[tor-talk] Risk of selectively enabling JavaScript
Mark McCarron
mark.mccarron at live.co.uk
Tue Jan 7 12:58:49 UTC 2014
JavaScript, by itself, is not an issue and poses no more of a security threat than any other type of data transferred online. Coding errors in image handling, HTML parsing, FTP, etc., can all be used to inject code. The idea that you are gaining some security or increased anonymity by disabling JavaScript is outright nonsense. As TBB is a standard product, its fingerprint should be the same for everyone.
The fact that TBB disables JavaScript is a testimony to how bad the JavaScript coders of Firefox are. I think an investigation is warranted that highlights the particular developers at Mozilla who have introduced bugs into JavaScript handling. Then get rid of them as a security precaution. I am quite confident that we would trace this to a small number of individuals in that team. I have concerns that Mozilla has not already adopted this approach.
I think there is a solid argument for adding filters to the exit nodes that strip anything that could be used against a person and enforce default headers, etc. This will kill any fingerprinting, injection and tracking attempts. If anyone still requires full non-modified access, they should be forced to explicitly allow that by clicking a button.
That said, all of this is a complete waste of time if Tor does not start integrating techniques to prevent traffic analysis.
Regards,
Mark McCarron
> Date: Tue, 7 Jan 2014 05:09:23 -0500
> From: mikewolf53 at gmail.com
> To: tor-talk at lists.torproject.org
> Subject: Re: [tor-talk] Risk of selectively enabling JavaScript
>
> On 1/6/2014 12:39 PM, dhanlin wrote:
> > TBB enables JavaScript by default, presumably because many websites need
> > JavaScript. NoScript can be used to selectively allow JavaScript from
> > certain domains, but doing so could make it possible to fingerprint your
> > Tor use.
> >
> > By my judgment, you are more likely to be deanonymized by a Firefox
> > JavaScript vulnerability than fingerprinting due to selective JavaScript
> > allowance, so it is more secure to use NoScript to selectively allow
> > JavaScript. I am curious whether others agree with this assessment? We
> > know that Firefox vulnerabilities have been used to deanonymize Tor
> > users, but we have never seen a fingerprinting attack used, AFAIK.
> >
> > (I am not questioning the TBB default of allowing JavaScript; that
> > probably should be the default even if it increases risk, for usability
> > reasons.)
> >
> > dhanlin
> >
>
> I agree -- while a JS vulnerability can outright deanonymize someone
> (location revealed), selectively enabling JS at worst allows
> fingerprinting with location kept private.
>
> I've not investigated how TBB handles things like 3rd-party cookies and
> remote .js files when JavaScript is disabled, but it seems like simply
> not loading/storing these things would make it next to impossible to
> actually fingerprint someone. Considering that exit nodes are rotated,
> is it possible anyone could determine it was the same browser viewing
> youtube with JS turned on and CNN with JS turned off? What would allow
> this?
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
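The fingerprinting concern raised in the quoted thread (a per-site script allow-list that differs from the standard TBB configuration makes a user distinguishable) and the closing question (what a single site could learn from "JS on" here and "JS off" there) can be made concrete with a small anonymity-set model. The following is an added example, not code from the thread or from the Tor Browser project; the population counts and domain names are constructed for illustration and are not measurements.

```python
"""Anonymity-set model of per-site script allow-lists (added example, not from the thread).

Each user is represented by the set of sites on which they allow scripts.
The constant "*" stands for the standard TBB configuration in which scripts
run everywhere; an empty set means scripts are disabled globally.
"""
from collections import Counter
from math import log2

DEFAULT = frozenset({"*"})  # standard TBB configuration: scripts allowed everywhere

# Constructed population of 1000 users (hypothetical numbers, not data).
POPULATION = (
    [DEFAULT] * 900
    + [frozenset()] * 60                                   # scripts off everywhere
    + [frozenset({"youtube.com"})] * 30
    + [frozenset({"youtube.com", "cnn.com"})] * 8
    + [frozenset({"youtube.com", "cnn.com", "example.org"})] * 2
)


def scripts_run(config, site):
    """Would scripts execute on `site` for a user with this allow-list?"""
    return "*" in config or site in config


def anonymity_sets(population):
    """Map each distinct configuration to the number of users sharing it."""
    return Counter(population)


def identifying_bits(config, population):
    """Surprisal of one configuration: how many bits it reveals about who you are.

    A configuration shared by everyone reveals 0 bits; one shared by only
    two of 1000 users reveals log2(500) ~ 8.97 bits.
    """
    return log2(len(population) / anonymity_sets(population)[config])


def config_entropy_bits(population):
    """Shannon entropy of the configuration distribution across the population."""
    n = len(population)
    return -sum(c / n * log2(c / n) for c in anonymity_sets(population).values())


def observation_set_size(population, site, js_ran):
    """How many users are consistent with a single site's observation.

    A site only sees whether scripts ran for this visitor; it cannot read the
    allow-list itself. The answer to the thread's closing question is that one
    observation narrows the visitor down to everyone whose configuration
    yields the same outcome on that site.
    """
    return sum(1 for cfg in population if scripts_run(cfg, site) == js_ran)


if __name__ == "__main__":
    for cfg, count in sorted(anonymity_sets(POPULATION).items(), key=lambda kv: -kv[1]):
        label = "default (all sites)" if cfg == DEFAULT else sorted(cfg) or "none"
        print(f"{count:4d} users  {identifying_bits(cfg, POPULATION):5.2f} bits  {label}")
    print(f"entropy of configurations: {config_entropy_bits(POPULATION):.3f} bits")
    print("consistent with 'JS ran on youtube.com':",
          observation_set_size(POPULATION, "youtube.com", True))
    print("consistent with 'JS did not run on cnn.com':",
          observation_set_size(POPULATION, "cnn.com", False))
```

The point the model makes is the one dhanlin and the reply are weighing: the standard configuration carries almost no identifying information because nearly everyone shares it, while each deviation from it shrinks the user's anonymity set. It also shows the limit of what a single site observes: one visit yields one bit (scripts ran or not), so "JS on at youtube" and "JS off at CNN" each place the visitor in a large bucket; linking the two visits to one browser would require some other shared identifier across the two sessions.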