>>> currently used Tor Browser and importing them in the newly downloaded one).
>>>
>>> Georg
Georg (or anyone),
I D/L TBB 7.5.6 Linux & verified w/ GPG.
Installed to new directory as you suggested.
After the clean install, Torbutton Security didn't show a msg about
"unusual security settings."
As most know, TBB ships w/ NoScript set to allow all scripts globally
(which NoScript warns as "Dangerous").
I changed NS to deny scripts globally, as many experienced users do (in
TBB and other browsers).
Like many, I don't allow NS to "cascade top document's permissions to
3rd party scripts," under Advanced > Trusted. [for newer users, "top
document's permissions" (the target web page's permissions) means what
ever scripts or permissions you allowed for your target site, any & all
3rd parties then have the same permissions]. Which could be very
dangerous if a site is hacked with malicious scripts & NoScript says,
"Come on in!"
Under NoScript Advanced > HTTPS, I UNcheck, "Allow HTTPS scripts
globally on HTTPS documents," because there's generally no reason to
allow *ALL* 3rd party trackers' or hackers' HTTPS scripts, but plenty of
reasons not to.
Now Torbutton > Security Settings shows the "unusual security settings"
message, "for security and privacy reasons," as if these settings are
more dangerous than the defaults.
When I click Torbutton's Restore Default Settings, the only thing I find
it resets is NoScript to allow scripts globally, under the whitelist
tab. AFAIK, it doesn't change any (other) NoScript settings, or
about:config prefs & nothing under TBB Preferences > Privacy.
It appears that Torbutton thinks allowing scripts globally is a safer
way to go.
>>>
>> Hey Georg,
>> What kinds of things in NoScript is the "restore default settings"
>> changing? I've never seen that restoring default changed anything
>> there, and I've looked pretty deeply.
>> The only things I change in NS are things that improve anonymity &
>> security, not hurt them. Just like many experienced Tor users do.
>>
>> Of course, anything is "possible." Tor Project has already made the
>> changes to Firefox that I'd be interested in changing, if they
>> weren't already.
>> You said it's adjusting important settings.
>> If you or others can give me typical things to look at, I'll capture
>> before & after lists (TBB or NS prefs in about:config, or what ever)
>> to find what it's objecting to.
>> I don't let NS allow scripts globally for any tracker & their brother
>> track me.
>>
>> I'll be honest - I've never seen resetting to default change
>> anything, anywhere. If I know where to look, it'll save me some time.
>>
>> I don't allow setting cookies unless necessary AND I trust the site.
>> The only addon I have is uBlock Origin. I'm pretty sure uBo isn't
>> changing Tor browser settings - to be *less* secure or private.
>> Maybe the reverse of that.
>>
>> Still, I'd like to know what it is & maybe pursue a fix. Without some
>> ad blocker (that isn't itself a tracker), quite a few sites load so
>> slowly, it's almost not worth it.
>> News sites are crazy overrun w/ ads that just keep coming.
> No one replied (yet) on "these are the main things that clicking
> _Restore Default Settings_ under TorBrowser Security Settings will
> change."
> I'm not sure if this data is a guarded secret or this list just has
> few knowledgeable users or project employees to discuss it.
> So I did some comparison of before / after in NoScript and TorBrowser
> settings in about:config prefs - looking at which user set prefs
> changed, if any.
>
> So far, I found resetting to default security settings (when the
> security slider = Low), causes
> * NoScript is reset to allow all scripts globally and
> * NoScript - Advanced/HTTPS/Permissions - re-enables "Allow HTTPS
> scripts globally on HTTPS documents" which is the about:config pref:
> noscript.globalHttpsWhitelist; (True if checked to allow in NS).
>
> I found no other changes. I repeated the process of disabling those 2
> options and looking at TBB security settings.
> Each time I unchecked the 2 NS options, TBB warned of "unusual
> security settings."
> "For your security and privacy reasons, we recommend you choose one of
> the default security levels." Even the low security level?
>
> I can install a clean TBB version & make the change to "remember my
> browsing & download history," but not allow 1st or 3rd party cookies
> and see if the same warning shows.
>
> If TBB / Tor Button is actually coded to say that allowing 100% of all
> scripts leads to better security, the message's wording probably needs
> revision.
> The quite old FAQ
> https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled, says
> "if you disable JavaScript by default but then allow a few websites to
> run scripts (the way most people use NoScript), then your choice of
> whitelisted websites acts as a sort of cookie that makes you
> recognizable (and distinguishable), thus harming your anonymity."
>
> First, it presumes users make *permanent* JS exceptions for some
> sites, rather than temporary ones that are deleted after closing a tab
> or when browser closes.
> It seems to presume that users allowing some scripts don't close tabs
> or clear any data before going to other sites.
> The FAQ (probably 10+ yrs old) pro vs. con seems outdated. Today,
> allowing "all scripts, all the time" allows sites & trackers (thus,
> allowing users' national governments) to gather so much more info
> about their activities & machine than temporarily white listing a few
> sites in NoScript ever would. Factor in revoking script permissions
> upon leaving a site and selective temporary scripts exceptions are
> even less damaging.
>
> The amount of data that sites, trackers and adversaries can and do
> gather is so much greater with *all scripts allowed always,* it's
> probably not a close comparison to selective, temporary whitelisting
> of select scripts.
> Not to mention the increased security threat of globally allowing scripts.
>
> I personally don't permanently white list anything in TorBrowser.
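The before/after comparison of user-set prefs described in this thread can be automated by snapshotting the profile's prefs.js before and after clicking Restore Default Settings and diffing the two. The script below is an added example written for this post, not code from Tor Project, Torbutton or NoScript. The two prefs.js snapshots are constructed samples; noscript.globalHttpsWhitelist is the pref named in the thread, noscript.global is assumed to be the classic NoScript pref for "allow scripts globally", and example.constructed.pref is a made-up name to show a pref that disappears from the after snapshot.

```python
import re
import sys
from typing import Dict, Optional, Tuple, Union

PrefValue = Union[bool, int, str]

# Matches one line of a Firefox / Tor Browser prefs.js file, e.g.
#   user_pref("noscript.globalHttpsWhitelist", true);
# Comment lines ("// Mozilla User Preferences") and blank lines do not match.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(raw: str) -> PrefValue:
    """Convert the raw value text of a user_pref() line to a Python value.

    prefs.js stores booleans as true/false, integers bare, and strings
    double-quoted with \\" and \\\\ escapes.
    """
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {pref name: value} for every user_pref() line in a prefs.js."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def diff_prefs(before_text: str, after_text: str) -> Dict[str, Tuple[Optional[PrefValue], Optional[PrefValue]]]:
    """Return {pref name: (before, after)} for prefs whose user value changed.

    None on either side means the pref was not user-set in that snapshot,
    i.e. it was at the browser's built-in default.
    """
    before = parse_prefs(before_text)
    after = parse_prefs(after_text)
    changes = {}
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            changes[key] = (before.get(key), after.get(key))
    return changes


# Constructed sample snapshots, not copied from a real profile.
# noscript.global is assumed to be the classic NoScript "allow scripts globally" pref.
BEFORE = """// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:tor");
user_pref("noscript.global", false);
user_pref("noscript.globalHttpsWhitelist", false);
user_pref("example.constructed.pref", 3);
"""

AFTER = """// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:tor");
user_pref("noscript.global", true);
user_pref("noscript.globalHttpsWhitelist", true);
"""


def main(argv) -> None:
    # Usage: python prefsdiff.py before/prefs.js after/prefs.js
    # With no arguments the constructed samples above are compared.
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as f1, open(argv[2], encoding="utf-8") as f2:
            changes = diff_prefs(f1.read(), f2.read())
    else:
        changes = diff_prefs(BEFORE, AFTER)
    for key, (old, new) in changes.items():
        print(f"{key}: {old!r} -> {new!r}")


if __name__ == "__main__":
    main(sys.argv)
```

Copy prefs.js out of the Tor Browser profile directory while the browser is closed, once before and once after the reset, so the file reflects everything the browser has flushed to disk; prefs that were user-set before but vanish afterwards show up with None on the right-hand side, which is how a reset to a built-in default appears in this format.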