
Re: [tor-talk] Recommended setting for NoScript's Javascript?



I have solved many problems with JavaScript-based websites by disabling the
"apply these settings to whitelisted sites" and "cascade permissions to
whitelisted sub-sites". That has worked for me in all situations.

On 3 February 2016 at 10:23, <BM-2cTPSBeTK5RpF8A9ymciUDMaX61KzvzJu6@xxxxxxxxxxxxx> wrote:

> I'm embarrassed I didn't notice the JavaScript explanation in the FAQs.
> Also thank you for the info on the Ars Technica points.
>
> I have noticed in looking at a few more secure email services that they
> either have access without JavaScript enabled but don't have built-in
> encryption, or the reverse, encryption provided but access only with
> JavaScript enabled. If you are aware of a service with both attributes it
> would be interesting to check it out.
>
> Thank you for your very clear explanation Roger, it was very helpful.
>
> > On Tue, Feb 02, 2016 at 05:44:00AM -0800,
> > BM-2cTPSBeTK5RpF8A9ymciUDMaX61KzvzJu6@xxxxxxxxxxxxx wrote:
> >> I am sorry to ask such a basic question but I am confused by
> >> whether I should have the Tor browser set to:
> >> a. Temporary allow this page
> >> b. Revoke Temporary Permissions
> >> c. allow scripts globally
> >
> > It defaults to 'c', because otherwise many users would find websites
> > broken and not understand what's going on:
> > https://www.torproject.org/docs/faq#TBBJavaScriptEnabled
> >
> >> Today I perhaps made the error of changing the setting to revoke
> >> temporary permissions, but after I did this an encrypted email website
> >> I just began to use stated that it would not allow access because
> >> JavaScript needed to be enabled.
> >>
> >> After changing the setting to "Temporary allow this page" then I could
> >> again access email in one encrypted email service. However now I can no
> >> longer access another encrypted email service (an impressive one) which
> >> has been working perfectly for me for weeks.
> >>
> >> So please inform me which setting I should be using. (Or alternatively
> >> I could delete the Tor browser and just install it again to see the
> >> initial setting)
> >
> > It sounds like you've figured out how NoScript works. It is indeed a
> > bit safer to leave JS disabled globally, and enable it site-by-site when
> > you find that you need it. If you're comfortable doing it that way, go
> > for it -- it will be a bit safer than leaving everything enabled.
> >
> > I say "a bit safer" because, while reducing surface area for complex
> > things like JavaScript is good, there are many other parts of the browser
> > that are complex too. This is an area with quite some controversy over
> > the past years, since several attacks from the FBI have used JavaScript
> > vulnerabilities, and "they could have used other attacks" and "but they
> > *did* use this attack" are both valid points. (If you want to be one of
> > the users who disables JavaScript entirely, and then ends up even
> > angrier at Cloudflare, this is a legitimate choice too.)
> >
> >> Also, I thought it would be helpful to forward some important
> >> information I just encountered today. Please read the Ars Technica
> >> article at the link below. I found this by way of a Reddit thread.
> >> ...
> >>
> >> http://arstechnica.com/security/2016/02/default-settings-in-apache-may-decloak-tor-hidden-services/
> >
> > Yes, this is a known thing. It's one of the reasons Micah wrote
> > up the best practices list for onion service operators:
> >
> > https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices
> >
> > --Roger
> >
> > --
> > tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> >
>