Tor Browser Security Level

Having an intermittent problem with the Tor Browser. Currently my Security Level setting level is shown as “Safest”. However, when I run and IP check from it shows that Javascript is enabled. The icon on the browser taskbar is all black. When I tested my browser with the Whonix Forum, I can see javascript is indeed enabled.

I seem to recall during one of the Whonix upgrades I received a message about how Tor Browser’s security level settings by default would be set to safest when opening. This is different from the default settings for Tor Browser. Was this a change initiated by Whonix?

The problem is intermittent. Sometimes when Tor Browser opens, and I do an IP Check, it shows javascript as disabled, with the Security Level setting at Safest. Yet other times, with the Security Level at that same setting, running an IP check at shows javascript still enabled. Is this a Whonix issue or do I need to maybe create a bug report over at Tor? Sorry for my confusion here.

Just to add, I am now running the tester version in KVM, but before I installed it, I was using an older, but updated version of Whonix 15 and I was seeing the same issue. I have noticed this for about a week or two recently. Definitely a security concern.

This is what the popup is saying, see this post: add Tor Browser first startup popup to ask whether security slider should be set to safest - #9 by Patrick

Most important quote:

All this would do is copying file /usr/share/torbrowser/security-slider-highest.js to ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js.

cp /usr/share/torbrowser/security-slider-highest.js ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

This is the related source code:
tb-starter/torbrowser at e86a794ceb21f16acdce2a7d7c34e3214612d51c · Kicksecure/tb-starter · GitHub

To look at that file:

cat ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

To undo what this file is doing, just delete that file:

rm ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

To not have this changer ever applied, click “No” when this popup appears. (Requires a new Whonix VM or Tor Browser re-installation.)

Whonix ™ Tor Browser Differences:
Tor Browser Essentials

Please learn about: Tor Browser Functionality on Different Platforms:
Tor Browser Essentials

Then please try to reproduce this in on a plain Debian VM. Such as a Debian buster VM.
Non-Whonix. I.e. outside of Whonix. If the bug is reproducible there too, it should be reported to The Tor Project.

1 Like