Hi Jon,

A few of your assumptions look incorrect. Here are some of my understandings.

Jon Tullett:
> My understanding is that NoScript shipped disabled in the TBB

NoScript itself is enabled in the Tor Browser Bundle, configured to allow JavaScript globally. This configuration already adds protection from XSS and clickjacking attacks. It also allows users who want to disable JavaScript globally to do so with only two clicks.

> because that would reduce the likelihood of the browser being
> fingerprinted - a conscious decision intended to strengthen privacy.

Users of the Tor Browser Bundle are identified as such. What we want is to have as few differences as possible between two different TBB users. Having JavaScript globally enabled or not is irrelevant on that matter, as long as the configuration is the same for as many TBB users as possible.

> However, it seems that doing so exposed users to a Javascript exploit
> (and probably predictably so: Javascript's attack surface is famous).

Having JavaScript enabled is also about exposing users to a web that works for them. When was the last time you tried to surf with JavaScript disabled? How many websites were not working as you would expect them to? Do you have any experience in training users to enable/disable JavaScript on a per-site basis?

Also, I suggest you take a look at the following paper:
<http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf>

It shows that JavaScript is not the only thing that can be targeted to attack users. Disabling JavaScript will not prevent every possible attack.

> So I have two questions: […]

I have a hard time thinking of interesting answers to your questions given all of the above.

--
Lunar <lunar@xxxxxxxxxxxxxx>
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk