Feature #11417

Default torbutton security slider to "Medium-High"

Added by bdwong over 3 years ago. Updated about 3 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 05/14/2016
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter: Yes
Affected tool: Browser

Description

In #10481, a user requested that JS be off by default. The response was that enabling it was considered a middle ground between security and usability.

But with the existence of Tor exit-nodes which inject malicious JS into clear-text HTTP sessions, this is still a serious concern on non-HTTPS.

Torbutton's "Medium-High" setting includes among other things disabling JS on non-HTTPS connections and disabling JS optimizations that could be attack vectors. This seems like an even better compromise towards security than making the default be "Low". Current sites tend to use HTTPS-encryption and would not be affected by this setting.

Persisting the setting is a separate feature request in #9700. This request is related but not the same; this request is to change the non-persisted default.

Making this change should include some testing of popular websites. My testing shows that it does work very well today.


Related issues

Related to Tails - Feature #9700: Persistence preset: Tor Browser security slider setting In Progress 07/07/2015
Duplicated by Tails - Feature #11883: consider setting the privacy slider to medium-high by default as a compromise between security and convenience Duplicate 10/20/2016

History

#1 Updated by intrigeri over 3 years ago

> Making this change should include some testing of popular websites. My testing shows that it does work very well today.

It does break stuff for me, and without any kind of feedback explaining why stuff is broken, and how to fix it.

#2 Updated by sajolida over 3 years ago

Do you think that Tails should behave differently than Tor Browser in this aspect? If so why?

#3 Updated by bdwong over 3 years ago

sajolida wrote:

> Do you think that Tails should behave differently than Tor Browser in this aspect? If so why?

I don't use the stand-alone Tor Browser normally. Though it saves settings in the way requested in #9700 so users can save whatever they want across sessions.

If Tor Browser starts out with JS enabled for HTTP clearnet-sites, then it also exposes users to malicious exit-node activity.

This sounds like something better to have more-secure by default and documented how to loosen restrictions. ("Temporarily allow all this page" in the noscript-icon is easy to select when needed. It allows JS on a whole site for the current session.)

#4 Updated by sajolida over 3 years ago

  • Related to Feature #9700: Persistence preset: Tor Browser security slider setting added

#5 Updated by sajolida over 3 years ago

> Though it saves settings in the way requested in #9700 so users can save whatever they want across sessions.

You're right and I think that the real issue here is #9700 that would
allow to make this setting persistent.

But I personally see no reason to diverge from the default from Tor
Browser otherwise.

> If Tor Browser starts out with JS enabled for HTTP clearnet-sites, then it also exposes users to malicious exit-node activity.

That's equally true for Tor Browser outside of Tails. For example, I bet
that very few people move the security slider up, especially less
tech-savvy people (journalists, human-rights folks around the world).

So if this default is bad, then it's bad for everybody and the
discussion should take place upstream in Tor Browser. I didn't search
the Tor trac but I bet that this has been discussed already.

> This sounds like something better to have more-secure by default and documented how to loosen restrictions.

It's better from a security point of view but not from a UX point of
view because here we have no way of explaining to the user through the
interface that something that is not working as expected on their
favorite website comes from this setting.

The example that you give from NoScript goes in my direction: NoScript
actually has such a mechanism through the "Temporarily allow all this
page" pop-up but in Tor Browser we don't. The setting in Tor Browser is
transparent (it doesn't "appear" while you are browsing and facing the
issue) and global (you can't select on which pages to be "medium-high"
and on which pages to be "low").

So I'm against changing this by default and would rather work on #9700.

#6 Updated by intrigeri about 3 years ago

  • Status changed from New to Rejected

> This sounds like something better to have more-secure by default and documented how to loosen restrictions.

> It's better from a security point of view but not from a UX point of view because here we have no way of explaining to the user through the interface that something that is not working as expected on their favorite website comes from this setting.

> The example that you give from NoScript goes in my direction: NoScript actually has such a mechanism through the "Temporarily allow all this page" pop-up but in Tor Browser we don't. The setting in Tor Browser is transparent (it doesn't "appear" while you are browsing and facing the issue) and global (you can't select on which pages to be "medium-high" and on which pages to be "low").

Absolutely. Ideally Firefox itself would block the most dangerous code paths by default, and give feedback + a way to opt-out whenever something is blocked. FWIW I've pointed someone I know (who works on the Mozilla / Firefox security) to this topic and they're interested to work on this. Fingers crossed!

> So I'm against changing this by default and would rather work on #9700.

ACK, closing. We can revisit if there's no progress on #9700 in a while.

#7 Updated by intrigeri almost 3 years ago

  • Duplicated by Feature #11883: consider setting the privacy slider to medium-high by default as a compromise between security and convenience added
