[tor-talk] Tor Browser Suggestions
tor_suggestions at hushmail.com
Thu Dec 11 21:15:38 UTC 2014
I have some suggestions for changes to make to future Tor Browser releases to make Tor more secure. If this is not the correct email address to contact about this, please either forward it to the correct address and/or tell me who to be in touch with. Thanks!

I am not an expert on this, and some of my suggestions may be pointless or even harmful, but I think that at least some of them would be beneficial changes to Tor Browser.

The most important thing is to enable NoScript ("Forbid Scripts Globally"). I'm sure this has been considered, and declined thus far due to the fact that it makes some websites less usable. However, JavaScript exploits have been used to identify people, in some cases negating the benefits of Tor entirely. If someone really needs scripts, they can easily allow scripts globally or temporarily allow whatever they need. I strongly believe that the benefits of disabling scripts by default would far outweigh the detriments.

I would also suggest disabling cookies (Edit>Preferences>Privacy). The default setting 'never remember history' allows cookies. Of course, the same issue arises that it makes some websites less usable, and with safe browsing habits, cookies are less of a threat than scripts, so it's not as important as enabling NoScript by default, but I believe it is still worth giving heavy consideration to.

Those are the most obvious, and some of the most controversial, changes that I think should be made, though there are also some smaller things that have probably been overlooked entirely.

Currently, Tor Browser allows websites to read fonts that a user has installed on their computer. This helps an adversary to uniquely fingerprint the Tor user. There is essentially no reason not to disable this. To disable it, change the about:config setting gfx.downloadable_fonts.enabled to false.

Tor Browser currently sends referrer headers which can be used to link together various websites that a user accesses. The referrer headers can be disabled entirely by changing the about:config settings network.http.sendRefererHeader to 0 and network.http.sendSecureXSiteReferrer to false. Alternatively, an add-on such as RefControl could be used to spoof the referrer header, eliminating any issues that would arise from disabling referrer headers entirely.

I think there is also reason to be concerned about DOM storage. I'm not too familiar with it, but it seems that it could present the same risks as cookies. It can be disabled in about:config by changing dom.storage.enabled to false and dom.storage.default_quota to 0. So far I have never run into any problems with DOM storage disabled, so I don't see any reason not to, but I don't know much about it, so maybe there is something I am overlooking.

I would also suggest changing NoScript settings under "Embeddings". "Ask for confirmation before temporarily unblocking an object" should be checked; it's only a minor inconvenience and prevents users from unintentionally allowing objects that may compromise their identity. I would also disable all embeddings (Java, Flash, etc.). Of course it makes some web pages less usable, but as with disabling scripts entirely, I believe the security benefits outweigh the inconvenience, seeing as Tor is designed specifically for secure, anonymous browsing.

Everything mentioned above is what I believe is most important to change. There are some other things that are either less important and/or that I am not as familiar with, that would be worth considering changing, which I'll mention below. I'm not as familiar with some of the settings listed below, so maybe there's some reason they are already set the way they are, but I think they are at least worth looking into.

I would enable NoScript>Appearance>Temporarily allow [...]. "Temporarily allow all this page" is already enabled, so it's not that big of a deal, and users can easily change it themselves, but I think it's still worth changing because in many cases a user may want to allow scripts only from one source.

I would also enable Edit->Preferences->Advanced->General->Warn me when websites try to redirect or reload the page. An inconvenience, but it could protect against unexpected and potentially malicious redirects.

You may want to enable the following NoScript settings. I'm not sure exactly what they are, but it appears that even sites explicitly marked as 'untrusted' are allowed to make use of some things that could compromise security.

NoScript>Advanced>Untrusted>Forbid bookmarklets
NoScript>Forbid META redirections inside elements

There are also a few more about:config settings that concern me somewhat.

network.http.use-cache is set to true. I don't know if there is any risk with this, but it may be safer to disable it.

browser.fixup.alternate.enabled is set to true. Again, I don't know if there is any risk. I just know that it attempts to 'fix' URLs; perhaps that could result in the browser redirecting to the wrong website?

capability.policy.maonoscript.javascript.enabled is set to allAccess. I don't know what this means, and it only appeared in about:config options very recently, but allAccess sounds suspicious.

extensions.torbutton.saved.geo_enabled is set to true. Again, I'm not sure what it means, and I haven't been able to find out after doing a web search. Anything related to geolocation being potentially enabled is reason for concern. Maybe this setting is harmless; I don't know what it does.

browser.geolocation.warning.infoURL is set to https://www.mozilla.org/%LOCALE%/firefox/geolocation/. To my understanding this is just related to warning users or something like that, so I doubt it's an issue, but anything related to geolocation that isn't completely disabled concerns me.

OCSP validation may be reason for concern. I know almost nothing about it, but another Tor user posted on a discussion board that having OCSP validation enabled (Edit>Preferences>Advanced>Certificates>Validation) presents a security risk. It seems to me that it validates certificates and could therefore be good, but I don't know. It's probably fine the way it is, but I'm mentioning it just because someone else expressed concern with it at one point.

Lastly, to ensure that some of the modifications work, the security test on ip-check.info is a good tool, though I assume you are aware of it. It's what I used to confirm that the about:config setting successfully disabled websites from viewing installed fonts. It could be useful to determine that certain changes made actually work and that they don't result in more problems.

Thank you for taking the time to read this and for considering implementing the aforementioned changes, and thank you for all of the work you put into developing and maintaining Tor and Tor Browser. I'm far from an expert on this subject, so some of my suggested changes are probably pointless, and some may even be harmful (if any are harmful, please let me know so I know not to make those changes in my own browser), but I believe that at least some of my suggestions (especially disabling scripts, fonts, and referrer headers) are very important changes to make in future releases of Tor Browser.
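The message above names several about:config preferences (fonts, referrer headers, DOM storage) and then mentions checking by hand whether the changes actually took effect. A practitioner would want to check that from the profile itself rather than from a web test. The following is an added example, not code from the poster or from the Tor Project: it parses the `user_pref("name", value);` lines of a Firefox-style prefs.js or user.js and reports which of the preferences the message lists are missing or differ from the values the message proposes. The expected values are taken from the message, not from any vetted hardening baseline, and the prefs.js content is a constructed sample.

```python
"""Audit a Firefox/Tor Browser prefs.js or user.js against expected about:config values.

Added example. EXPECTED holds the values proposed in the mailing-list message above;
it is not a reviewed hardening baseline. SAMPLE_PREFS is constructed, not a real profile.
"""
import re

# One preference per line: user_pref("name", value);
# value is a JavaScript literal: true/false, an integer, or a "string".
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$')


def _parse_value(raw):
    """Convert the literal on the right-hand side of user_pref() to a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    raise ValueError(f"unrecognised pref value: {raw!r}")


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line; comments and blanks are skipped."""
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "#", "/*", "*")):
            continue
        m = PREF_LINE.match(line)
        if not m:
            continue  # anything that is not a user_pref() call is ignored
        prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


# Preferences and values named in the message (hypothetical target values, as proposed there).
EXPECTED = {
    "gfx.downloadable_fonts.enabled": False,
    "network.http.sendRefererHeader": 0,
    "network.http.sendSecureXSiteReferrer": False,
    "dom.storage.enabled": False,
    "dom.storage.default_quota": 0,
}


def audit(prefs, expected=EXPECTED):
    """Return (name, status, actual, wanted) for each expected pref that is absent or differs.

    The type is compared as well as the value, so a boolean false is not accepted
    where an integer 0 is expected (Python would otherwise treat them as equal).
    """
    findings = []
    for name, want in expected.items():
        if name not in prefs:
            findings.append((name, "missing", None, want))
        elif type(prefs[name]) is not type(want) or prefs[name] != want:
            findings.append((name, "mismatch", prefs[name], want))
    return findings


# Constructed sample profile fragment: two prefs still at non-proposed values, one absent.
SAMPLE_PREFS = """\
// Mozilla User Preferences (constructed sample, not a real profile)
user_pref("gfx.downloadable_fonts.enabled", true);
user_pref("network.http.sendRefererHeader", 2);
user_pref("network.http.sendSecureXSiteReferrer", false);
user_pref("dom.storage.enabled", false);
user_pref("browser.geolocation.warning.infoURL", "https://www.mozilla.org/%LOCALE%/firefox/geolocation/");
"""

if __name__ == "__main__":
    for name, status, actual, wanted in audit(parse_prefs(SAMPLE_PREFS)):
        print(f"{status:8s} {name}: have {actual!r}, message proposes {wanted!r}")
```

To run it against a real profile, read the profile's prefs.js (or user.js) into a string and pass it to `parse_prefs()` in place of `SAMPLE_PREFS`; note that prefs.js only records preferences that differ from the build's defaults, so a preference that is absent from the file is at the default value, not necessarily at the proposed one.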