Feature #11417

Default torbutton security slider to "Medium-High"

Added by bdwong 2016-05-14 13:58:06. Updated 2016-07-16 08:20:23.

Status: Rejected
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2016-05-14
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter: 1
Affected tool: Browser
Deliverable for:

Description

In Bug #10481, a user requested that JS be off by default. The response was that enabling it was considered a middle ground between security and usability.

But with the existence of Tor exit-nodes which inject malicious JS into clear-text HTTP sessions, this is still a serious concern on non-HTTPS.

Torbutton’s “Medium-High” setting includes among other things disabling JS on non-HTTPS connections and disabling JS optimizations that could be attack vectors. This seems like an even better compromise towards security than making the default be “Low”. Current sites tend to use HTTPS-encryption and would not be affected by this setting.

Persisting the setting is a separate feature request in Feature #9700. This request is related but not the same: this request is to change the non-persisted default.

Making this change should include some testing of popular websites. My testing shows that it does work very well today.



Related issues

  • Related to Tails - Feature #9700: Persistence preset: Tor Browser security level | In Progress | 2015-07-07
  • Has duplicate Tails - Feature #11883: consider setting the privacy slider to medium-high by default as a compromise between security and convenience | Duplicate | 2016-10-20

History

#1 Updated by intrigeri 2016-05-14 15:18:24

> Making this change should include some testing of popular websites. My testing shows that it does work very well today.

It does break stuff for me, and without any kind of feedback explaining why stuff is broken, and how to fix it.

#2 Updated by sajolida 2016-05-15 11:10:47

Do you think that Tails should behave differently than Tor Browser in this aspect? If so why?

#3 Updated by bdwong 2016-05-15 12:29:31

sajolida wrote:
> Do you think that Tails should behave differently than Tor Browser in this aspect? If so why?

I don’t use the stand-alone Tor Browser normally. Though it saves settings in the way requested in Feature #9700 so users can save whatever they want across sessions.

If Tor Browser starts out with JS enabled for HTTP clearnet-sites, then it also exposes users to malicious exit-node activity.

This sounds like something better to have more-secure by default and documented how to loosen restrictions. (“Temporarily allow all this page” in the noscript-icon is easy to select when needed. It allows JS on a whole site for the current session.)

#4 Updated by sajolida 2016-05-16 08:32:56

  • related to Feature #9700: Persistence preset: Tor Browser security level added

#5 Updated by sajolida 2016-05-16 08:43:18

> Though it saves settings in the way requested in Feature #9700 so users can save whatever they want across sessions.

You’re right and I think that the real issue here is Feature #9700 that would
allow to make this setting persistent.

But I personally see no reason to diverge from the default from Tor
Browser otherwise.

> If Tor Browser starts out with JS enabled for HTTP clearnet-sites, then it also exposes users to malicious exit-node activity.

That’s equally true for Tor Browser outside of Tails. For example, I bet
that very few people move the security slider up, especially less
tech-savvy people (journalists, human-rights folks around the world).

So if this default is bad, then it’s bad for everybody and the
discussion should take place upstream in Tor Browser. I didn’t search
the Tor trac but I bet that this has been discussed already.

> This sounds like something better to have more-secure by default and documented how to loosen restrictions.

It’s better from a security point of view but not from an UX point of
view because here we have no way of explaining to the user through the
interface that something that is not working as expected on their
favorite website comes from this setting.

The example that you give from NoScript goes in my direction: NoScript
actually has such a mechanism through the “Temporarily allow all this
page” pop-up but in Tor Browser we don’t. The setting in Tor Browser is
transparent (it doesn’t “appear” while you are browsing and facing the
issue) and global (you can’t select on which pages to be “medium-high”
and on which pages to be “low”).

So I’m against changing this by default and would rather work on Feature #9700.

#6 Updated by intrigeri 2016-07-16 08:20:23

  • Status changed from New to Rejected

>> This sounds like something better to have more-secure by default and documented how to loosen restrictions.

> It’s better from a security point of view but not from an UX point of view because here we have no way of explaining to the user through the interface that something that is not working as expected on their favorite website comes from this setting.

> The example that you give from NoScript goes in my direction: NoScript actually has such a mechanism through the “Temporarily allow all this page” pop-up but in Tor Browser we don’t. The setting in Tor Browser is transparent (it doesn’t “appear” while you are browsing and facing the issue) and global (you can’t select on which pages to be “medium-high” and on which pages to be “low”).

Absolutely. Ideally Firefox itself would block the most dangerous code paths by default, and give feedback + a way to opt-out whenever something is blocked. FWIW I’ve pointed someone I know (who works on the Mozilla / Firefox security) to this topic and they’re interested to work on this. Fingers crossed!

> So I’m against changing this by default and would rather work on Feature #9700.

ACK, closing. We can revisit if there’s no progress on Feature #9700 in a while.

#7 Updated by intrigeri 2016-10-24 10:47:24

  • has duplicate Feature #11883: consider setting the privacy slider to medium-high by default as a compromise between security and convenience added