whonix-15 TB in dvm on Safest has whitelisted sites in NoScript by default
36 views
Skip to first unread message
scurge1tl
Sep 17, 2019, 3:34:34 AM9/17/19
to qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
Current behavior:
- - start TB in a whonix-15-dvm AppVM (Q -> whonix-ws-15-dvm -> Tor
Browser (Anon Dist)
- - set Advanced security settings on Safest (click Yes)
- - about:addons -> NoScript Preferences -> Per-site Permissions
- - there are plenty of whitelisted sites like google.com,
microsoft.com, passport.com, afx.ms and many others.
This behavior is whonix-ws-15-dvm specific. I don't see this behavior
in anon-whonix (no whitelisted sites on Safest).
Expected behavior:
I believe that on Safest settings the TB shouldn't have any sites
whitelisted by default.
I tried to reinstall the whonix-15-dvm but it doesn't help. The
whitelisted sites are still there in the popped up dvm.
Can others please check if they have the same issue?
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEExlmPb5HoPUTt+CQT44JZDAWK6UwFAl2AjGVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEM2
NTk4RjZGOTFFODNENDRFREY4MjQxM0UzODI1OTBDMDU4QUU5NEMACgkQ44JZDAWK
6UxlLA//aJgx+14d7omw2O4aMIZzY+KWGA8dwePEt61O/p1rNuJo+Bb1w83vLwrD
g0xULHyun4jf0EIdI59og+AXuL77yIEbUMtBr98QeB1PZwvtsGK2Kbzm1GwbPTif
4S7ZRlwhq9gcPmq0DCbkguEzF3nHcLuOa2rNIQhe7s79Mugx2uYIjC/y9p6U3yyf
qEpzwxs392lNW8fkiR4wdE5qOPIHkxSMpqGekS/sh5Xoqc1GdKrzccsyALqzRV+Q
G7ymCDTGc96ROoUg6az71XmpmZB5hx87c1k63LYj3aBi/8ijkdyx+0fwoaarsGND
zcPiqyyJSq7l9qso7PgpcIiSezL+TjWA58R99YYUwl1+ZM2ngEtaeTsyR0Kj7z6H
wdu6ixvvFb4cCoVEMibdDaapT2iFKsFYCgI/8NOuHuUI8TWeNDS7+CKLSJ7UXZM/
T2RBGTORvDN7JzSv8TynWZoiSaekst9g0HmlUd/JbKqkL8OFC7rRgwa0DKzpXj/D
DFiHXkJiuj/OWeH47uViw3asz9c6w5N62Jjte/jo1KepsBfQBC+BgZIZBoap+dyF
jfWwis/39eAcGIExU1Yvy+W6fMZq6Exz6gKmh89GaTFUKnP+DsMZp2XcEe/tNnor
e8BzMrWgrirKUCtBf0Qlj8TILY0oBw/f/JLugc3RVq29zTZZna8=
=YeAi
-----END PGP SIGNATURE-----
Hash: SHA512
Hi,
Current behavior:
- - start TB in a whonix-15-dvm AppVM (Q -> whonix-ws-15-dvm -> Tor
Browser (Anon Dist)
- - set Advanced security settings on Safest (click Yes)
- - about:addons -> NoScript Preferences -> Per-site Permissions
- - there are plenty of whitelisted sites like google.com,
microsoft.com, passport.com, afx.ms and many others.
This behavior is whonix-ws-15-dvm specific. I don't see this behavior
in anon-whonix (no whitelisted sites on Safest).
Expected behavior:
I believe that on Safest settings the TB shouldn't have any sites
whitelisted by default.
I tried to reinstall the whonix-15-dvm but it doesn't help. The
whitelisted sites are still there in the popped up dvm.
Can others please check if they have the same issue?
