[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Mail service requires "java script enabled"



On 01/15/2013 12:14 AM, Joe Btfsplk wrote:
> Never say never - but I don't know that the real risk of js is leaking
> identity so much as someone running malicious code on sites you don't
> know or shouldn't trust.

There isn't much risk of identity leaking by enabling javascript in your
browser. The most javascript should be able to do is fingerprint your
browser profile to detect plugins, fonts, etc. By using the Tor Browser
Bundle rather than just a normal web browser proxied through Tor, most
(with the goal of all) of these fingerprinting attempts are mitigated.

So I think it's perfectly fine to enable javascript for Yahoo mail. If
you're going to be using Yahoo mail, make sure you turn on SSL:
https://www.eff.org/deeplinks/2013/01/yahoo-mail-makes-https-available

There are definitely security concerns though, the biggest being using
javascript on a website that someone else has discovered an XSS bug on.
And browser zero days are much more likely to be exploited through the
use of javascript, etc.

That said, these days there are serious usability advantages that
javascript provides, especially for sites like Google Maps. If done
correctly, it can be used to *increase* security in some cases (such as
the payment processor Stripe's use of ajax), and it can be used to make
content load faster and use less bandwidth, such as Twitter letting you
load only recent tweets without refreshing the entire page. And many web
developers build javascript functionality and don't bother to make it
work for NosScripters, which is annoying, but sometimes the
functionality they're going for is impossible without javascript.

Javascript is kind of the future of the web, and it's only going to be
more prevalent as time goes on. And unlike in the 90s, it's genuinely
useful now, not just for adding bling to your site. Rather than be down
on javascript, I think it's more production to figure out ways to make
javascript more secure, like:
https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy

-- 
Micah Lee
https://twitter.com/micahflee

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk