WEBVTT

00:00.090 --> 00:06.870
Now that we covered most features of the Tor browser, I want to spend one more lecture talking about

00:06.870 --> 00:08.400
the security settings.

00:08.400 --> 00:15.300
What do they change, and how do these changes affect our privacy and anonymity?

00:16.680 --> 00:22.770
We can access the security settings from the shield icon here beside the onion that we were using in

00:22.770 --> 00:23.880
the previous lecture.

00:24.180 --> 00:29.610
If this shield is empty, it means the security settings are set to the standard settings.

00:30.150 --> 00:33.840
Clicking on it again will show you the security level that you have right now.

00:33.840 --> 00:35.880
And as you can see, I'm at standard.

00:36.330 --> 00:40.320
If you want to change this, you can click on advanced security settings.

00:40.320 --> 00:41.040
And here.

00:43.330 --> 00:48.180
You can also access this from the options menu like I showed you in the previous lecture.

00:48.190 --> 00:56.890
So you just go here, you go to options and then go to privacy and scroll down to the security levels.

00:57.400 --> 01:02.560
So as you can see, we have three main very simple security levels. Right now

01:02.560 --> 01:05.230
we're set to standard, which is the default.

01:05.260 --> 01:13.210
This option will make Tor browser as usable as any other browser, just a little bit slower, but it

01:13.210 --> 01:15.070
will allow you to access everything.

01:15.070 --> 01:22.390
All content is available, scripts will not be blocked, so it will make all websites very nice and

01:22.390 --> 01:23.050
usable.

01:23.050 --> 01:29.650
But it is not the most secure setting, especially if you're using Tor browser on Windows, which is

01:29.650 --> 01:32.440
not a very secure operating system by default.

01:33.690 --> 01:40.050
So cranking this up to safer will disable JavaScript on HTTP pages.

01:40.410 --> 01:44.580
It will also disable some fonts and other HTML content.

01:44.580 --> 01:49.080
So it might make websites function slightly different than normal.

01:49.080 --> 01:55.710
They might look slightly different than normal, but it will be a little bit safer and more private.

01:56.010 --> 02:04.020
And then if you crank this up all the way to the safest, it will disable JavaScript on all pages, even

02:04.020 --> 02:05.670
HTTPS pages.

02:05.700 --> 02:12.360
Obviously all traffic will be forced over HTTPS because Tor comes with HTTPS Everywhere.

02:12.390 --> 02:14.620
Videos will not play by default.

02:14.640 --> 02:21.780
A lot of other HTML content will be blocked to make sure that you get the highest levels of security

02:21.780 --> 02:24.270
and anonymity out of this browser.

02:25.020 --> 02:30.270
Note how changing the security level in here changes the icon on the top right.

02:30.270 --> 02:35.580
So in the future, when you're using Tor and you're not sure what level you're in, you can simply look

02:35.580 --> 02:37.050
at the icon. If it's full,

02:37.080 --> 02:38.460
that means you're in safest.

02:38.460 --> 02:40.650
If it's half full, that means you're in safer.

02:40.650 --> 02:43.440
And if it's empty, it means you're on standard.

02:43.500 --> 02:48.210
You can also just click it to see exactly what security level you're on.

02:48.960 --> 02:54.180
So now that I'm happy with my level, I'm going to keep it at the safest and we're going to close this.

02:54.870 --> 03:02.040
And I actually want to show you the results of some tests that I did for the three different security

03:02.040 --> 03:02.730
levels.

03:03.330 --> 03:10.230
So with the basic or standard security level, I use this website right here and I'm going to include

03:10.230 --> 03:12.600
its link in the resources of this lecture.

03:12.840 --> 03:20.370
Basically, this website runs a number of tests to see how much information your browser is giving about

03:20.370 --> 03:20.880
you.

03:21.450 --> 03:26.820
So as you can see with the standard, the browser is blocking ads.

03:27.150 --> 03:29.970
It's not blocking invisible trackers.

03:30.360 --> 03:35.840
It blocks parties that honor the Do Not Track promise.

03:35.850 --> 03:36.660
This is fine.

03:36.660 --> 03:37.470
This is good.

03:37.860 --> 03:41.910
And finally, it does not protect from fingerprinting.

03:41.910 --> 03:45.270
So it's telling us that the browser has a unique fingerprint.

03:45.870 --> 03:52.800
And at the bottom here, if you read this statistic, it's telling you that among the more than 200,000

03:52.800 --> 04:01.530
browsers that were tested on this website, our browser appears to be unique so it can be used to basically

04:01.530 --> 04:02.880
identify us.

04:03.950 --> 04:12.680
And in here it's telling us that there are at least 17.84 bits of identifying information that can be

04:12.680 --> 04:16.160
gathered by literally analyzing our browser.

04:17.610 --> 04:18.120
Now.

04:18.120 --> 04:23.430
I've also run the same test after changing my security level to medium.

04:23.970 --> 04:29.430
And if you come here, you'll see that my browser is blocking tracking ads.

04:29.460 --> 04:36.420
It also has partial protection against blocking invisible trackers, which is, again, very similar

04:36.420 --> 04:38.310
to what we had with the standard.

04:38.790 --> 04:43.890
We can also see that our browser blocks acceptable ads.

04:44.250 --> 04:47.500
It still blocks parties that honor the do not track.

04:47.520 --> 04:49.220
Like I said, this is fine.

04:49.230 --> 04:53.940
And finally, our browser still has a unique fingerprint.

04:55.640 --> 05:00.020
Now again, if we click on the show, the full details, we can get the statistics.

