Noscript with Security Slider at Safest permits around 30 sites

awokd · September 18, 2019, 7:16pm

Saw a couple others report this in qubes-users, but wasn’t able to recreate at the time. However, today I am seeing the same thing. Have /etc/torbrowser.d/50_user.conf with tb_security_slider_safest=true in whonix-ws-15. DispVMs start correctly without a prompt and the slider showing Safest in toolbar and Firefox advanced security settings. However, looking at Noscript Settings/Per Site Permissions I see around 30 sites listed as trusted like googlevideo.com, netflix.com, outlook.com, etc. If I am reading the APT logs right, packages I had upgraded in whonix-ws-15 since my first test (that showed 0 sites) are:

xenstore-utils 2001:4.8.5-10+deb10u1
xen-utils-common 2001:4.8.5-10+deb10u1
tb-updater 3.12.8-1
libxenstore3.0 2001:4.8.5-10+deb10u1
libxen-4.8 2001:4.8.5-10+deb10u1
thunderbird 1:60.9.0-1~deb10u1

But I don’t know if that has anything to do with it. I am pretty sure Noscript is still the same version as when I was testing- 11.0.3. Changing the security slider to something else, then back to Safest results in 0 sites listed.

Patrick_mobile · September 19, 2019, 7:11am

Whonix source code doesn’t write literally googlevideo, netflix, outlook, etc. anywhere. It does not do anything to give special treatment to any websites.

By policy, for simplicity, clean implementation and whatnot, the “inside” of Tor Browser isn’t modified by Whonix. This is elaborated here:

Frequently Asked Questions - Whonix ™ FAQ

Therefore this is most likely an issue caused by Tor Browser.

Can you find these textual strings (such as netflix) in Tor Browser, noscript or noscript fork by Tor Browser (if that exists) source code or binary?

Could you please try to reproduce this issue with Tor Browser in Debian?

You might have to copy over the security slider maximum settings file.

Patrick · September 19, 2019, 8:06am

Tor Browser upstream issue. Bug report written just now.

wipe all mentions of netflix, paypal, youtube, … from noscript in Tor Browser

From noscript FAQ:

Q: What websites are in the default whitelist and why?

Q: What is a trusted site?

Patrick · September 19, 2019, 11:27am

noscript [feature request] environment variable to clear default whitelist

awokd · September 19, 2019, 12:24pm

Thank you for submitting that Noscript feature request. I know it’s not necessarily Whonix code where that list is coming from, but didn’t get how it was showing 0 sites a few days ago and now all 30, or why changing the slider to something else and back again also clears it.

awokd · September 19, 2019, 1:16pm

I wonder if it’s a timing issue- if Noscript finishes initializing before the slider gets changed by some other code it works right, but the other way around does not? I’ll dig in the Noscript code too, maybe there is some way we can pare down that list.

awokd · September 20, 2019, 12:05am

Still not sure why the timing or plugin load order would have changed, but I figured out a workaround. Noscript stores its settings in .tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/storage-sync.sqlite. Like you found, it loads these with default sites on first start. I dumped the sqlite DB at this point (attached as “defaultsqllite.txt”). I then toggled the slider to Safer and back to Safest to erase the list, and dumped the DB again (“cleansqlite.txt”). I then copied the clean storage-sync.sqlite to my whonix-ws-15 template and put it in /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default. Starting DispVMs now has an empty list, because Noscript doesn’t think it is doing a first start.

To automate this, we could dump a clean storage-sync.sqlite blob into master, but that would be irritating to maintain and audit. Would it be too much bloat to create that .sqlite on the fly at startup, using the statements from the “clean” file minus the https-everywhere-eff lines? That plugin should be able to initialize itself. The remaining statements may need occasional updates for new versions of Firefox or Noscript, but their internal upgrade logic should be able to interpret old data until the version difference gets too large.

Looks like it will only let me upload pictures here, not .txt. Should we take it to an issue?

Here are the relevant “default” lines anyways:

INSERT INTO collection_data VALUES('default/{73a6fe31-595d-460b-a920-fcc0f8843232}','key-policy','{"id":"key-policy","key":"policy","data":{"DEFAULT":{"capabilities":["frame","fetch","other"],"temp":false},"TRUSTED":{"capabilities":["script","object","media","frame","font","webgl","fetch","other"],"temp":false},"UNTRUSTED":{"capabilities":[],"temp":false},"sites":{"trusted":["§:addons.mozilla.org","§:afx.ms","§:ajax.aspnetcdn.com","§:ajax.googleapis.com","§:bootstrapcdn.com","§:code.jquery.com","§:firstdata.com","§:firstdata.lv","§:gfx.ms","§:google.com","§:googlevideo.com","§:gstatic.com","§:hotmail.com","§:live.com","§:live.net","§:maps.googleapis.com","§:mozilla.net","§:netflix.com","§:nflxext.com","§:nflximg.com","§:nflxvideo.net","§:noscript.net","§:outlook.com","§:passport.com","§:passport.net","§:passportimages.com","§:paypal.com","§:paypalobjects.com","§:securecode.com","§:securesuite.net","§:sfx.ms","§:tinymce.cachefly.net","§:wlxrs.com","§:yahoo.com","§:yahooapis.com","§:yimg.com","§:youtube.com","§:ytimg.com"],"untrusted":[],"custom":{}},"enforced":true,"autoAllowTop":false},"_status":"created"}');

