[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] TBB "Security Level" Question.



[Disclaimer: a non expert view on the subject]

JavaScript is a way for sites to fingerprint you much more accurately.
Once fingerprinted, it doesn't really matter from what IP address you
are connecting. Your activity on the web can be correlated even if you
browse from different IP addresses each time.

So there is a good reason to keep JS, WASM and anything that downloads
and executes remote code on your computer off by default. That is
indeed the highest security level for a reason. Of course having JS off
is itself a dimension which can be used as part of a fingerprint but it
is far less significant than the multiple dimensions a JS=on setting
would give you.

*Not to forget that JS in combination with non-mitigated CPU
vulnerabilities can be a much bigger security whole (e.g. a script
reading the contents of your RAM as demonstrated by Google Project
Zero).
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk