[tor-talk] TBB "Security Level" Question.

joebtfsplk at gmx.com joebtfsplk at gmx.com
Thu Feb 13 20:07:20 UTC 2020


Reading documents like https://tb-manual.torproject.org/ answers a lot
of questions for newer TBB users.  Also, just as Firefox changes
constantly, TBB has ongoing changes.

On 2/8/20 3:53 PM, mimble9 at danwin1210.me wrote:
> My impression is that the "Security Level" (standard, safer, safest) has
> somewhat replaced NoScript.
I don't think that's true.  If you read the differences in the TBB
safety levels, it's fairly specific.  As for safety levels replacing NS,
there may be *some* overlap.

Forgetting JS for a moment, there are many things NS does that don't
involve JS, that are worth using, even if JS is turned on in NS by default.
> NoScript is still an add-on but the icon does not appear as standard at
> the top of the browser as used to be the case. Also, the preset
> customization for "default" sites is to allow everything (except ping).
Where does the NS icon appear for you?  The icon itself looks much the
same as in the 1st quantum version.  It used to be placed to the left of
URL bar - maybe still is, in a fresh install.  I always move it to the
right of the search bar.
> In terms of TBB's "Preferences / Privacy and Security" section, many sites
> will not work unless the "standard" setting is chosen. Are there any
> serious security ramifications of "standard" that can undermine the TBB
> and thus acquire the user's real IP?
The Safe, Safer or Safest levels have nothing to do with exit nodes used
by TBB.  The addresses of the exit nodes determine the IPa that sites
see, not java scripts.  Choose a different exit node, get a new IPa
(from Tor network exits).

Under "Learn More" or Advanced Security Settings, under Security Levels,
the Safer level says,
"Disables website features that are often dangerous, causing some sites
to lose functionality."

"JavaScript is disabled on non-HTTPS sites. Some fonts and math symbols
are disabled. Audio and video (HTML5 media), and WebGL are click-to-play."

It doesn't say if that's every feature it disables.
True, many sites won't work completely unless at least (some or all,
depending) of the scripts for the 1st level domain are allowed.  For
certain content on a given site, some 3rd party scripts must be enabled.

It depends on what content you want to see & its format, its source -
from 1st or 3rd party, etc. For instance, if you're reading plain text
or HTML, JS is generally not needed.
> I assume not or what would be the point of the TBB? I imagine that browser
> components that might be dangerous in a normal Firefox won't necessarily
> be operational in a hardened TBB. Hence, "standard" (which includes JS,
> WebGL, etc) is not a problem.
For one very big thing, TBB (and Tor and how the Tor network functions),
unhardened Firefox gives out much more info than TBB - even if TBB is on
Safe level.
It hides your true IP address, if users don't install certain addons
that sometimes may leak your true IPa.

It spoofs a lot of info given out in normal browsers, so the spoofed
data is the same for all TBB users.  Other data shown by browsers, TBB
may not give out at all.


>
> Could someone e.g. Roger please clarify this fact. It does feel a bit odd
> using sites with JS, etc, freely working whereas in my non-TBB Firefox, I
> have to constantly allow NoScript to "temporarily trust" most sites.
>
> Thank you.
>


