[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Risk of selectively enabling JavaScript



TBB enables JavaScript by default, presumably because many websites need
JavaScript.  NoScript can be used to selectively allow JavaScript from
certain domains, but doing so could make it possible to fingerprint your
Tor use.

By my judgment, you are more likely to be deanonymized by a Firefox
JavaScript vulnerability than fingerprinting due to selective JavaScript
allowance, so it is more secure to use NoScript to selectively allow
JavaScript.  I am curious whether others agree with this assessment?  We
know that Firefox vulnerabilities have been used to deanonymize Tor
users, but we have never seen a fingerprinting attack used, AFAIK.

(I am not questioning the TBB default of allowing JavaScript; that
probably should be the default even if it increases risk, for usability
reasons.)

dhanlin
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk