Interestingly, Mullvad now says that:
Changing the security level modifies the browser fingerprint, and is not recommended
I wonder if that’s the case with Tor Browser as well.
1 Like
That’s strange. My understanding was that they were okay with the three security levels representing three pools of users. If this is going to be the case then I think it would be sensible to make ‘safer’ the new default.
It should’ve been the default since day 1
5 Likes
i had set the security level to “safer” before the update.
After the update the security level icon gets removed from the tab. Though its still present in the settings.
Also the fingerprint on creepjs after this update has changed. Though i didn’t expect it to.
Strange because I’m always changing my security settings lol. Click-to-play on safer breaks a lot of things.
can we add exceptions for a specific website to ‘Standard’ security level?
3 Likes
lack of remote fonts makes websites look like trash. I still think the default should have remote fonts enabled, although I agree with disabling JIT by default
So what is the now “correct” setting? Standard? I’m not aware what the default value is.
Yep, Standard is the default. However, as we have said above, some of us feel ‘Safer’ would be a more sane default. We have been using it [‘Safer’]
under the guise that it didn’t really matter for fingerprinting purposes.
2 Likes
Standard is default, and you can only modify it from the settings panel.
1 Like
Their answer:
“Security and privacy are not equivalent. While not running javascript will make you more secure, by virtue of not running random code from a webpage, it will make you stand out as a user NOT using javascript amongst the majority of user using javascript.”
1 Like
That doesn’t really answer the question at all. The question was that since TB has a higher threat model than MB, how come MB is more concerned with fingerprinting than TB is?
Their recommendation of not changing the security level from Standard isn’t a good recommendation imo and removing the security levels from the toolbar discourages users of MB from using other security levels.
Why not entirely remove security levels in MB at that point? At least this way all users will have the same configuration and aren’t risking standing out by changing to a lesser-used security level.
5 Likes
This is almost certainly the longterm goal.
1 Like
Thorin of Arkenfox & Tor Project has asked me to relay the following message:
“security levels” have always altered the fingerprint, it literally turns features on and off. It was added as a necessary setting for security / specific threat model(s)
TB/MB have always been default standard (AFAICT), as the browser needs to be as usable/compat-friendly as possible, because having regular users and growing the crowd is important
I wasn’t part of the threat modeling when this was designed, but these days a lot of the original threats are now lesser or indeed gone (i.e some safer changes have been removed)
TB/MB will be reassessing this when we get to it, along with some other issues about “safer” which I can’t get into
In terms of threat modelling (and I am just expressing my own opinion here), MB users shouldn’t even need “safer”, it’s just a buzzy word for script kiddies to say “oh look ma, no-jit baby”. Personally I think safer needs to die (and you don’t know what I know). If you’re really worried about JIT for example, then why do you even have JS enabled, use Safest.
5 Likes
Bruh.
Sounds like throwing out a baby with the bath.
1 Like
The key is how much % of TB/MB users each mode. As long as the crowd is big enough, then that would be fine. But MB is an outlier has it probably has WAY less user, so splitting them in 3 make a really big difference.
1 Like
That last paragraph does sound like Thorin lol.
In any case, I was aware they would alter the fingerprint. Its just that ive always thought that Tor Browser assumes a higher threatmodel then Mullvad browser, which is why it was interesting for me to see that Mullvad, seemingly oriented for “normal people” for “normal” browsing, would take this step before TB would.
1 Like
I think a lot of people are missing we’re not removing the ability of changing the security level, we have removed the security level button on the toolbar.
The very big majority of users won’t need to change the security levels, and the ones who need to change it will find it in the settings. (the button can be manually re-added)
Personally (= my personal point of view ), it would be better to focus on threat model when talking and presenting browser settings (security level included).
Mullvad Browser threat model can be defined as “fighting against mass surveillance, tracking and big data”. And hopefully we’ll be more and more aligned with it in terms of user experience.
That doesn’t mean you won’t be able to have a stricter threat model than the default on Mullvad Browser.
3 Likes