I’ve messed around with this before, and yes it does. You can test by looking to see if some of these about:config settings are set https://2019.www.torproject.org/projects/torbrowser/design/#other-security
- High … and disables SVG images ( svg.in-content.enabled ).
Does not work.
I speculate that
usingthe security slider in an interactive (manual) way makes it do things. However,
startingwith security slider pref set to high does not make the security slider do things. The pref only tells the security slider how it should visually appear but it does not seem to (fully) call the function which does things.
I think svg.in-content.enabled isn’t used anymore. Setting the security slider to high manually doesn’t change that pref for me but it does change svg.disabled to true.
File location moved.
new file location:
I stand corrected. Looks like setting the slider to Safest “after” first start can cause prefs not to sync properly. When adding prefs to /usr/share/tb-updater/tb_without_tor_settings.js (setting prefs at first boot) NoScript and about:config “visually appear” to work as expected. Meaning NoScript sycs with security slider and about:config prefs are togled as expected.
Fixed by commit 38a59e819604de5018db5db54fb08fd9e1581d1f. Please open a new ticket for the Tor Launcher issue if you wish.
Is this essentially a revisit of the same issue or would fixing Tor Launcher work as well?
environment variable to skip TorButton control port verification https://trac.torproject.org/projects/tor/ticket/13079 was an enhancement request which was implemented. Please reference this ticket when writing a bug report. Now this feature broke, so I think it’s correct to create a bug report?
The bug could also be a big different. If I remember fight, previously I think this is still a torbutton, not tor-launcher feature. Upstream will require instructions how to reproduce this issue on Debian, i.e. which environment variables set. This presupposes packages tb-updater / tb-starter not being installed and reproduced on plain Debian.
Please open a new ticket for the Tor Launcher issue if you wish. Just a minor code style issue: checking existence of environment variable vs checking the value of an environment variable. Not worth a report.
No bug report needed. I found a solution. Will post soon.
Since editing Qubes documented is rather cumbersome(?), what about leaving wiki page https://www.whonix.org/wiki/SecBrowser at Whonix wiki where each of us can edit easily and only submitting a stub to Qubes documentation?
Patrick via Whonix Forum:
Since editing Qubes documented is rather cumbersome(?), what about
leaving wiki page https://www.whonix.org/wiki/SecBrowser at Whonix wiki
where each of us can edit easily and only submitting a stub to Qubes
Thats a great idea. I can put together SecBrowser basics and the
benefits of using SecBrowser as per https://2019.www.torproject.org/projects/torbrowser/design/, Security Slider etc. Gather fingerprint stats from https://browserprint.info/ and https://panopticlick.eff.org/ . The former because https://www.qubes-os.org/doc/w3m/ uses that test and mentions that the w3w browser has a fingerprint that stands out from Tor Browser i.e stands out in a crowd. I just tested SecBrowser default settings. Much better than expected
Within our dataset of several hundred thousand visitors tested in the
past 45 days, one in 76.46 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys
6.26 bits of identifying information.
Just to be clear, no configuration instructions?
Yes. (Since these are a moving target more easily edited in Whonix wiki.)
I consider this “bonus” too.
If there is something regarding security benefits we don’t have listed at https://www.whonix.org/wiki/SecBrowser yet that would be very cool to have indeed.
Adding that to Qubes website, well, feel free, I consider it bonus too.
Not having a strong opinion either way. There is artistic freedom and many great ways of doing this. Just an idea to reduce cumbersomeness of editing.
In SecBrowser#Download_Alpha_Versions users are given instruction on how to install and/or user multiple text editors. However,
gedit preempts that a little further up the page. I thinkk its necessary to show new users how to use a text editor but I’m not a big fan of adding those secondary instructions to the page. I think it adds clutter and to some extent confusion for beginners.
Private Browsing Mode
lxsu mousepad /etc/secbrowser.d/50_user.conf gksudo gedit /etc/secbrowser.d/50_user.conf sudoedit /etc/secbrowser.d/50_user.conf
Google Season of Docs should solve this with clickable icons that link to the corresponding man pages.
@0brand the fpcentral site is a better test for browser fingerprint because it measures differences between versions in the TBB family exclusively compared to panopticlick which has browsers from all over the place.
Once https://github.com/netblue30/firejail/issues/2863 is sorted, firejailing SecBrowser by default is an option when firejail is installed (which will be the case in “hardened debian”).
(For Tor Browser in Whonix, perhaps another first start popup.)
Made minor changes to SecBrowser local homepage. Wiki page enhancements (download alpha versions, firejail, hardened-malloc).
Could you please modify/split https://www.whonix.org/wiki/SecBrowser for use in Debian (based) distributions vs Qubes Debian templates? Not sure if best modified or split and/or using wiki templates?
Little Qubes specific. Should work well in Debian (based) too.
SecBrowser will keep growing so splitting with templates is the best option imo. I’ll get that sorted out.
SecBrowser has been split into 2 pages.