And “clean”:

INSERT INTO collection_data VALUES('default/{73a6fe31-595d-460b-a920-fcc0f8843232}','key-sync','{"id":"key-sync","key":"sync","data":{"global":false,"xss":true,"cascadeRestrictions":true,"overrideTorBrowserPolicy":false,"clearclick":true,"storage":"sync"},"_status":"created"}');
INSERT INTO collection_data VALUES('default/{73a6fe31-595d-460b-a920-fcc0f8843232}','key-policy','{"id":"key-policy","key":"policy","data":{"DEFAULT":{"capabilities":["frame","other"],"temp":false},"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"UNTRUSTED":{"capabilities":["frame"],"temp":false},"sites":{"trusted":[],"untrusted":[],"custom":{}},"enforced":true,"autoAllowTop":false},"_status":"created"}');

Patrick · September 20, 2019, 10:40am

Too much inside browser modification. At least for now.

First of all, we need to get to the root of the issue.

Need to reproduce this on Debian and then reply to wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser (#31798) · Issues · Legacy / Trac · GitLab

Meanwhile it would be helpful to understand why those issues only happen in Whonix so far and get some steps to reproduce.

The reason is we can’t pile up more and more workarounds without even reporting the root causes to upstream.

awokd · September 20, 2019, 12:22pm

Having a more durable way to ask Noscript to first start cleanly would be nice.

I’m trying to reproduce in Debian 10. How did you bypass the connection wizard that comes up from torbrowser-launcher? I thought creating a torrc in the right place would do it.

Patrick · September 20, 2019, 12:24pm

specifically:

https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh

generally:

Patrick · September 20, 2019, 1:25pm

Some progress with reproduction on Debian was made:

Patrick · September 20, 2019, 2:19pm

Fixed in git.

https://github.com/Whonix/Whonix/commit/9fa062aafe9d3d8ad94aa6850225664f914174f0

Well, not really fixed since problematic code wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser (#31798) · Issues · Legacy / Trac · GitLab still exists in noscript and Tor Browser but put a band-aid on top so this race condition is no longer happening.

Now in Whonix developers repository. Will test more and migrate to other repositories soonish.

Patrick · September 20, 2019, 2:23pm

We don’t really understand the race condition yet either.

Somehow this isn’t an issue for SecBrowser even with local browser homepage.

Some combination of environment variables might be causing this.

Patrick · September 20, 2019, 2:27pm

Might be because I was testing with alpha version 9.0a6. So this might fix itself over time.

awokd · September 20, 2019, 8:07pm

so this race condition is no longer happening

Nice.

wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor Browser (#31798) · Issues · Legacy / Trac · GitLab

I might be missing something in the reproduction steps, but shouldn’t there be something in there about setting the security slider to safest?

Patrick_mobile · September 21, 2019, 3:11am

Not forgotten. It has nothing to do with it.

Well, maybe there is another bug, an additional race condition where Tor Browser starts without noscript whitelist and then moving the security slider causes enabling the noscript security slider whitelist.

awokd · September 21, 2019, 1:29pm

Thanks, I think I get it now. Had the impression that default whitelist was supposed to be there if Tor Browser was started with the slider on Standard.

I submitted Don't create default whitelist if running in Tor Browser · Issue #102 · hackademix/noscript · GitHub which rephrased the Noscript request a bit.

Patrick · October 5, 2019, 11:20am

torjunkie · December 2, 2019, 8:45pm

Problem is unfortunately not fixed in the DispVM context if NoScript updates are available. To test:

Launch Tor Browser in DispVM.
Set security slider to safest with Whonix tool prompt.
Update add-ons that are available.
Check NoScript preferences and note that 30+ sites are set in the NoScript whitelist following update, despite security slider set to ‘Safest’

Only way to fix this is to play with the slider again after add-on updates i.e. set to Standard, and then set it back to Safest -> whitelisted sites are gone.

Patrick · December 3, 2019, 6:42am

It’s “fixed” in the alpha version of Tor Browser 9.5a2. Doesn’t happen there anymore. Probably since the race condition doesn’t happen there anymore.

Choosing yes or no there may not have any influence.