05:00.140 --> 05:09.260
And again, it's saying that our browser is still unique and the browser is giving 17.84 bits

05:09.260 --> 05:11.480
of identifying information.

05:11.510 --> 05:15.650
Again, it's actually identical to what we got with the standard.

05:17.210 --> 05:17.630
Now.

05:17.630 --> 05:23.420
Finally, I cranked my security all the way to the highest, similar to what I have right now.

05:23.420 --> 05:25.670
And I ran the same test in here.

05:25.850 --> 05:28.600
And as you can see, the results are much better.

05:28.610 --> 05:31.160
So again, browser is blocking all in us.

05:31.160 --> 05:31.820
This is fine.

05:31.820 --> 05:35.180
It was happening with both standard and medium.

05:35.840 --> 05:39.650
Then it's also blocking invisible trackers.

05:40.100 --> 05:43.040
It's not accepting the do not track commitment.

05:43.040 --> 05:45.320
Like I said, this is fine, this is good.

05:45.320 --> 05:51.290
And finally, when it's saying, does your browser protect you from fingerprinting, this is yes.

05:51.290 --> 05:53.960
So this is the main thing that's different here.

05:53.960 --> 06:00.860
If you look here and it says no, and in the standard, again, it was saying no.

06:00.860 --> 06:07.850
So our browser had a unique fingerprint, whereas right now it has a less unique fingerprint, if you

06:07.850 --> 06:09.260
want to think of it that way.

06:09.710 --> 06:17.060
So looking at this statistic here, it's saying that only one in 114 browsers have the same fingerprint,

06:17.060 --> 06:23.510
whereas before we had one unique fingerprint among more than 200,000 browsers.

06:24.080 --> 06:31.580
Not only that, but our browser now only gives 6.84 bits of identifying information.

06:31.580 --> 06:38.570
Whereas, as shown before, here and here with the two medium and low security settings, it was giving

06:38.570 --> 06:40.910
17.84.

06:41.120 --> 06:47.930
So with the high security settings, you're giving much less information about your browser and about

06:47.930 --> 06:49.430
yourself in general.

06:50.580 --> 06:57.930
Now you can actually scroll down here after clicking on more information to see where exactly these

06:57.930 --> 07:00.810
bits of information are coming from.

07:01.740 --> 07:10.290
So you can see the user agent of the browser is revealing 3.74 bits of information about you.

07:10.320 --> 07:16.140
You can see the HTTP header here revealing the language used along with more information.

07:16.170 --> 07:20.310
Again, this is accounting for 1.58 bits of info.

07:20.940 --> 07:27.450
Going down, we can see the browser plugins are revealing information, the time zone, even the screen

07:27.450 --> 07:29.220
size and the colour depth.

07:29.220 --> 07:35.100
And that's why I said don't maximise the screen because if you maximise it, this will give the true

07:35.100 --> 07:39.150
size of your monitor again giving even more information.

07:39.150 --> 07:46.650
And if you keep scrolling down here, you'll see exactly where each bit of information is coming from

07:46.650 --> 07:53.700
and giving us the total of 17.48 in this example, when we had the security at medium.

07:55.110 --> 07:56.970
Now you might think, big deal.

07:56.970 --> 08:01.690
So what if my browser is giving 17.84 bits of information?

08:01.710 --> 08:03.060
What does that mean?

08:03.690 --> 08:12.120
Well, according to information theory, this information can be added together in order to identify

08:12.120 --> 08:12.750
you.

08:13.410 --> 08:17.730
In information theory, information is measured in bits.

08:17.820 --> 08:25.170
And according to this formula right here, we can calculate the amount of information a certain fact

08:25.170 --> 08:30.240
such as your browser plug-ins can reveal about your identity.

08:30.960 --> 08:38.490
Like I said, this is measured in bits and adding all these bits together can be used to identify you.

08:39.420 --> 08:47.180
So at the time of recording this lecture, the population of Earth is around 77 billion.

08:47.190 --> 08:50.760
Plugging this value into this equation right here,

08:50.760 --> 08:59.400
we can see that in order to identify a person on Earth, all we need is 32.8,

08:59.400 --> 09:03.210
so nearly 33 bits of information.

09:03.990 --> 09:10.860
So when searching for someone, we start adding the bits of information that we discover about them

09:10.860 --> 09:17.400
one by one, such as their language, their location, the browser they use, and so on.

09:17.490 --> 09:25.740
Once we get about 33 bits of information, identifying this person will become relatively easy.

09:26.820 --> 09:34.320
So going back to what we had here, you can see the browser in the medium security settings is already

09:34.320 --> 09:38.760
revealing 17.8 bits of information about you.

09:38.790 --> 09:45.990
So all that's left is only 15 bits of information, and locating you will be relatively easy.

09:46.410 --> 09:52.080
Now, granted, some of the information that we see here is incorrect, such as the screen size, because

09:52.080 --> 09:54.150
we don't have the screen in full screen.

09:54.210 --> 09:56.030
But you get the idea.

09:56.040 --> 10:02.910
The more bits that your browser is giving about you, the worse, because these bits can be used to locate

10:02.910 --> 10:04.620
and identify you.

10:05.340 --> 10:13.230
So if we look at the high security, we can see we're only revealing 6.84 bits of information.

10:13.230 --> 10:17.010
And as I said before, some of this information is incorrect.

10:17.010 --> 10:19.560
So it's a pretty good start.

10:20.130 --> 10:26.460
And again, as we go through the course, we're going to talk about more advanced methods of protecting

10:26.460 --> 10:28.740
our security and anonymity.
