Whonix Tor Browser Starter safest setting fails

[b17b7bdb]

Setting tb_security_slider_safest=true (either by selecting Yes in the Tor Browser Starter screen or by creating a line in /etc/torbrowser.d/50_user.conf) does not result in the expected behavior.

Expected Behavior: 

- Shield icon is fully colored

- Security Level is set to Safest in about:preferences#privacy

- JavaScript is disabled by default on ALL sites

Actual Behavior:

- Shield icon is fully colored

- Security Level is set to Safest in about:preferences#privacy

- JavaScript is ALLOWED on selected sites. 

To view these sites click on the NoScript Preferences button in the about:addons page and then select the Per-Site Permissions tab.

[awokd]

'b17b7bdb' via qubes-users:

> Setting tb_security_slider_safest=true (either by selecting Yes in the Tor Browser Starter screen or by creating a line in /etc/torbrowser.d/50_user.conf) does not result in the expected behavior.

> Actual Behavior:
> - Shield icon is fully colored
> - Security Level is set to Safest in about:preferences#privacy
> - JavaScript is ALLOWED on selected sites.
> To view these sites click on the NoScript Preferences button in the about:addons page and then select the Per-Site Permissions tab.
>

When I do this in a fresh DispVM with the above setting, I see no sites
listed on the Per-Site Permissons tab. Are you using a disposable VM?

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

[b17b7bdb]

On 9/13/19 9:31 AM, 'awokd' via qubes-users wrote:> 'b17b7bdb' via qubes-users:

>> Setting tb_security_slider_safest=true (either by selecting Yes in the Tor Browser Starter screen or by creating a line in /etc/torbrowser.d/50_user.conf) does not result in the expected behavior.

>

>> Actual Behavior:

>> - Shield icon is fully colored

>> - Security Level is set to Safest in about:preferences#privacy

>> - JavaScript is ALLOWED on selected sites.

>> To view these sites click on the NoScript Preferences button in the about:addons page and then select the Per-Site Permissions tab.

>>

> When I do this in a fresh DispVM with the above setting, I see no sites

> listed on the Per-Site Permissons tab. Are you using a disposable VM?

>

That's correct.  I observed the same behavior in the Whonix DispVMs on two different machines, one of which is a fresh (and updated) install of R4.0.1.  Notably, if I manually set the security level to safer in about:preferences#privacy then the per-site permissions disappear. 

These permissions are clearly the default permissions included with no-script add-on.  For example, a variety of google, microsoft, yahoo, paypal, and netflix sites are default trusted, among others.

[awokd]

'b17b7bdb' via qubes-users:

We might be miscommunicating. I'm saying when I set
/etc/torbrowser.d/50_user.conf with tb_security_slider_safest=true and
start a new DispVM (on current-testing), I see zero sites listed. Did
you add the setting in whonix-ws-15 template? I tried it in the DVM
template first, but it didn't stick. I do see what you mean with about
30 sites listed when I start a DispVM (on a different client on current)
without that setting. Is your Tor Browser 8.5? Odd that you're
experiencing different behavior. Might want to mention on qubes-whonix
forum too.

[b17b7bdb]

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

> We might be miscommunicating. I'm saying when I set

> /etc/torbrowser.d/50_user.conf with tb_security_slider_safest=true and

> start a new DispVM (on current-testing), I see zero sites listed. Did

> you add the setting in whonix-ws-15 template? I tried it in the DVM

> template first, but it didn't stick. I do see what you mean with about

> 30 sites listed when I start a DispVM (on a different client on current)

> without that setting. Is your Tor Browser 8.5? Odd that you're

> experiencing different behavior. Might want to mention on qubes-whonix

> forum too.

>

Yes, I created /etc/torbrowser.d/50_user.conf in the whonix-ws-15 template and added the line tb_security_slider_safest=true, which persisted across all DispVMs.  Everything worked as expected, no TB starter window and js was disabled for all sites, except for the per-site permissions listed as trusted by no-script.  I observed the same behavior after commenting out the line and choosing yes in the starter window.  Both machines have TB 8.5.5 installed.  It is indeed surprising that we're observing different behaviors.

