[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor and JavaScript

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Tor and JavaScript
From: David Teller <dteller@xxxxxxxxxxx>
Date: Mon, 10 Dec 2018 13:17:21 +0100
Autocrypt: addr=dteller@xxxxxxxxxxx; prefer-encrypt=mutual; keydata= xsFNBFpXK/YBEADaA7n3+dWrBCrXCJ1YDvnZqPhG1xcQvD/nWpECOCQeZCJKwxjKHKqOOjGk QLx3S2y6yCJGvwmcgol4QmyJERmzv+kPVjmH8SoAeoOdzZkuwYLl3f2jiF1YWkMXNG7gTorq 8wrsLzQ2xUluca7fhyGfqWQKVSyIbiDY5EGT7oeDE0A99ShHKt7Ar6qtJp5R6rYJIM07gQSv MmdjYqZQiDhFbZlSd/MA6WCEv5u49AAlpvcKVgULrPZU4urgda4hulkoEVZrAsGX6xBJvTrH 0DcVpHap6dZHgws1VW/lHbCF326dXzkmRjIa4i0rbAzjExjPbPEDxnbGh7J79pyoH5yIJX6j uMASP3AxtL2+z17xUtlco6eJ+yRE/J/XcaV2DZpI4c+pMIkGodS5S7JDmhlcRcU+kn5d15V6 nQd7yxgof3nORP+HCV5xGz67tOIvshumvH9krygQ4TRzOJtz+zzaOz9TPUazfeCDnGaqRn7F NxW0m73Fp1vY1GBo8u5muc7Ha6TeCpwNDt7KTJHy9h4COGUz3z+rSpqKTPvxNPiZK6fel3EN oQWtlVwU1kejFiUUP7WiowgzqDqrnlDXFkIJ0S4nmwxNy7ClsTUG6b1I9TNP0Jb8no+gVuB0 2yAS4K6GYRbjwKv0u92aCjPxVOPpi94EMh4TmGEsFljVFm1GeQARAQABzSJEYXZpZCBUZWxs ZXIgPGR0ZWxsZXJAbW96aWxsYS5jb20+wsGUBBMBCAA+FiEEZaVchRAqGsXluGaZBeizTaIi kEEFAlpXK/YCGyMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQBeizTaIikEFO AQ/8D3nwXUUGbp7OQG5CnlJO2Y8grHVCjk/k/+DyG2muJeYFkujd4xGPvQWZATMfkCUY7Zsk kja6K98gOuwqsbbhHHGAy2nlNzs+QjxB3dnY4nE/jZG8u+Am2Jn/j7LnakN/kNdUhfVTOU76 kRoT4VNZBSbapGf9c+5Djjl4OeYvcGgRmpJJX9M6+SgM0sgFNIKyYa5D7LvN6YKsCo8q39le 2QOTpJtItGAR588Vi5TM3p0NVuFnLqZVk7aClqPizGUwTvY8hUvBZsm0rRDgUsjOh7OCxkfK QjcIz6tbmOpk8WbWHzzuSXp6i1gM4LmwQ6jYhiXlAel5lhXdvWHGdhtk17k9Z9Oj9QCby0Tk 5m6bmh4uMyaBfdx7cHqGeWMI6RCB62SF0kQZNwAZJMy0tW+ci0wVxnhllqZpmq31KlOH3y14 LdgMTNurAphh4GVRmdF3BMM834EP3K4Ne6xdKdEbfv4KZVhJvFbnXNAYiHiJEHgdazV5F9lw Zc7Ki3cy4eQaRYecZAtlMvonMVnl6LU3PPLwZb3aeMkbjh4IDojAB/gdfAh3GSCNbAj07izq KqfttZKcJx01Fn85UkqlYEPSq24M5CumNKU8mVTF8M23ZRQ6WGMBDdxrxX4W4LHjiKnfKS7R 9ZoIZkqlU5AXcOyfTRAMoi+6HnojsKLZQhhmGrHOwU0EWlcr9gEQANeMBxhRi93+Ettp67wy nzgmYdSjH/8NpYlgoJVnsjriRWdJd5MnWEPM9EofpEjiFd2blMjiWYtXFAiXFTraZeLFkym7 SraGHTBCXwa/MgF4Ap0DUIJOkU2AshQb6OrDr6vx5wlkyoR1Bc0IuBuqPQmM+GSSXDSeJvmc Jyafii8IkPDlQDG9qM4S0ZdGaLWQ+qCoD7Z/KCyI+gVongyBEVirNEQYewYnQublTgsPVUXb yAPP+Z3248lJys/OnM/b4/ucg4iistRfbFmVnvLHoboc3m88ufsGOvW9/tlW92qXxWGUazmE iw9g9IjDxUeUIPfCIeemdmgit9TSx2dWquILtQQtkZHTYhf/adzPtq7h5A+RLzZfl93B+MwW OhTEyiA9ive7LA3WzuVCaRrU9DKVKYUcicWN2Xf34F66fJVMSB7UeVGLSEXrMZRbV75ZsY+J AyS8pA0FPa1iVYAWR/UEP5HUNreXJYxWjo1qFlf7wfqzhuQhe46g2v8C1FLyC5AF2KC8prdr HSJsMIbEzr5ZR4g8hlVriLi/HXDFLF2e9oMdQx6dPN0YlyqmJ2SkMFlFlHovxi4ydOrOOfn5 rhqjO8NPaiFyZgOKgggkHrnUMH5IlFTaua73K7shWcvrUQXKsU3Nw5jhssQ9XhfFijVp/Ug7 1nbl2GWqDASEKAn9ABEBAAHCwXwEGAEIACYWIQRlpVyFECoaxeW4ZpkF6LNNoiKQQQUCWlcr 9gIbDAUJCWYBgAAKCRAF6LNNoiKQQUX+EADVrDwLF2eRWMyaeQw/7E7FTkw9cBFXcbj2c0Oh cV0LCAjeCnHyR/8YVK3NoKWIyoofMAsQO0102IimGUqTqqd3ZKV0hhPLVQP3djkyT3REF864 lD3gUZWy5nkCfR5WFduI0WtTbqSn8jdSdRbJIJKRFwdDImt+lP+5vkaInO3wQ/FIt52jlFM+ LfbT3o43auku8wX8TCeF6RMfvLlnWMMd8TUQCt/kzzwX5Za80SHp8Gufiz6iFqcanQaKa/pn E4ZC3/SDk0IGvEuO0W4Q3gU4ZgfM8ywGJgfdmrotrR07fyiDOHdun/bKtwd/HRm5DToWuRRt jj9JzkOsruNjF+8EhBXCMUMy8ATGwPdyH3s9rzMkSUfyR1h31oJi2OEW/qed+ohBXrXaVUlA IRq402bFc0Ohcw1n0gV+Zxh3m0H9C23LXMn2ur8P3+j6KlwROS7RSyY0sJ/CtJ76C323n+H/ W1Se7W0uv3lRmz7N4F6U3GD2PzjoQXhNngLMEabLzGqsEVOw5uwLy9fqPe1NKk8GY0J4AOxz UxFVTCTY53aG9B74MHA9T4/+jJGavh2khdFslZ1liiqx0jyB2DQ7zHZxlQtsRJh17wy2jRKH EWaRChnmM6IXu1XMUjevnRmkwCBc3ccvvtwinRhJD7nSMJ5S+8ydhx1BzcHG/n+coMqFYQ==
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 10 Dec 2018 07:17:35 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mozilla.com; s=google; h=subject:to:references:from:openpgp:autocrypt:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=i4vxAQpfVo6t+egzXJvJN7gerx31LVOkx2KsIZnrNLk=; b=DhwPGe9++/6VUnEXFLW3ybEa9acULbKd4+vFR9NGYMnxYlRt43YeznuKA3lK/kvI4Y D7sFm+P6348RfnsNTXBavQxMtm1fX/offNxmG3AXROghMDu3qTE0szJKHm4WXJcmgAMa 4toDOIM2pRfBNztQOo/+yenRq6ICLdkHMHtXs=
In-reply-to: <7cab04e239b00f6c67374c33eaeb7db5.squirrel@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Openpgp: preference=signencrypt
References: <7cab04e239b00f6c67374c33eaeb7db5.squirrel@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.3.2

Well, there are many ways to use JavaScript to deanonymize you.

For instance, JS can be used to measure the speed of specific operations
on your computer, which already gives some information on what kind of
computer you are using. Firefox contains some counter-measures against
this, TorBrowser contains even more, but nothing is 100% safe.

Depending on your processor, there are also known attacks that work
inside a process or across processes that can be triggered in JavaScript
and used to read some of your memory. Again, your OS has
counter-measures, Firefox has counter-measures, TorBrowser has
counter-measures, but nothing is 100% safe.

Finally, JS has access to a number of APIs that can accidentally be used
to identify you (e.g. there are ways to find out your list of fonts, and
list of fonts are typically different from a computer to the other one).
Usually, these holes are plugged in TorBrowser, but there may be holes
that have escaped the attention of devs.

I personally browse with JS activated, because I have very low safety
requirements (I use TorBrowser as a VPN, largely to increase deniability
by people who really need this), but YMMV.

Cheers,
 David

On 10/12/2018 12:52, jiggytwiggy@xxxxxxxxxxxxx wrote:
> Are there any serious disadvantages to using JS with the TBB.
> 
> As we know, disabling JS prevents some sites working at all while other
> sites has reduced functionality.
> 
> Correct me if I am wrong, but I'm sure that server-side JS cannot get the
> user's real (non-Tor) IP address.
> 
> If that's correct, what's the problem with using JS and the TBB?
> 
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Tor and JavaScript
  - From: jiggytwiggy

Prev by Author: Re: [tor-talk] "Tor Circuit" list in TBB displaying incorrect exit node and IP address
Next by Author: [tor-talk] comparison of Tor and Kovri in regards to deanonymization attacks
Previous by thread: [tor-talk] Tor and JavaScript
Next by thread: Re: [tor-talk] Tor and JavaScript
Index(es):
- Author
- Thread