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEExlmPb5HoPUTt+CQT44JZDAWK6UwFAl2AjGVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEM2
NTk4RjZGOTFFODNENDRFREY4MjQxM0UzODI1OTBDMDU4QUU5NEMACgkQ44JZDAWK
6UxlLA//aJgx+14d7omw2O4aMIZzY+KWGA8dwePEt61O/p1rNuJo+Bb1w83vLwrD
g0xULHyun4jf0EIdI59og+AXuL77yIEbUMtBr98QeB1PZwvtsGK2Kbzm1GwbPTif
4S7ZRlwhq9gcPmq0DCbkguEzF3nHcLuOa2rNIQhe7s79Mugx2uYIjC/y9p6U3yyf
qEpzwxs392lNW8fkiR4wdE5qOPIHkxSMpqGekS/sh5Xoqc1GdKrzccsyALqzRV+Q
G7ymCDTGc96ROoUg6az71XmpmZB5hx87c1k63LYj3aBi/8ijkdyx+0fwoaarsGND
zcPiqyyJSq7l9qso7PgpcIiSezL+TjWA58R99YYUwl1+ZM2ngEtaeTsyR0Kj7z6H
wdu6ixvvFb4cCoVEMibdDaapT2iFKsFYCgI/8NOuHuUI8TWeNDS7+CKLSJ7UXZM/
T2RBGTORvDN7JzSv8TynWZoiSaekst9g0HmlUd/JbKqkL8OFC7rRgwa0DKzpXj/D
DFiHXkJiuj/OWeH47uViw3asz9c6w5N62Jjte/jo1KepsBfQBC+BgZIZBoap+dyF
jfWwis/39eAcGIExU1Yvy+W6fMZq6Exz6gKmh89GaTFUKnP+DsMZp2XcEe/tNnor
e8BzMrWgrirKUCtBf0Qlj8TILY0oBw/f/JLugc3RVq29zTZZna8=
=YeAi
-----END PGP SIGNATURE-----
Patrick Schleizer
Sep 19, 2019, 4:15:57 AM9/19/19
to qubes...@googlegroups.com, Whonix-devel
Whonix source code doesn't write literally googlevideo, netflix,
outlook, etc. anywhere. It does not do anything to give special
treatment to any websites.
By policy, for simplicity, clean implementation and whatnot, the
"inside" of Tor Browser isn't modified by Whonix. This is elaborated here:
https://www.whonix.org/wiki/FAQ#Does_Whonix_Change_Default_Tor_Browser_Settings.3F
Tor Browser upstream issue. Bug report written just now.
wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor
Browser
https://trac.torproject.org/projects/tor/ticket/31798
See also:
https://www.helpnetsecurity.com/2015/07/01/researchers-point-out-the-holes-in-noscripts-default-whitelist/
https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/
From noscript FAQ:
Q: What websites are in the default whitelist and
https://noscript.net/faq#qa1_5
Q: What is a trusted site?
https://noscript.net/faq#qa1_11
Whonix forum discussion:
https://forums.whonix.org/t/noscript-with-security-slider-at-safest-permits-around-30-sites/8160
Cheers,
Patrick
outlook, etc. anywhere. It does not do anything to give special
treatment to any websites.
By policy, for simplicity, clean implementation and whatnot, the
"inside" of Tor Browser isn't modified by Whonix. This is elaborated here:
https://www.whonix.org/wiki/FAQ#Does_Whonix_Change_Default_Tor_Browser_Settings.3F
Tor Browser upstream issue. Bug report written just now.
wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor
Browser
https://trac.torproject.org/projects/tor/ticket/31798
See also:
https://www.helpnetsecurity.com/2015/07/01/researchers-point-out-the-holes-in-noscripts-default-whitelist/
https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/
From noscript FAQ:
Q: What websites are in the default whitelist and
https://noscript.net/faq#qa1_5
Q: What is a trusted site?
https://noscript.net/faq#qa1_11
Whonix forum discussion:
https://forums.whonix.org/t/noscript-with-security-slider-at-safest-permits-around-30-sites/8160
Cheers,
Patrick
scurge1tl
Sep 19, 2019, 11:50:56 AM9/19/19
to Patrick Schleizer, qubes...@googlegroups.com, Whonix-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Patrick Schleizer:
Hash: SHA512
> Whonix source code doesn't write literally googlevideo, netflix,
> outlook, etc. anywhere. It does not do anything to give special
> treatment to any websites.
>
> By policy, for simplicity, clean implementation and whatnot, the
> "inside" of Tor Browser isn't modified by Whonix. This is
> elaborated here:
>
> https://www.whonix.org/wiki/FAQ#Does_Whonix_Change_Default_Tor_Browser
_Settings.3F
>
> Tor Browser upstream issue. Bug report written just now.
>
> wipe all mentions of netflix, paypal, youtube, ... from noscript in
> Tor Browser
>
> https://trac.torproject.org/projects/tor/ticket/31798
>
> See also:
>
> https://www.helpnetsecurity.com/2015/07/01/researchers-point-out-the-h
oles-in-noscripts-default-whitelist/
>
>
> https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs
- -zendcdn-net/
> outlook, etc. anywhere. It does not do anything to give special
> treatment to any websites.
