Closed ghost closed 5 years ago
Related issue: #316
Did you notice/try d0b78593632b51f4019544cf11fabf3f95d81ce0?
Need to review your list.
Did you notice/try d0b7859?
No.
Need to review your list.
Great. Looking forward to it.
I understand there are many similar projects (user.js settings) but it is really difficult to keep track of all of them. For the moment yours is the only one I have had a look at. It is good there is an open bug to discuss all that at Tor but as far as I see it is not really getting a lot of attention.
It seems to me important to distinguish between the "regular" browsers and TBB because with regular browsers we have an additional goal - not to share the IP address with 3rd parties. With TBB however there is an additional goal: not to create an easy fingerprint. When testing certain settings in TBB I noticed that the Panopticlick bits rise when supposedly privacy tightening settings are applied (e.g. disabling cookies).
Ideally we should come up with a unified user.js which ensures maximum security (including privacy). Unfortunately I am still unfamiliar with most of these variables, so I count on you to provide extra info after you review them.
@anchev you compared the default settings in Tor. They have some weak spots, like javascript enabled!
I have compared the default settings of Tor but with "Security Level" slider set to Safest. I don't know if and how that affects any about:config settings but I think it deserves a more meticulous look because Tor gives a Panopticlick result of 6.57 bits while FF with this user.js gives about 9.71 bits. Tor also has safebrowsing features disabled.
I have compared... with "Security Level" slider set to Safest.
Good choice. Some settings are changed in a hardened way.
I tested various things today (including setting some values to what they are in Tor) and then running https://panopticlick.eff.org/
Something strange I notice: user_pref("privacy.donottrackheader.enabled", true); increases bits of identifying info when testing in Tor. The same setting however decreases the bits when testing in FF 58.
Any idea why that may be?
Except this particular setting, testing in Tor the other ones shared in https://github.com/pyllyukko/user.js/issues/365#issuecomment-361105455 don't increase the entropy bits in Tor. So perhaps we can assume they actually add security and privacy?
Strangely I can't get FF 58 lower than 9.7 bits with the same user.js (and with user_pref("privacy.donottrackheader.enabled", true);).
Additionally I wonder if it is possible to reduce further the 6.57 bits of Tor...
What do you think about all these?
Any idea why that may be?
A dead horse, DNT is greatly ignored and simply makes your browser stand out in the crowd.
What do you think about all these?
I have highest bits of identifying information on these Browser Characteristics:
Hash of canvas fingerprint
Screen Size and Color Depth [*]
Browser Plugin Details
System Fonts [*]
User Agent
Of these, some can be spoofed (UA String) or modified, while others are Hardware/OS related [*]
Moreover, with less FF users the uniqueness is increasing.
So how did you do the comparison? Because I think there is no point in comparing settings in TBB, that are the same defaults as in Firefox, but only compare the settings they have explicitly set.
I understand there are many similar projects (user.js settings) but it is really difficult to keep track of all of them. For the moment yours is the only one I have had a look at. It is good there is an open bug to discuss all that at Tor but as far as I see it is not really getting a lot of attention.
True.
Ideally we should come up with a unified user.js which ensures maximum security (including privacy). Unfortunately I am still unfamiliar with most of these variables, so I count on you to provide extra info after you review them.
I'm afraid we'll never get there. I mean having some kind of consensus on the settings between different projects.
A dead horse, DNT is greatly ignored and simply makes your browser stand out in the crowd.
I know that. But the fact is that Panopticlick result is affected by that setting. So although it is ignored and cannot be trusted as a security measure, it may at least matter as a dimension about privacy.
I have highest bits of identifying information on these Browser Characteristics:
Are you testing with the same settings which I described?
So how did you do the comparison?
Compared before/after the custom user.js with the Tor profile. When changing some settings, I deleted prefs.js and then repeat.
Because I think there is no point in comparing settings in TBB, that are the same defaults as in Firefox, but only compare the settings they have explicitly set.
A friend used to say: "With computers we must be explicit" :) I tend to agree because we (or at least I) don't know which TBB and FF settings are at their default values, if those default values are exactly the same (or TBB modifies them somehow). Additionally I notice that even with "factory" settings TBB has different (still displayed as default) settings and others which show as modified (although I haven't touched anything). So the point of comparing is to check how settings affect privacy/security in the different browsers and suggest better defaults.
I'm afraid we'll never get there. I mean having some kind of consensus on the settings between different projects.
That's not even the purpose. I am rather hoping to sort out the best bundle of settings. For the moment it is going well.
Are you testing with the same settings which I described?
Settings are close to the ones I previously linked here.
Then obviously you are not testing with what I test, so the result will be different. What is the final Panopticlick result you get with your settings in FF and TBB?
Not good, due to the hardware and OS. Fonts can be spoofed at system level: https://github.com/da2x/fluxfonts
What has hardware and OS to do with that? AFAIK fonts can be detected only through JS or flash. In my settings JS is disabled and I don't have flash installed. If you are testing with JS or some plugins that wouldn't be a meaningful test in the first place. Right?
Yes, these test pages have this flaw: sometimes you have to open up your defences for the tests to actually work.
hardware and OS
Screen size and system fonts (different from OS to OS, different if office suites installed or not): https://github.com/pyllyukko/user.js/issues/367#issuecomment-361288816
I had a look at @anchev Differences list (on top) and then I left only the entries with //TOR comment: https://gist.github.com/Atavic/f3b4bd9e207c2b0fac91937fef0df594
It's 174 differences and I am not amused at what I see regarding Tor preferences.
What are you talking about? I haven't opened up any defenses. The Panopticlick works without JS and I don't know how it may be possible to detect your desktop resolution if JS is disabled. I am getting confused by your words.
It's 174 differences and I am not amused at what I see regarding Tor preferences.
It seems Tor is not that tightened, right?
Panopticlick works without JS
My fault, I haven't done that test for some months, sorry!
TBB isn't tightened at all. :+1: for your efforts!
Let's tighten it then! :)
Did you notice/try d0b7859?
No.
It was a Makefile target I made for pretty much this purpose.
Because I think there is no point in comparing settings in TBB, that are the same defaults as in Firefox, but only compare the settings they have explicitly set.
A friend used to say: "With computers we must be explicit" :) I tend to agree because we (or at least I) don't know which TBB and FF settings are at their default values, if those default values are exactly the same (or TBB modifies them somehow). Additionally I notice that even with "factory" settings TBB has different (still displayed as default) settings and others which show as modified (although I haven't touched anything). So the point of comparing is to check how settings affect privacy/security in the different browsers and suggest better defaults.
The Tor tweaks come from 000-tor-browser.js (which you can download by running make 000-tor-browser.js).
I made a few additional targets:
000-tor-browser.js
, but not in our user.js
E.g.:
$ make tbb-diff-2
for setting in $( comm -12 <(sed -n '/^\(user_\)\?pref/s/^.*pref("\([^"]\+\)",\s*\([^)]\+\).*$/\1/p' user.js | sort) <(sed -n '/^\(user_\)\?pref/s/^.*pref("\([^"]\+\)",\s*\([^)]\+\).*$/\1/p' 000-tor-browser.js | sort)); do diff <(grep "^\(user_\)\?pref(\"${setting}\"" user.js | sed -n '/^\(user_\)\?pref/s/^.*pref("\([^"]\+\)",\s*\([^)]\+\).*$/\1 = \2/p' | sort) <(grep "^\(user_\)\?pref(\"${setting}\"" 000-tor-browser.js | sed -n '/^\(user_\)\?pref/s/^.*pref("\([^"]\+\)",\s*\([^)]\+\).*$/\1 = \2/p' | sort); done
1c1
< browser.download.manager.retention = 0
---
> browser.download.manager.retention = 1
1c1
< browser.newtabpage.directory.ping = ""
---
> browser.newtabpage.directory.ping = "data:text/plain,"
1c1
< browser.newtabpage.directory.source = "data:text/plain,{}"
---
> browser.newtabpage.directory.source = "data:text/plain,"
1c1
< browser.safebrowsing.blockedURIs.enabled = true
---
> browser.safebrowsing.blockedURIs.enabled = false
1c1
< browser.safebrowsing.enabled = true
---
> browser.safebrowsing.enabled = false
1c1
< browser.safebrowsing.malware.enabled = true
---
> browser.safebrowsing.malware.enabled = false
1c1
< browser.safebrowsing.phishing.enabled = true
---
> browser.safebrowsing.phishing.enabled = false
1c1
< dom.maxHardwareConcurrency = 2
---
> dom.maxHardwareConcurrency = 1
1c1
< geo.wifi.uri = "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"
---
> geo.wifi.uri = ""
1c1
< plugin.state.flash = 0
---
> plugin.state.flash = 1
1c1
< privacy.trackingprotection.pbmode.enabled = true
---
> privacy.trackingprotection.pbmode.enabled = false
1c1
< security.pki.sha1_enforcement_level = 1
---
> security.pki.sha1_enforcement_level = 2
1c1
< security.tls.version.max = 4
---
> security.tls.version.max = 3
1c1
< services.blocklist.update_enabled = true
---
> services.blocklist.update_enabled = false
This way we don't need to comb through all the settings that come from Firefox defaults.
I am not an expert in make so it is a little unclear to me what you have done.
Can you explain?
I am not an expert in make so it is a little unclear to me what you have done. Can you explain?
Well in this case, it's just a method of calling an infernal shell one-liner that performs the diffing. You can see it running the one-liner in the second line of the example.
The make 000-tor-browser.js will create the 000-tor-browser.js file by downloading it from the Tor project.
Did this answer your question?
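A more readable form of the comparison that one-liner performs, as an added example that is not the project's Makefile or code from this thread. The function names, the `example.*` prefs and the sample files are constructed for illustration; the other sample values are taken from the diff output shown above.

```shell
#!/usr/bin/env bash
# Added example: compare the prefs set in user.js with those in 000-tor-browser.js.
TAB=$(printf '\t')

# Emit "name<TAB>value" for each pref()/user_pref() line, sorted by name.
# Commented-out lines are skipped; if a pref is set twice the last one is kept.
# Like the original one-liner, the value match stops at the first ")".
extract_prefs() {
    sed -nE 's/^[[:space:]]*(user_)?pref\("([^"]+)",[[:space:]]*([^)]+)\).*$/\2'"$TAB"'\3/p' "$1" |
        awk -F "$TAB" '{ v[$1] = $2 } END { for (k in v) print k FS v[k] }' |
        LC_ALL=C sort -t "$TAB" -k1,1
}

# Join the two extracted lists on the pref name; extra join(1) options follow the files.
join_prefs() {
    local f1="$1" f2="$2" a b
    shift 2
    a=$(mktemp); b=$(mktemp)
    extract_prefs "$f1" >"$a"; extract_prefs "$f2" >"$b"
    LC_ALL=C join -t "$TAB" "$@" "$a" "$b"
    rm -f "$a" "$b"
}

# Prefs set in both files with different values: name, first value, second value.
# The values are compared as strings, so 1 and 1.0 count as different.
prefs_differ() { join_prefs "$1" "$2" | awk -F "$TAB" '($2 "") != ($3 "")'; }

# Prefs that only the second file sets (Tor tweaks that user.js does not touch).
prefs_only_in_second() { join_prefs "$1" "$2" -v 2; }

# Constructed sample files written into directory $1.
make_samples() {
    cat >"$1/user.js" <<'EOF'
user_pref("browser.safebrowsing.enabled", true);
// user_pref("security.tls.version.max", 3);
user_pref("security.tls.version.max", 4);
user_pref("dom.maxHardwareConcurrency", 2);
user_pref("example.same.in.both", false);
EOF
    cat >"$1/000-tor-browser.js" <<'EOF'
pref("browser.safebrowsing.enabled", false);
pref("security.tls.version.max", 3);
pref("dom.maxHardwareConcurrency", 1);
pref("example.same.in.both", false);
pref("example.only.in.tor", "constructed");
EOF
}

d=$(mktemp -d)
make_samples "$d"
prefs_differ "$d/user.js" "$d/000-tor-browser.js"
prefs_only_in_second "$d/user.js" "$d/000-tor-browser.js"
```

The output is tab-separated (name, value in the first file, value in the second), so it can be redirected to a file and opened as a table.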
Yes but what is 000-tor-browser.js? IOW: how is one supposed to use it?
And another question: how can I get in a text file everything which I see in about:config in Tor (and in Firefox)? Perhaps if that is possible (say as a CSV) we could compare and experiment further. What do you think?
make 000-tor-browser.js is a bash command.
This bash script wgets this and then diffs with your own file via sed and regex.
BTW the gitweb.torproject.org link is a 404 Not Found for me, I see this other one but I don't know if it's the same.
Thanks. 404 here too. What about the other question?
I have to make some space before installing anything, but then I'll get those default preferences. Meanwhile I looked at Orfox and, scattered around many files, there are preferences that allow some google URLs. Tor prefs can be definitely modified for good.
Do you think it would be a good idea to create a matrix/table/CSV of settings? I imagine it may have the following columns:
Then hopefully we can come up with the best bundle of tested settings and when new browser versions are released we can simply review what's new and add/update the relevant cells. Perhaps some script may generate a user.js from the CSV.
The challenges I see with this:
user.js
projects may have different ones, still containing valuable info)
What do you think?
BTW this may be worth looking at: https://trac.torproject.org/projects/tor/ticket/21200
I think you should start your own repo with:
Preference Name | Value in your own repo | Value in Tor
I'll gladly criticise/contribute, then.
Diffs between this user.js and the ghacks one have been done before, devs are happily going in parallel on their own paths.
This is new for me but I think I created a repo
Could you please check my profile and suggest how to proceed?
:+1: There's "Manage topics" below the description, you can populate some keywords.
I will add proper description. But what I am more interested in right now is the proper format for the matrix and how to get all preferences and values from the different sources in it.
I haven't used git, only svn, so it is really new to me.
@Atavic A dead horse, DNT is greatly ignored and simply makes your browser stand out in the crowd.
More and more sites are actually preventing injecting tracking scripts like GA when it is enabled
Of course using new technologies will always make the ones using them first stand out from the crowd, but this is not per se a bad thing.
Otherwise using settings from user.js could also be labeled as making you stand out from the crowd
Yes but what is 000-tor-browser.js? IOW: how is one supposed to use it?
It's Tor project's "version of user.js". Their customizations that is.
This bash script wgets this and then diffs with your own file via sed and regex.
Do you think it would be a good idea to create a matrix/table/CSV of settings? I imagine it may have the following columns:
https://github.com/pyllyukko/user.js/issues/256#issuecomment-299633764 -> https://jm42.github.io/compare-user.js/
@pyllyukko Thank you! Just to clarify: does the first link contain all possible variables or just the ones which Tor customizes? Also how can I get a full list for FF, IceCat (possibly other FF forks too)?
@pyllyukko Thank you! Just to clarify: does the first link contain all possible variables or just the ones which Tor customizes? Also how can I get a full list for FF, IceCat (possibly other FF forks too)?
Only the ones they customize. For list for FF (if I understood correctly), you can run make sourceprefs.js, that @nodiscc implemented. It doesn't cover all Firefox settings, but still plenty of.
It doesn't cover all Firefox settings
Because it is not possible or for some other reason?
I am not looking just to diff things but also to learn what each about:config setting does. Unfortunately the documentation doesn't seem to cover all of them:
http://kb.mozillazine.org/About:config_entries
Where do you (and other similar projects) get info about the undocumented variables and the extra info about the documented ones?
Because it is not possible or for some other reason?
Because some are prefs about fonts that depend on the OS. Other prefs appear after you install addons/webextensions. These prefs aren't unified for everyone.
Where do you get info?
Thanks.
Hm, that makes it more and more difficult. Having to dig through tons of info and spending many hours just to get some privacy. I appreciate the hard work you have done so far. I am questioning if I will be able to add anything meaningful in another repo.
A new repo will raise consciousness, Just do it™
What do you mean by "raise consciousness"?
Hm, that makes it more and more difficult.
We are into a community here.
Having to dig through tons of info and spending many hours just to get some privacy.
We are on the same boat, so to speak.
What do you mean by raise consciousness?
Users may find the repo discussing tor preferences and become aware.
True but becoming an expert in patching deliberately created holes on the boat just because Mozilla "respects user privacy" is not very efficient. We can keep doing this forever, they can play their tricks on us in next versions etc. Life is short, we need something better.
Yes, I don't update so often for those reasons you said above.
Where do you get info?
https://trac.torproject.org/projects/tor/query?status=!closed&component=Applications%2FTor+Browser
Because it is not possible or for some other reason?
Because they are scattered all over the place.
I am not looking just to diff things but also to learn what each about:config setting does. Unfortunately the documentation doesn't seem to cover all of them:
Yes, plenty of settings are completely undocumented.
Where do you (and other similar projects) get info about the undocumented variables and the extra info about the documented ones?
As @Atavic said:
Bugzilla.org Mercurial
Sometimes it's quite a detective work. If all else fails, we try to interpret FF's source code and see what the settings actually do.
I wonder how come nobody has created a really secure and private FOSS browser, without using a previous code base which is so full of issues and without putting the user in a situation of a detective. If even Tor needs hardening, that is a real shame.
@anchev that's because the web technologies grow so fast with new possibilities that are actually wanted by users. The secure and private part is a work that can only be properly done after the internet eco-system uses the features. Because humans always try to find ways to circumvent original intentions for evil, it's just a race between "bad-guys" and "protectors" of the internet's eco-system.
The secure and private part is a work that can only be properly done after the internet eco-system uses the features
Security through patching systems which are designed in an insecure way is not efficient. If new functions are needed, that means new design is necessary. Otherwise if one tries to fly with a bike the result is obviously dangerous.
Let me ask you something then: Do you know what will happen tomorrow in the whole world? If your answer is "Yes" then we are done talking, if it is "No" then you should accept the fact that no software can be made 100% secure and safe because of what I told you...
print("Hello world") is 100% secure :)
not when it is followed by > /etc/passwd
I have gone through each and every line of the current version (commit: 456a2b7063bbb21197769217e7ddabe31fe808d6) and I have compared the variables with those in Tor browser (the default settings in Tor which show up after downloading a clean browser).
I have added a comment at the end of each line //TOR: <value in tor> (or 'missing' if it is missing in Tor). For variables which have the same values in Tor browser I have not added comments.
Can someone please review all this? If any values are considered more private/secure we could probably notify the Tor developers. Otherwise they may change in this user.js. (I assume there may be values which are simply a preference but still worth a second look).