(Btw, my apologies if this creates another new thread.  Not sure how to get around this since I'm not able to respond directly in protonmail.)

[scurge1tl]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



'awokd' via qubes-users:

Hi, I have the same issue. But I am now communicating with a guy in
the Whonix forum and if he starts his Whonix-15 dvm TB, he has no
whitelisted sites in the Per-site Permission on Safest. This issue
seems to be selective. We both have the 8.5.5 Firefox 60.9.0esr and I
didn't do any mods in whonix-15 templates. He doesn't have any
whitelisted sites on Safest and I do ^^

Can others please check the issue too and add their situation?
Thank you!

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEExlmPb5HoPUTt+CQT44JZDAWK6UwFAl1/NI1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEM2
NTk4RjZGOTFFODNENDRFREY4MjQxM0UzODI1OTBDMDU4QUU5NEMACgkQ44JZDAWK
6UxWLQ/+MWFyDFy9xKjBD9CmNSEY53CG8pf/5X122B4kggFn3yT+TJ79o4v1PyYM
Y2XkyjhmkxmC0q9U+MFEYIzE0evX2uLZOXWXqlH3UE0QN+DI5htUZR30QoAjB5dL
rdq+fNYtrvxsBY70GeoD39g5RqLPjnmye8rtogQFszp9ldiA5OJ4n5cOwB27lFUj
CT0Lk8F11o4FERhoff1F/Ff/2LSXJDcSMRRCuosG+Q4GgWw2d2pPiqXmeWUCamdH
UxlptUhTb/GvKLMGBQ7sBylk79q8MipVjPj3ZtVNi6pfhu4ZsDH5QZfiRAiIK1Kz
bTp13YVjuFOCHDYy5CeWoYrLxycMeqCt8yngHSvHYo5aPaxk0jf9x+CYvIpdYn5B
Sjn/z8+C8f3zLeERqq4q6jC700cgFU3f5ZBFTP4R0XHp7kzhgfnCHAUJ/qFUuc+b
a+GYNVxIBgCBZknPTdzS8raFW2EhlvumWD8YhKhAMES86Vqz9z3SRRRWxQ/5sb/+
CAp4jJ4Ispg1K8OyJox4G4jXgWfk5JCqy3E8CnQC+xbVvgnE6jTI7igKMhE1n8vE
Gv0w3maOGk9/byNzCW4PGf9vb1YEeu5CFaG0WPGcmKT/DWxNGc1h5q3Jo5gnVWuU
NngevmJgzKjsahgabSzxSD408u2ddVCwFR/zdgCqPgviQxdqA98=
=tck6
-----END PGP SIGNATURE-----

[Patrick Schleizer]

'b17b7bdb' via qubes-users:

> - JavaScript is ALLOWED on selected sites.
> To view these sites click on the NoScript Preferences button in the about:addons page and then select the Per-Site Permissions tab.

Whonix source code doesn't write literally googlevideo, netflix,
outlook, etc. anywhere. It does not do anything to give special
treatment to any websites.

By policy, for simplicity, clean implementation and whatnot, the
"inside" of Tor Browser isn't modified by Whonix. This is elaborated here:

https://www.whonix.org/wiki/FAQ#Does_Whonix_Change_Default_Tor_Browser_Settings.3F

Tor Browser upstream issue. Bug report written just now.

wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor
Browser

https://trac.torproject.org/projects/tor/ticket/31798

See also:

https://www.helpnetsecurity.com/2015/07/01/researchers-point-out-the-holes-in-noscripts-default-whitelist/

https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/

>From noscript FAQ:

Q: What websites are in the default whitelist and

https://noscript.net/faq#qa1_5

Q: What is a trusted site?

https://noscript.net/faq#qa1_11

Whonix forum discussion:

https://forums.whonix.org/t/noscript-with-security-slider-at-safest-permits-around-30-sites/8160

Cheers,
Patrick