A Flaw With the Security Level Slider in Tor Browser

Tor Browser and Mullvad Browser users should be aware of a flaw with the Security Level slider: Not all protections advertised by the browser are properly engaged until the browser is fully restarted.

This is our public service announcement to make sure you always completely restart Tor Browser after adjusting your security settings. Relying on these indicators can create a false sense of security and potentially expose users relying on this security level slider to greater risk than they expect based on Tor Browser’s UI and documentation.


Update: @TorProject emailed us the following statement in response:

The Tor Project is aware of this issue, and it is being tracked and actively addressed. Those interested can follow the discussion and progress here: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42572. In addition to a restart prompt, we’re also exploring broader improvements to the security level system, including aligning it more closely with Tor Browser’s updated threat model[1] and possibly delegating even more of its back-end to NoScript for additional flexibility. These improvements may be part of the upcoming 15.0 release cycle.

[1]: https://gitlab.torproject.org/tpo/applications/wiki/-/wikis/


I was unable to find any documentation or open GitLab issues with Tor regarding the need to take additional steps before security settings are fully applied

some (not all) of the prefs in the slider require a restart, so it depends on the state of those prefs when you open the browser as to what you actually get in terms of security: it is a security slider. Some prefs that require a restart and some slider prefs that don’t are fingerprintable.

And not only are we adding entropy that wasn’t designed for, but we’re misleading users as to their security. We could solve this by forcing a restart but that then becomes a pain point

As shared by @any1.

There still really ought to be a warning and documentation, but there is an issue on GitLab.


I’d argue this issue is worst for Tails users since they’re most likely to not be restarting the browser, but are also likely to be changing the slider each start.

That issue was only recently made public, it was private beforehand.


Yes, but that was a month ago, not today.

If I remember correctly, I found out about it in November last year from this issue after the Mullvad Browser 14 release, and I forgot about it until I read the article. I noticed that it is still not widely known, so I made a post to draw attention to it. So it was semi-public for a few months, I guess.


Ah cool, I hadn’t seen @any1’s post when I wrote this article last night. Kind of buried in an issue about a separate proposal. It looks like the issue you linked references #41751 as the actual issue where this problem is tracked, which appears to be private/internal.

Still, good confirmation that an internal issue does exist and they have been aware of this problem for months, so this isn’t a new problem for them to deal with. Unfortunate that they haven’t fixed it in this time :frowning:

Was the issue reported to you before my post or after?

Before, total coincidence really :sweat_smile:

This article was prepared 15 hours ago, and I’d emailed Tor to see if they were aware of the issue a few hours before that: update(blog)!: Tor Security Slider Flaw · privacyguides/privacyguides.org@559fa2b · GitHub

Has this issue been replicated on Tails yet?

That is correct, you have reached out to the Tor Project and we have provided you with responses to your questions which are still not included in the article.


I don’t know if it’s the exact same issue or not, but for about a month, I have been experiencing an issue where Tor Browser does not respect security level changes. For example, if I set the slider from safer to safest and then load a new page, sometimes JavaScript will still run.

I found that if I toggle the setting enough times, I will eventually get what I set the setting to. I did not test whether or not restarting the browser makes the new setting apply.

I reported a similar (but different) issue with the security slider to Tor Browser several years ago, and based on their reply it seemed like they were not aware of the issue at the time I reported it. I failed to report the issue this time :pensive_face:


You always have to restart the browser fully when changing this setting as the article says, so if restarting the browser fixes it then it is the same problem, yes.

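The quoted GitLab comment above explains that only some of the prefs behind the slider take effect immediately, and the later post describes the visible symptom (JavaScript still running after switching to Safest). A practical way to confirm the restart advice has actually done its job is to probe what the browser exposes and compare it with what the selected level is supposed to allow. The following is an added example, not code from this thread or from the Tor Project. It checks four observable capabilities (script execution, WebAssembly, MathML, SVG); the EXPECTED table is an assumption distilled from Tor Browser's published descriptions of the Standard, Safer and Safest levels and from the prefs the slider is known to toggle, and it assumes the probe is loaded over HTTPS (Safer only disables JavaScript on non-HTTPS pages). The `probeCapabilities`, `mismatches` and `report` function names are this example's own.

```javascript
// Added example: a capability probe for checking what a Tor Browser or
// Mullvad Browser session actually exposes after the Security Level slider
// has been moved. Not code from the forum thread or from the Tor Project.
// EXPECTED is an assumption based on Tor Browser's published level
// descriptions; verify it against the version you run.

const SVG_NS = 'http://www.w3.org/2000/svg';
const MATHML_NS = 'http://www.w3.org/1998/Math/MathML';

const EXPECTED = {
  // true = the capability should be usable, false = it should be disabled
  standard: { javascript: true, wasm: true, mathml: true, svg: true },
  safer: { javascript: true, wasm: false, mathml: false, svg: true },
  safest: { javascript: false, wasm: false, mathml: false, svg: false },
};

// Observe the environment. `g` is the global object and `doc` a Document;
// both are injectable so the function can be exercised outside a browser.
function probeCapabilities(g = globalThis, doc = g.document) {
  const caps = {
    // The probe only executes when script is enabled, so this is always true
    // when observed; at Safest the page should never get this far.
    javascript: true,
    wasm: typeof g.WebAssembly === 'object' && typeof g.WebAssembly.instantiate === 'function',
    svg: null, // null = not observable (no DOM available)
    mathml: null,
  };
  if (doc && typeof doc.createElementNS === 'function') {
    // Assumption about Firefox behaviour: with svg.disabled / mathml.disabled
    // in force the interfaces still exist, but elements created in those
    // namespaces are no longer instances of them.
    const svgEl = doc.createElementNS(SVG_NS, 'svg');
    caps.svg = typeof g.SVGElement === 'function' && svgEl instanceof g.SVGElement;
    const mathEl = doc.createElementNS(MATHML_NS, 'math');
    caps.mathml = typeof g.MathMLElement === 'function' && mathEl instanceof g.MathMLElement;
  }
  return caps;
}

// Compare observed capabilities with the expectation for the selected level.
// Returns human-readable mismatches; an empty list means everything matches.
function mismatches(level, caps) {
  const want = EXPECTED[level];
  if (!want) throw new Error(`unknown security level: ${level}`);
  const out = [];
  for (const [cap, expected] of Object.entries(want)) {
    const observed = caps[cap];
    if (observed === null || observed === undefined) continue; // not observable here
    if (observed !== expected) {
      out.push(`${cap}: expected ${expected ? 'available' : 'disabled'}, observed ${observed ? 'available' : 'disabled'}`);
    }
  }
  return out;
}

// Build a report for the level you just selected on the slider. The level is
// an input because a web page cannot read the slider's own setting.
function report(level, caps = probeCapabilities()) {
  const problems = mismatches(level, caps);
  return problems.length === 0
    ? `${level}: observed capabilities match; slider state appears applied`
    : `${level}: ${problems.length} mismatch(es), restart the browser fully:\n  ${problems.join('\n  ')}`;
}

// Usage in the browser console after moving the slider, e.g. report('safest').
if (typeof document !== 'undefined') {
  console.log(report('safest'));
}
```

Paste the block into the console of a page loaded after changing the slider (or save it as a local HTML file) and call `report` with the level you selected. A non-empty mismatch list after switching to Safest, where the first entry will be that script is running at all, is exactly the state the thread describes, and the fix is the one given above: restart the browser fully, then probe again.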