Reading documents like https://tb-manual.torproject.org/ answers a lot of questions for newer TBB users. Also, just as Firefox changes constantly, TBB has ongoing changes.
On 2/8/20 3:53 PM, mimb...@danwin1210.me wrote:
My impression is that the "Security Level" (standard, safer, safest) has somewhat replaced NoScript.
I don't think that's true. If you read the differences in the TBB safety levels, it's fairly specific. As for safety levels replacing NS, there may be *some* overlap. Forgetting JS for a moment, there are many things NS does that don't involve JS, that are worth using, even if JS is turned on in NS by default.
NoScript is still an add-on but the icon does not appear as standard at the top of the browser as used to be the case. Also, the preset customization for "default" sites is to allow everything (except ping).
Where does the NS icon appear for you? The icon itself looks much the same as in the 1st quantum version. It used to be placed to the left of URL bar - maybe still is, in a fresh install. I always move it to the right of the search bar.
In terms of TBB's "Preferences / Privacy and Security" section, many sites will not work unless the "standard" setting is chosen. Are there any serious security ramifications of "standard" that can undermine the TBB and thus acquire the user's real IP?
The Safe, Safer or Safest levels have nothing to do with exit nodes used by TBB. The addresses of the exit nodes determine the IPa that sites see, not java scripts. Choose a different exit node, get a new IPa (from Tor network exits). Under "Learn More" or Advanced Security Settings, under Security Levels, the Safer level says, "Disables website features that are often dangerous, causing some sites to lose functionality." "JavaScript is disabled on non-HTTPS sites.Some fonts and math symbols are disabled.Audio and video (HTML5 media), and WebGL are click-to-play." It doesn't say if that's every feature it disables. True, many sites won't work completely unless at least (some or all, depending) of the scripts for the 1st level domain are allowed. For certain content on a given site, some 3rd party scripts must be enabled. It depends on what content you want to see & its format, its source - from 1st or 3rd party, etc. For instance, if you're reading plain text or HTML, JS is generally not needed.
I assume not or what would be the point of the TBB? I imagine that browser components that might be dangerous in a normal Firefox won't necessarily be operational in a hardened TBB. Hence, "standard" (which includes JS, WebGL, etc) is not a problem.
For one very big thing, TBB (and Tor and how the Tor network functions), unhardened Firefox gives out much more info than TBB - even if TBB is on Safe level. It hides your true IP address, if users don't install certain addons that sometimes may leak your true IPa. It spoofs a lot of info given out in normal browswers, so the spoofed data is the same for all TBB users. Other data shown by browsers, TBB may not give out at all.
Could someone e.g. Roger please clarify this fact. It does feel a bit odd using sites with JS, etc, freely working whereas in my non-TBB Firefox, I have to constantly allow NoScript to "temporarily trust" most sites. Thank you.
-- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
