add Tor Browser first startup popup to ask whether security slider should be set to safest

Work on SecBrowser inspired me.

We could have a copy of /usr/bin/torbrowser (by Whonix developers):

  • desktop file (start menu entry)
  • a wrapper around /usr/bin/torbrowser (called /usr/bin/hardened-torbrowser or so) that sets an environment variable TBB_HARDENING=true or so which then results in copying the settings file which sets the security slider to the highest setting by default.

Users could choose in start menu:

  • [1] maximum security Tor Browser (AnonDist), and
  • [2] maximum usability Tor Browser (AnonDist).

Currently there is only one start menu entry [3] Tor Browser (AnonDist).

Above three names are awful. AnonDist never really took off. But for legal reasons we must somehow make clear that this starter

is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

Better naming suggestions for the start menu entries welcome!

One goal is, [1] should start with an earlier alphabetic letter than [2] so it is higher placed in start menu.

As for the actual settings file, how to technically implement this, what kind of settings file would be required for this is not known yet. See this post and thread for discussion: SecBrowser: A Security-hardened, Non-anonymous Browser

Reference Security Slider:

Implementation is still unclear to me.

The problem is, there is probably little point to alternate in a single VM from [1] to [2] and vice versa. In theory, ever starting [2] in the same VM messed up the “theoretic security level” of that VM (or at least of that browser profile).

approach [A]:

two distinct folders

  • ~/.tb/tor-browser
  • ~/.tb/hardened-tor-browser

Wasteful in disk space.

Not messing up “theoretic security level” of that browser profile (assumes AppArmor would contain it) but of the VM.

approach [B]:

  • Once [1] was ever started, set a state file which prevents [2] from ever starting to avoid mistakes?
  • Once [1] was ever started, remove start menu entry for [2]?

And vice versa?

  • Once [2] was ever started, set a state file which prevents [1] from ever starting to avoid mistakes?
  • Once [2] was ever started, remove start menu entry for [1]?

Will the security level be locked, or could the user still change it? If unlocked, and those are only defaults, the user could lower the slider of the “security focused” to the lowest level when he moves to a site that requires it, or change the slider of the “usability focused” to the highest, instead of moving from one browser to another (read: the distinction between the browsers is too easy for the user to break by mistake). If changed, will the last state be saved? If so, then the names won’t mean much anymore. If it won’t, we change the functionality of Tor Browser.

I think changing menu items or blocking them based on first click may seem peculiar (where did this menu item go? I am sure it was here just a second ago…).

I never understood the Tor browser naming in Whonix. In the menu, we have both “Web Browser (browse the web)” and “Tor Browser (Anondist)”. At the task bar it’s “Web Browser (browse the web)”. The window caption in both cases is “Tor Browser”.

Indeed this would cause some concerned confusion.

Not locked. User could still change. I don’t intend to add restrictions or any modifications inside Tor Browser.

  • artificial restrictions are bad
  • not easy to implement; even if I wanted to, I am not sure I could implement it in reasonable time

I see. So someone who started [1], changes settings and then starts [1] again might expect being back to maximum security settings, which would not be the case.

On reflection the two start menu entries approach seems weird indeed.


It’s explained in the original post.

approach [C]:

  • Keep the usual singular start menu entry for Tor Browser but on first start of Tor Browser ask the user something like this (wording suggestion welcome):

Window title:

First start of Tor Browser (AnonDist) - Security vs Usability Trade-off

Window content:

Would you like to start Tor Browser with its security slider setting set to maximum?

This would provide better security at the expense of worse usability.




[default no]

I will edit this post with better text. Will lend/rewrite text from https://www.whonix.org/wiki/Tor_Browser#Security_vs_Usability_Trade-off

Disadvantage: this question could be nagging in Qubes-Whonix DispVMs. For partial relief, see below.

It would be very easy (and would definitely be implemented) to allow users to preseed (answer preemptively) this question with a setting that could be put into a drop-in config file.

Excellent feature in my opinion, assists in remembering to take care of this option when setting up a new VM.

Whonix Browser? We’ve already decided that the Whonix brand is exclusively anonymity related and so we’re not putting it on any hardened (but non-anonymous) products’ labels. The homepage disclaimer should then cover the warranty disclaimer stuff.

Since we are not modifying the core code or functionality in any way I don’t think we should go the extra mile of new icons for this version, unlike SecBrowser.

Thanks to @0brand, who figured that out in this post: TODO research and document - How to use Tor Browser for security not anonymity? How to use TBB using clearnet? …

… this is now implemented.

And will come later through upgrades.


First Start of Tor Browser (AnonDist) - Security vs Usability Trade-off

In the stock Tor Browser configuration, JavaScript is enabled by default for greater usability. The Tor Project provides a rationale for this decision.

The producers of Tor Browser decided that the security slider be set to “Standard” by default. Quote from the Tor Browser Manual:

You can further increase your security by choosing to disable certain web features that can be used to attack your security and anonymity. You can do this by increasing Tor Browser’s Security Settings in the shield menu. Increasing Tor Browser’s security level will stop some web pages from functioning properly, so you should weigh your security needs against the degree of usability you require.

This popup question does not restrict your freedom to change security slider settings at any time.

Responsible for this popup question is Tor Browser Starter by Whonix developers. It is a usability feature, which might break in future. Therefore the user is advised to verify that the security slider has the expected setting. Please donate!


It is possible to avoid this popup question by preseeding the answer to it. For that, create a file /etc/torbrowser.d/50_user.conf with the following contents, if you want to answer “Yes”.

Or if you want to answer “No”.

Technical Details:

This script is: /usr/bin/torbrowser
Function: tb_security_slider
All this would do is copy the file /usr/share/torbrowser/security-slider-highest.js to /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js.
cp /usr/share/torbrowser/security-slider-highest.js /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

Set Tor Browser Security Slider to Safest?

Perhaps the following deserves another thread but this is still somewhat related.

Increased security may also include disabling resize of Tor Browser. Is it something that can be included here or considered modifications inside Tor Browser?

Indeed. Should be reported to, and fixed upstream in Tor Browser.
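
The first-start decision described under "Technical Details" above, sketched as an added example (not the code of /usr/bin/torbrowser): a preseeded answer from the drop-in directory wins, otherwise the popup answer is used with default "no", and only a "yes" copies the slider file to user.js. The key name `example_slider_safest` is a placeholder because the page does not show the real setting name; parsing the files as data instead of sourcing them, and letting later files override earlier ones, are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not the code of /usr/bin/torbrowser.
# "example_slider_safest" is a placeholder key; the real setting name is not on the page.

# Print the preseeded answer ("yes" or "no") found in drop-in dir $1, or nothing.
# Files are read in lexical order and later files win (assumption).
# Lines are parsed as data and never sourced, so a config file cannot run commands.
preseed_answer() {
    answer=""
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # Accept only an exact "key=true" or "key=false" line; anything else is ignored.
        v=$(sed -n -E \
            's/^[[:space:]]*example_slider_safest=(true|false)[[:space:]]*$/\1/p' \
            "$f" | tail -n 1)
        case "$v" in
            true)  answer="yes" ;;
            false) answer="no" ;;
        esac
    done
    printf '%s' "$answer"
}

# Decide and apply on first start. Prints "applied" or "skipped".
#   $1 = drop-in config dir      (page: /etc/torbrowser.d)
#   $2 = slider settings file    (page: /usr/share/torbrowser/security-slider-highest.js)
#   $3 = browser profile dir     (page: .../Data/Browser/profile.default)
#   $4 = answer given in the popup, used only if nothing is preseeded (default "no")
slider_first_start() {
    answer=$(preseed_answer "$1")
    [ -n "$answer" ] || answer="${4:-no}"
    if [ "$answer" = "yes" ] && [ -f "$2" ] && [ -d "$3" ]; then
        cp -- "$2" "$3/user.js" && { printf 'applied'; return 0; }
    fi
    printf 'skipped'
}

# Example call with the paths named on the page (popup answer passed as $4):
# slider_first_start /etc/torbrowser.d \
#     /usr/share/torbrowser/security-slider-highest.js \
#     /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default \
#     no
```

Because the drop-in directory decides a security setting without asking, it should be writable only by root.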

