So yesterday, I was on 11.5.7, I saw that the new update came out but my tor browser could not auto update properly. It kept saying to go to the website and download a new binary. That's ok, went to the tor site, downloaded 11.5.8 and the signature. Upon verification of the sig, the signature was incorrect. So I avoided the update and kept the 11.5.7 version.
Open the browser today, auto update tries to update to 11.5.8 and it succeeds, yay. Yet I logged onto my go to sites and realized all my settings were reverted to the defaults. Like javascript was turned on, and all the random changes I did to about:config were gone. I quickly, turned on safest mode and turned off js. I got out of the site and grabbed a new identity.
I feel like I am just being overly paranoid, but the signature not matching, and the settings turning js back on is just scary and weird. A lot of my op sec is relying on my tor settings and I feel like I just completely fucked my situation up because of it. Well like the title says should I even be concerned here about my opsec or was it just a fluke and not some weird plan to expose noobs like myself.
/u/whalez · N/A votes · 26th November, 2022 - 19:06 · Link
I recommend everyone to create a user.js file containing all of your preferred tweaks and just drop it in profile.default directory of Tor browser whenever you update. You can even create a shell script to do that automatically. That way you can be sure everything is the way you want it settings wise.
/u/whalez · N/A votes · 27th November, 2022 - 01:10 · Link
Done did a wee little guide if someone is interested in this topic: /post/2a21199e0a062593cea4
/u/radtadbad · N/A votes · 28th November, 2022 - 06:39 · Link
Thank you for this information. I am going to follow your little guide and at least get the javascript stuff handled safely. I need to go and revisit the hardening guide and try my best to remember what exactly I changed.
/u/newbieforever2018 · N/A votes · 26th November, 2022 - 07:36 · Link
You are not alone. Every single update: - Type "about:config" in your address bar. - Search for "javascript". - Set "javscript.enabled" to "false".
/u/[deleted] · N/A votes · 26th November, 2022 - 16:00 · Link
[removed]
/u/radtadbad · N/A votes · 28th November, 2022 - 06:41 · Link
Will do! Just another step in the process of trying to be safe.
/u/HugBunter · N/A votes · 26th November, 2022 - 18:00 · Link
Because instead of doing it at engine level, they use the NoScript extension so it is possible to whitelist sites and other customizations within a common user interface. NoScript does prevents JS from executing, but the reason it is recommended to do so at the engine level as in newbie's comment, is that it ensures that you don't have to trust an extension to stop JS. There was in the past exploits to bypass NoScript and I'm pretty sure even a broken update that didn't disable JS or to some extent at least.
/u/Exeter · N/A votes · 28th November, 2022 - 05:26 · Link
There was an incident a few years ago where an internal certificate used by Mozilla for Firefox add-ons expired. This implicated Tor Browser that rendered NoScript and its functionality to disable JavaScript inoperable. Search "Add-ons/Expired-Certificate-Technical-Report" on clearnet for more info (wiki.mozilla.org)
/u/newbieforever2018 · N/A votes · 28th November, 2022 - 07:19 · Link
Excellent!
/u/GOUPIL · N/A votes · 26th November, 2022 - 17:00 · Link
unfortunately we can't trust the shield icon! always look after about:config > javascript
/u/NorthOfTheNeXus · N/A votes · 26th November, 2022 - 07:11 · Link
i just did the update too and can confirm it turned java on. this has happened before about a year ago
/u/radtadbad · N/A votes · 26th November, 2022 - 07:20 · Link
Thanks for the response, it feels good to know that I am not completely losing my mind here. I will plan on making a better approach for updates in the future where I check js on a known and trusted site before venturing into the dark.
/u/deejmaheii · N/A votes · 26th November, 2022 - 07:18 · Link
u just go to setting and make the safest in the browser setting mate
/u/NorthOfTheNeXus · N/A votes · 26th November, 2022 - 07:37 · Link
that is true, but as the op said it also changed other setting
/u/genz · N/A votes · 26th November, 2022 - 07:55 · Link
Thank you for this warning! I just checked my setting and the JavaScript has turned back on! You are definitely not alone!
/u/Notchsmith · N/A votes · 26th November, 2022 - 08:48 · Link
Yeah, I also updated. First thing I did was to check in about:config if it messed with settings. This time paranoia paid out.
/u/Preview-Of-Freedom · N/A votes · 26th November, 2022 - 09:01 · Link
i noticed this all so. but i always go through a check with every up date. i noticed that in about:config that javascript enabled was set to "true" but my security slider stayed at safest which is supposed to disable java script. when i noticed this i went to test it by checking a web app that tells you if you have java script enabled. when i did this it told me that i did not have java script enable even tho about:config told me that it was enabled and my security slider was on safest saying that it was dis abled. i can not explain this but it was strange. after i confirmed that java script was dis abled i went ahead and changed the about:config value to false. i then went through all of the hardening steps again to make sure that the configurations were optimal. stay safe out there and always share information like this it is what makes this community the best community out here ;-) best wishes PoF
/u/BigDaddy2K · N/A votes · 26th November, 2022 - 19:02 · Link
important alert