[tor-talk] Javascript vs privacy?
Jon Tullett
jon.tullett at gmail.com
Tue Aug 6 11:37:32 UTC 2013
Hi all
I have a couple of questions related to the Freedom Hosting saga.
Disclosure: I'm a journalist and I'm writing about this, but I won't
quote anyone without prior permission.
So:
My understanding is that NoScript shipped disabled in the TBB because
that would reduce the likelihood of the browser being fingerprinted -
a conscious decision intended to strengthen privacy. However, it seems
that doing so exposed users to a Javascript exploit (and probably
predictably so: Javascript's attack surface is famous).
So I have two questions:
1) Will this incident, with Tor users being specifically targeted via
JS attacks, lead to the NoScript policy being reconsidered, i.e. is the
privacy consideration still considered to outweigh the security
issues? Or maybe more awareness for users, e.g. on the TBB landing page?
"You have Javascript on. You are likely to be pwned by a grue."
2) Is there a concern that other agencies will use similar techniques
to attack Tor users, and does (or should) that affect the answer to
the first question? For example, I could well imagine a repressive
regime setting up a fake .onion bulletin board to encourage dissident
discussion. Since TBB ships with a specific, known, point release of a
browser, that would seem to make it easier for targeted attacks. Maybe
I'm paranoid, but I'd have thought it likely that a state intelligence
agency with a cyberwar budget would be sitting on working 0-days for
pretty much any browser, so the actual version may not matter much.
I'd also be very interested to know whether there are any available
stats regarding the % of Tor users who use TBB versus Whonix versus
Tails etc, and whether that changes now, but I understand that even
high-level stats like that could carry privacy concerns.
Any input welcome!
-Jon