OK - will add those points soon.
We could probably add entr0py’s recommendation to:
- Store all login credentials and passwords in an offline vault VM (in a password manager?), and only use Qubes’ secure cut and paste into Tor Browser.
Also:
- Select ‘ClearClick’ and ABE (Application Boundaries Enforcer) protections in NoScript, which are not enforced under default TB settings (due to some known bugs on certain websites);
- Never type directly into Tor Browser to avoid typing profiling, i.e. use a text editor in an offline VM and cut and paste into Tor Browser; and
- Run Tor Browser in the highest security slider position and only sparingly allow JavaScript for trusted sites**
I think the last two points are already mentioned somewhere in the documentation.
** Analysis of the SVG exploit just patched in Firefox shows this would have provided protection against exploitation.