Solve security slider (maybe remove safer)

  • Open Issue created by ruihildt

    fyi for readers: thorin is the author

    • an empty confidential issue created by rui so he could access it
    • description filled in by thorin

    reduce (or remove security levels)

    • at the very least I think we could get rid of safer

    Some thoughts

    1. It creates extra buckets of users
    2. see #41751 where some safer settings are only applied at startup (AFAICT) and thus create unintended entropy if a user changes the level between safer vs standard mid session
    3. same issue: we don't require a restart but the three javascript ones do, so we need to engineer that
    4. some items are probably no longer the threat they once were, but we need to check
      • e.g. RDD, RLBox. maturity etc
      • such as svg, mathml
    5. some items we could maybe set the stricter mode at "standard" such as HoM
    6. there are only 10 items in safer and given some are weak to include, and others are less of a threat than many years ago, I do not think this level even deserves to exist as a threat model
    7. If NoScript could handle a no JS level, then we could get rid of this concept entirely
    8. this would fix/close issues such as the one with users wanting security settings per site
    9. reduce maintenance and footguns

    class, discuss!!


    levels https://gitlab.torproject.org/tpo/applications/tor-browser/-/blob/tor-browser-128.9.0esr-14.5-1/toolkit/components/securitylevel/SecurityLevel.sys.mjs?ref_type=heads#L250-269

    // __kSecuritySettings__.
    // A table of all prefs bound to the security slider, and the value
    // for each security setting. Note that 2-m and 3-m are identical,
    // corresponding to the old 2-medium-high setting. We also separately
    // bind NoScript settings to the browser.security_level.security_slider
    // (see noscript-control.js).
    /* eslint-disable */
    // prettier-ignore
    const kSecuritySettings = {
      // Preference name:                        [0, 1-high 2-m    3-m    4-low]
      "javascript.options.ion":                  [,  false, false, false, true ],
      "javascript.options.baselinejit":          [,  false, false, false, true ],
      "javascript.options.native_regexp":        [,  false, false, false, true ],
      "mathml.disabled":                         [,  true,  true,  true,  false],
      "gfx.font_rendering.graphite.enabled":     [,  false, false, false, true ],
      "gfx.font_rendering.opentype_svg.enabled": [,  false, false, false, true ],
      "svg.disabled":                            [,  true,  false, false, false],
      "javascript.options.asmjs":                [,  false, false, false, true ],
      "javascript.options.wasm":                 [,  false, false, false, true ],
    };
    
    
    Edited by Thorin

    Linked items 18

    Activity

    • Thorin changed title from Confidential issue for Thorin to reduce or remove security levels
    • Thorin changed the description
    • Thorin changed title from reduce or remove security levels to solve security levels
    • Thorin changed the description
    • Thorin marked this issue as related to #42119 (closed)
    • Thorin marked this issue as related to #42149 (closed)
    • Thorin marked this issue as related to #30570
    • Thorin marked this issue as related to #40087
    • Thorin marked this issue as related to #42498
    • Thorin marked this issue as related to #41494
    • Thorin marked this issue as related to #41469
    • Thorin marked this issue as related to #42317 (closed)
    • Thorin marked this issue as related to #41170 (closed)
    • Thorin marked this issue as related to #27607
    • Thorin marked this issue as related to #40973
    • Thorin marked this issue as related to #33000 (closed)
    • Thorin marked this issue as related to mullvad-browser#329 (closed)
    • donuts marked this issue as related to #42822
    • donuts mentioned in issue #42822
    • Thorin marked this issue as related to #43213 (closed)
    • Thorin marked this issue as related to #43385
    • morgan changed title from solve security levels to Maybe remove 'Safer' Security Level
    • Thorin marked this issue as related to #43516
    • Thorin marked this issue as related to #20314
    • Thorin changed title from Maybe remove 'Safer' Security Level to solve security slider (maybe remove safer)
    • Thorin made the issue visible to everyone
      • donuts
        Owner

        This feels like more of a technical discussion than a UX one, but I'm curious how our users are distributed between the three security levels. For example I suspect that "Safer" may be underutilized, with most users either remaining on the default security level or boosting all the way up to "Safest" – however this is just a hunch, and I have no evidence for or against this theory.

      • Thorin
        Developer

        some (not all) of the prefs in the slider require a restart, so it depends on the state of those prefs when you open the browser as to what you actually get in terms of security: it is a security slider. Some prefs that require a restart and some slider prefs that don't are fingerprintable. This causes two issues

        the first is we have extra fingerprinting

        • I open TB in standard I have fingerprint A (all slider changes are in effect)
        • I open TB in safer I have fingerprint B (all slider changes are in effect)
        • I open TB in standard then switch to safer I have fingerprint C (not all slider changes are in effect)
        • I open TB in safer then switch to standard I have fingerprint D (not all slider changes are in effect)

        And not only are we adding entropy that wasn't designed for, but we're misleading users as to their security. We could solve this by forcing a restart but that then becomes a pain point

        To add to the misery, users want per site settings but these are global settings/prefs. And when you change the slider it changes for all open tabs (well, the prefs that don't require a restart that is).

        Then you have users who want different slider configs and go into about:config and change prefs. This is supposed to add a badge to the slider icon to warn them but this is broken. The main config seems to be allowing svg in safest, but I've also seen requests/questions for other configs

        And over time the slider changes have become less. And some more can probably be dropped

        IMO if you require some safer options (such as disabled JIT/ion) then you probably need safest (no javascript) - and honestly, I'd rather this was the only choice for users rather than have them use compromised safer settings and be misled.

        All this is to say, the slider has so many issues that we should seriously consider removing the entire thing - and have two modes - no JS (via NoScript which can also block svg and fonts and mathml) and default. No slider anywhere. This then allows for per site settings, removes all ambiguity, stops users effecting change from about:config, doesn't require a restart, and no longer misleads anyone or puts their security at risk

        If you want any more reasons, I have some cowbell

        Once again, security is on the line .... class discuss! or do we wait for duncan's law to strike

        Edited by Thorin
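
The mixed states described in item 2 of the description and in Thorin's comment above, modelled as an added example (not Tor Browser code and not part of the original thread). The table is copied from the description and indexed by slider value following its header row (1 safest, 2 safer, 4 standard); `RESTART_ONLY` is an assumed placeholder set, since the thread says "the three javascript ones" without naming them, and `effectiveState`, `drift` and `buckets` are hypothetical helpers.

```javascript
// Added illustration, not Tor Browser code. Rows copied from the issue
// description; columns are indexed by slider value (1 safest, 2 safer, 4 standard).
const kSecuritySettings = {
  "javascript.options.ion":                  [, false, false, false, true ],
  "javascript.options.baselinejit":          [, false, false, false, true ],
  "javascript.options.native_regexp":        [, false, false, false, true ],
  "mathml.disabled":                         [, true,  true,  true,  false],
  "gfx.font_rendering.graphite.enabled":     [, false, false, false, true ],
  "gfx.font_rendering.opentype_svg.enabled": [, false, false, false, true ],
  "svg.disabled":                            [, true,  false, false, false],
  "javascript.options.asmjs":                [, false, false, false, true ],
  "javascript.options.wasm":                 [, false, false, false, true ],
};
const LEVEL = { safest: 1, safer: 2, standard: 4 };

// ASSUMPTION: prefs that are only read at startup. The issue does not name
// them; this set is a placeholder chosen for the illustration.
const RESTART_ONLY = new Set([
  "javascript.options.ion",
  "javascript.options.baselinejit",
  "javascript.options.native_regexp",
]);

// Values actually in effect after starting at levels[0] and then moving the
// slider through the remaining levels without restarting.
function effectiveState(levels) {
  const state = {};
  for (const [pref, row] of Object.entries(kSecuritySettings)) {
    state[pref] = row[LEVEL[levels[0]]];
  }
  for (const level of levels.slice(1)) {
    for (const [pref, row] of Object.entries(kSecuritySettings)) {
      if (!RESTART_ONLY.has(pref)) state[pref] = row[LEVEL[level]];
    }
  }
  return state;
}

// Prefs whose live value differs from what the selected (last) level promises.
function drift(levels) {
  const live = effectiveState(levels);
  const want = LEVEL[levels[levels.length - 1]];
  return Object.keys(live).filter((p) => live[p] !== kSecuritySettings[p][want]);
}

// Number of distinct effective configurations across a list of sessions.
function buckets(sessions) {
  return new Set(sessions.map((s) => JSON.stringify(effectiveState(s)))).size;
}
```

Under that assumption, the four sessions in the comment give four distinct configurations, and `drift(["standard", "safer"])` lists the prefs still running at their standard values while the slider shows safer.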
      • donuts
        Owner

        Thanks @thorin,

        > Then you have users who want different slider configs and go into about:config and change prefs. This is supposed to add a badge to the slider icon to warn them but this is broken.

        Is there an issue open for this bug, do you know?

      • Thorin
        Developer

        it's a meta ... looking at the 19 linked items up above ... #43213 (closed) mentions it .. also why is @pierov not participating

      • Thorin
        Developer

        me

        > stops users effecting change from about:config

        well, actually they still can but it wouldn't affect the NoJS level, because NoScript is doing the blocking, so enabling svg via prefs won't work. Also, time to make about:config scary as per the issue wherever that is before another year passes

      • Pier Angelo Vendrame
        Maintainer

        > Then you have users who want different slider configs and go into about:config and change prefs. This is supposed to add a badge to the slider icon to warn them but this is broken.

        > Is there an issue open for this bug, do you know?

        It does work for me, I tried with javascript.options.ion.

        svg.disabled is a problematic one.

        > also why is @pierov not participating

        This is outside my domain.

        I guess @ma1 would probably be a better fit to re-evaluate all of this.

    • morgan mentioned in issue #41170 (closed)
    • morgan added Apps::Impact::High label
    • Thorin changed the description
    • Thorin changed the description
    • ma1 changed title from solve security slider (maybe remove safer) to Solve security slider (maybe remove safer)