>
> By policy, for simplicity, clean implementation and whatnot, the
> "inside" of Tor Browser isn't modified by Whonix. This is
> elaborated here:
>
> https://www.whonix.org/wiki/FAQ#Does_Whonix_Change_Default_Tor_Browser
_Settings.3F
>
> Tor Browser upstream issue. Bug report written just now.
>
> wipe all mentions of netflix, paypal, youtube, ... from noscript in
> Tor Browser
>
> https://trac.torproject.org/projects/tor/ticket/31798
>
> See also:
>
> https://www.helpnetsecurity.com/2015/07/01/researchers-point-out-the-h
oles-in-noscripts-default-whitelist/
>
>
> https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs
>
>
>> From noscript FAQ:
>
> Q: What websites are in the default whitelist and
>
> https://noscript.net/faq#qa1_5
>
> Q: What is a trusted site?
>
> https://noscript.net/faq#qa1_11
>
> Whonix forum discussion:
>
> https://forums.whonix.org/t/noscript-with-security-slider-at-safest-pe
rmits-around-30-sites/8160
>
> Cheers, Patrick
>
Hello Patrick, thank you for the reaction.
>
>> From noscript FAQ:
>
> Q: What websites are in the default whitelist and
>
> https://noscript.net/faq#qa1_5
>
> Q: What is a trusted site?
>
> https://noscript.net/faq#qa1_11
>
> Whonix forum discussion:
>
> https://forums.whonix.org/t/noscript-with-security-slider-at-safest-pe
rmits-around-30-sites/8160
>
> Cheers, Patrick
>
Just shortly: Tails fresh install 3.16 or 4.0-beta TB don't have this
issue. Even it starts on "Standard" by default of course. Fresh
install of TBB on win7 doesn't have the issue. It seems to be
qubes-whonix (dont know how is ti in non-qubes-whonix) specific for
some reason.
I believe that if one sets the security setting to "Safest", she for
sure didn't meant to be tracked by entities like google, youtube,
microsoft, yahoo, paypal and others - the worst surveillance
capitalists on this planet.
Interesting is that the issue with the whitelist can be easily
"solved" just by clicking on the Standard security setting and than
again back to the Safest -> no "Trusted" websites anymore, zero. Can
you please check deeper on this issue? Thank you!
Weird ^^
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEExlmPb5HoPUTt+CQT44JZDAWK6UwFAl2Do7VfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEM2
NTk4RjZGOTFFODNENDRFREY4MjQxM0UzODI1OTBDMDU4QUU5NEMACgkQ44JZDAWK
6Uyy+hAAgDc4f/iwLGoTfQKaAX8xcpiaKWEd+p032laJ8rKdSIB6Kd5JG3bBYSGh
iHY5MeAZene44f3DyloDcny6Kv6ibw31/877sIVNDWKIQQQi/rtfkVT+nyp1Bb+5
32xrh+u+MhTIKbBjYCjyy+E5F1fVWK1Q3+dBApLHWsJxseeAON1lL41dH63fP4zX
ApSoOmvJM3fiLZGgPYA2zr/W4VzSTmWag5pp27X4r2rMPpoonZghFv5B+IjixhHX
tTntE+cfxTXqkoNwLY/upsJeXLoFgWr4ss7FQ3OfDE7X743fbu2Y3j857rPSPs00
V2eArJjxh5a2pwmrZcFzW+KN30CHIAXRplIt5/k2Nfa+UcHfkPlZOsZlGXBtVba2
AofLm/OlGjqupgFMpIwDcwP+zHEIGrN/HTyr61GAozInK4A1YU7+Q0Jz+b0fJl8j
927uxdZVFE9JZXpF8YmO7pMrTcAwfo7fqV9/tfjEkvm6EtvlNdt5FLPRGLF4QGMI
tH7ovKxRedvdHRLp+81CqLjxn8R5zkdnoZzNMOfWN/Q5NtETNOLxWiRPKt6iLg4l
qW07ICAkQYJaVDTVKfH49CrKRWZF88f+I2s+/6AVUivvuPAM/n8p64ABsGyS5e+h
QgRIhBZbIvu+6kGxSWQkftKTwTuQHn24JFPM2jIQgaO1g9stTwg=
=Vqtn
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages