[tor-talk] Risk of selectively enabling JavaScript

dhanlin MlgAcRBC at yandex.com
Mon Jan 6 17:39:21 UTC 2014


TBB enables JavaScript by default, presumably because many websites need
JavaScript.  NoScript can be used to selectively allow JavaScript from
certain domains, but doing so could make it possible to fingerprint your
Tor use.

By my judgment, you are more likely to be deanonymized by a Firefox
JavaScript vulnerability than by fingerprinting due to selective JavaScript
allowance, so it is more secure to use NoScript to selectively allow
JavaScript.  I am curious whether others agree with this assessment.  We
know that Firefox vulnerabilities have been used to deanonymize Tor
users, but we have never seen a fingerprinting attack used, AFAIK.

(I am not questioning the TBB default of allowing JavaScript; that
probably should be the default even if it increases risk, for usability
reasons.)

dhanlin

