
Re: [tor-talk] Javascript vs privacy?



Hi Jon,

A few of your assumptions look incorrect. Here are some of my
understandings.

Jon Tullett:
> My understanding is that NoScript shipped disabled in the TBB

NoScript itself is enabled in the Tor Browser Bundle, configured to
allow JavaScript globally. This configuration already adds protection
from XSS and clickjacking attacks. It also allows users who want to
disable JavaScript globally to do so with only two clicks.

> because that would reduce the likelihood of the browser being
> fingerprinted - a conscious decision intended to strengthen privacy.

Users of the Tor Browser Bundle are identified as such. What we want is
to have as few differences as possible between two different TBB
users. Having JavaScript globally enabled or not is irrelevant on that
matter, as long as the configuration is the same for as many TBB users
as possible.

> However, it seems that doing so exposed users to a Javascript exploit
> (and probably predictably so: Javascript's attack surface is famous).

Having JavaScript enabled is also about exposing users to a web that
works for them. When was the last time you tried to surf with
JavaScript disabled? How many websites were not working as you would
expect them to? Do you have any experience in training users to
enable/disable JavaScript on a per site basis?

Also, I suggest you take a look at the following paper:
<http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf>

It shows that JavaScript is not the only thing that can be
targeted to attack users. Disabling JavaScript will not prevent every
possible attack.

> So I have two questions: […]

I have a hard time thinking of interesting answers to your questions
given all of the above.

-- 
Lunar                                             <lunar@xxxxxxxxxxxxxx>


-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk