
Re: [tor-talk] Recommended setting for NoScript's Javascript?



I'm embarrassed I didn't notice the JavaScript explanation in the FAQ.
Also, thank you for the info on the Ars Technica points.

I have noticed, in looking at a few more secure email services, that they
either have access without JavaScript enabled but don't have built-in
encryption, or the reverse: encryption provided but access only with
JavaScript enabled.  If you are aware of a service with both attributes, it
would be interesting to check it out.

Thank you for your very clear explanation, Roger; it was very helpful.

> On Tue, Feb 02, 2016 at 05:44:00AM -0800,
> BM-2cTPSBeTK5RpF8A9ymciUDMaX61KzvzJu6@xxxxxxxxxxxxx wrote:
>> I am sorry to ask such a basic question but I am confused by
>> whether I should have the Tor browser set to:
>> a. Temporary allow this page
>> b. Revoke Temporary Permissions
>> c. allow scripts globally
>
> It defaults to 'c', because otherwise many users would find websites
> broken and not understand what's going on:
> https://www.torproject.org/docs/faq#TBBJavaScriptEnabled
>
>> Today I perhaps made the error of changing the setting to revoke
>> temporary permissions, but after I did this an encrypted email website
>> I just began to use stated that it would not allow access because
>> JavaScript needed to be enabled.
>>
>> After changing the setting to "Temporary allow this page" then I could
>> again access email in one encrypted email service.  However now I can no
>> longer access another encrypted email service (an impressive one) which
>> has been working perfectly for me for weeks.
>>
>> So please inform me which setting I should be using.  (Or alternatively
>> I could delete the Tor browser and just install it again to see the
>> initial setting)
>
> It sounds like you've figured out how NoScript works. It is indeed a
> bit safer to leave JS disabled globally, and enable it site-by-site when
> you find that you need it. If you're comfortable doing it that way, go
> for it -- it will be a bit safer than leaving everything enabled.
>
> I say "a bit safer" because, while reducing surface area for complex
> things like JavaScript is good, there are many other parts of the browser
> that are complex too. This is an area with quite some controversy over
> the past years, since several attacks from the FBI have used JavaScript
> vulnerabilities, and "they could have used other attacks" and "but they
> *did* use this attack" are both valid points. (If you want to be one of
> the users who disables JavaScript entirely, and then ends up even
> angrier at Cloudflare, this is a legitimate choice too.)
>
>> Also, I thought it would be helpful to forward some important
>> information I just encountered today.  Please read the Ars Technica
>> article at the link below.  I found this by way of a Reddit thread.
>> ...
>> http://arstechnica.com/security/2016/02/default-settings-in-apache-may-decloak-tor-hidden-services/
>
> Yes, this is a known thing. It's one of the reasons Micah wrote
> up the best practices list for onion service operators:
> https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices
>
> --Roger
>
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>


