[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] TBB "Security Level" Question.

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] TBB "Security Level" Question.
From: Mike <mikely@xxxxxxxxxx>
Date: Mon, 10 Feb 2020 23:43:18 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 11 Feb 2020 02:27:14 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1581371005; bh=39JGR2Bo7KxLCi+9mSJnnixpKCUUKk8kwCxG8ctwa7A=; h=Date:From:To:Subject:In-Reply-To:References:Reply-To:From; b=qMjCX8Mf2AiJb9k9JfIG3HjC/rXVQQGyPcgZs6VB+EWvpihHAokpPf8lcL3DzIOZ5 0KBE3pFhgCEcsmDGeJwJBXZ58Bq6uvNJJA2RLTAS7CoqH0dU3w9LQMOEi3oz9cBPRB 4k0AcU00DB+fsicOaA3SzWkAp8eXkpF+aZ3QGPIg=
In-reply-to: <a2858af242d71108ccebc53af60e3783.squirrel@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <a2858af242d71108ccebc53af60e3783.squirrel@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

[Disclaimer: a non expert view on the subject]

JavaScript is a way for sites to fingerprint you much more accurately.
Once fingerprinted, it doesn't really matter from what IP address you
are connecting. Your activity on the web can be correlated even if you
browse from different IP addresses each time.

So there is a good reason to keep JS, WASM and anything that downloads
and executes remote code on your computer off by default. That is
indeed the highest security level for a reason. Of course having JS off
is itself a dimension which can be used as part of a fingerprint but it
is far less significant than the multiple dimensions a JS=on setting
would give you.

*Not to forget that JS in combination with non-mitigated CPU
vulnerabilities can be a much bigger security whole (e.g. a script
reading the contents of your RAM as demonstrated by Google Project
Zero).
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] TBB "Security Level" Question.
  - From: mimble9

Prev by Author: [tor-talk] How to build circuits manually to request a different Tor exit IP address?
Next by Author: [tor-talk] Tor and sources.list
Previous by thread: [tor-talk] TBB "Security Level" Question.
Next by thread: Re: [tor-talk] TBB "Security Level" Question.
Index(es):
- Author
- Thread