[tor-talk] Risk of selectively enabling JavaScript

Gerardus Hendricks konfkukor at riseup.net
Tue Jan 7 17:33:32 UTC 2014


Point by point.

> Javascript, by itself, is not an issue and poses no more of a security threat than any other type of data transferred online.  Coding errors in image handling, html parsing, ftp, etc., can all be used to inject code.

Note that (potential) privilege escalation bugs are found way more in 
the Javascript component of Firefox. The Javascript engine is a 
complicated and heavily optimized beast and (Javascript-accessed) 
browser APIs have seen much more active development.

It is very reasonable to assume that more security problems are found 
there, and it might be reasonable to use a whitelist to mitigate those 
problems.

>   The idea that you are gaining some security or increased anonymity by disabling javascript is outright nonsense.  As TBB is a standard product, its fingerprint should be the same for everyone.

It's not "outright nonsense". It's supported by fact. Disabling 
Javascript will protect you against Javascript 0days in TBB (or 
non-0days deployed by the FBI against non-updated users). You may argue 
that it's not a good or realistic defense, but not that it doesn't do 
anything.

> The fact that TBB disables javascript is a [blah blah non-sequitur]

TBB doesn't disable Javascript by default. The premise of your argument 
falls apart.

> I think there is a solid argument for adding filters to the exit nodes that strip anything that could be used against a person and enforce default headers ,etc.  This will kill any fingerprinting, injection and tracking attempts.  If anyone still requires full non-modified access, they should be forced to explicitly allow that by clicking a button.

Filtering at an exit-node level is ridiculous for multiple reasons. You 
don't want to fix these issues on a stream level, and there are no 
advantages compared with client-side filtering. NoScript is rightfully 
in the TBB.

Also, claiming that any amount of filtering will "kill any 
fingerprinting, injection and tracking attempts" is naive at best. I can 
think of dozens of attacks, starting with a malicious exit-node.

> That said, all of this is a complete waste of time if Tor does not start integrating techniques to prevent traffic analysis.

Location-privacy and privacy between different (pseudonymous) identities 
have different attacks. We're talking about the latter here. 
Furthermore, end-to-end traffic confirmation attacks (if that is what 
you mean with traffic analysis) are not in Tor's adversary model. Tor is 
very vulnerable to them.

