[tor-bugs] #10774 [Torbutton]: NoScript/Javascript Enabled by Default for past several versions of TorBrowser
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jan 30 07:53:36 UTC 2014
#10774: NoScript/Javascript Enabled by Default for past several versions of
TorBrowser
-----------------------+-------------------------------
Reporter: gilidula | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Torbutton | Version: Tor: 0.2.4.19
Keywords: | Actual Points:
Parent ID: | Points:
-----------------------+-------------------------------
Software: TorBrowser 3.5.1
The TorBrowser is enabling Javascript by default.
Javascript has PROVED to be the main attack vector from the variety of
government attackers we have seen in the past year. Almost all attacks
were to create a maliscious javascript on a compromised hidden service or
website, in order to reveal the real IP address of the client. These
attacks have been mostly successful, according to news reports.
https://www.torproject.org/projects/torbrowser/design/#DesignRequirements
Security Requirements
"The security requirements are primarily concerned with ensuring the safe
use of Tor. Violations in these properties typically result in serious
risk for the user in terms of immediate deanonymization and/or
observability. With respect to browser support, security requirements are
the minimum properties in order for Tor to support the use of a particular
browser. "
We have recently had several real-world attacks on tor users using
javascript, amoung them "Freedom Hosting." The attack vectors are very
large. In that case, users running the latest version of the browser, or
users with javascript disabled, were protected. Users that didn't upgrade
in time had their IP Address revealed.
Recent disclosures have revealed that entities are able to insert code
into network streams at any point, anywhere in the world, and redirect
users to fake sites with malicious code. Of course exit nodes can do this
as well, or hidden services.
At this point, the number one issue with Tor Anonymity, as demonstrated in
these real-world scenarios, as verified and stated by the Tor project
leader, and in the disclosures, is BROWSER COMPROMISE. That IS the cause
of deanoymization. #1!
Since the main point of the Tor Browser above all else is to not reveal
the IP Address of the user, in this "new threat model," it will be a
requirement to reduce the attack space in the default settings.
Users have called and cried anc cried to no avail to the Tor project to
disable Javascript for YEARS. And they have been proven correct, and
still, in this latest version, Javascript is enabled globally by default.
This forces other distributors like TAILS to likewise enable it for
fingerprinting reasons. Yet the reality is, a large number of tor users
already have it disabled.
If there is a usability issue with NoScript, then that must be solved as
the root problem here, but by default users should get an "as safe as
possible" experience.
In terms of fingerprintability, Tor Browser is already not trying to mask
that the user is using Tor when visiting a site--all plugins disabled, tor
browser user agent, obfuscated API calls, not to mention coming from a Tor
exit node. There fore, fingerprintability is a feature that should apply
not to the pool of WWW users, but to the pool of Tor WWW users.
Therefore, there is no arguement to enable or disable javascript from a
fingerprint perspective, as all tor browsers can have it enabled, or
disabled, by default. Disabling javascript could only help reduce
fingerprintability across Tor users.
Given the attack space, having Javascript enabled by default creates a
false sense of security for the users, and hence is a defect.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10774>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list