I was wondering about setting up the security level in Tor browser settings. If it is even necessary in my case. I found out that Safest breaks most websites so I am not able to use that.
Taking a look at Safest, it says that it 1. disables Java on non HTTPS sites, 2. disables some fonts and math symbols, and 3. audio and media and WebGL are click to play.
As I have HTTPS only mode enabled in all windows, the first point seems not to be necessary, right?
Now, I am having a persistent Tor browser identity because I keep using the same accounts, have a browser extension installed and so on. Meaning, I stand out. And that is okay as long as my real identity is not revealed. I think it is called pseudo anonymity.
So, does point 2 and 3 matter at all for me if it is obvious anyway that it is the same person who controls certain accounts?
In my eyes, the only thing that matters is not to reveal my real identity and I do not have to worry about those two points as they only matter for people who want to have a small fingerprint. In my case though, my fingerprint does not matter at all because I stand out anyway, which does not endanger my anonymity, or pseudo anonymity anyway.
Therefore, it does not matter if my security level is Standard or Safer.
Am I correct here or am I forgetting anything? What are your thoughts?
The only further threat I could imagine is revealing a connection between several VMs when using them. Could it be relevant here?
Websites might be malicious or compromised and attack users. Therefore hardening makes sense either way. HTTPS only encrypts the transport layer. That is mostly useful as long as the website does not attack users.
I still do not understand why disabling Javascript on non HTTPS websites is necessary if I have always HTTPS mode enabled and therefore cannot even visit non HTTPS websites?
So, leaving certain fonts and math symbols, automatic audio and media and WebGL enabled on my different VMs could lead to a correlation between those, and therefore it is still recommended to use Safer and not Standard. Is that right?
Keep in mind that correlations between activities in the same VM is not relevant for me as I am pseudonymous, so the only thing that matters for me is correlations between my VMs.
Because JavaScript is an additional feature, a complex programming language that requires thousands of lines of browser code to interpret where could be vulnerabilities which allow remote code execution.
A specifically crafted website can exploit the browser if the website has access to an exploit. Requires a vulnerability known to the website. Transfer over http or https is no relevant difference with regards to remote code execution attack surface.
Leaving WebGL enabled is just as risky as having Javascript enabled.
Also in Safest mode Javascript is not completely blocked either. you got more things to worry about
Might explain your findings? According to Tor Browser documentation:
Safest Javascript is disabled by default on all sites; some fonts, icons, math symbols, and images are disabled; audio and video (HTML5 media) are click-to-play.
“Risky” in what sense? Are you actually referring to revealing a correlation between my different VMs or what threats are you referring to when saying risky?
The thing I mean is that Javascript is only disabled on non HTTPS sites but I cannot visit non HTTPS sites anyway because of my settings, so what difference does it make in the end?
Of interest I researched the implementation of the ‘Safer’ security-level that also compels disablement of JIT. Makes exploitation of the browser using the JavaScript engine much harder with the cost of some performance. Do not know how it implicates fingerprinting.
The concern over JavaScript ‘not being fully disabled’ under the ‘Safest’ security-level perhaps may have something to do with the fact the method being used relies on the NoScript add-on. There was an incident back in 2019 where a Mozilla code-signing certificate expired and as a implication all add-ons in Firefox and Tor Browser disabled themselves as part of an perhaps overzealous security precaution. Sadly I do not know if Mozilla or Tor Browser developers implemented any mitigations against this possibly reoccurring in future.
In general this probably is a good thing.
Disabling JavaScript via browser flag otherwise would make Tor Browser users more distinguishable from normal users, which most certainly have JS enabled.
Not sure, how likely an expiration of certificates will be in the future, but that’s sounds rather neglectable. Tor Browser already has to rely on Mozilla organization in regard to Firefox/browser architecture. Certificates at least are responsibility of the same organization, hence no further dependency is introduced.
Perhaps. The next question is if the implementation of the ‘Safest’ security-level can be distinguished to disabling JavaScript globally with the browser flag. However if it is the same that kind of makes it a small point.
Not sure, how likely an expiration of certificates will be in the future, but that’s sounds rather neglectable. Tor Browser already has to rely on Mozilla organization in regard to Firefox/browser architecture
Can understand that viewpoint but it seems rather alarming that a critical functionality as used by Tor Browser did not ‘fail-close’ leaving users potentially vulnerable to certain attacks. Do not know if Tor Browser developers implemented further mitigations after said incident.
