On 01/15/2013 12:14 AM, Joe Btfsplk wrote:
> Never say never - but I don't know that the real risk of js is leaking
> identity so much as someone running malicious code on sites you don't
> know or shouldn't trust.

There isn't much risk of identity leaking by enabling javascript in your browser. The most javascript should be able to do is fingerprint your browser profile to detect plugins, fonts, etc. By using the Tor Browser Bundle rather than just a normal web browser proxied through Tor, most (with the goal of all) of these fingerprinting attempts are mitigated.

So I think it's perfectly fine to enable javascript for Yahoo mail. If you're going to be using Yahoo mail, make sure you turn on SSL:
https://www.eff.org/deeplinks/2013/01/yahoo-mail-makes-https-available

There are definitely security concerns though, the biggest being using javascript on a website that someone else has discovered an XSS bug on. And browser zero days are much more likely to be exploited through the use of javascript, etc.

That said, these days there are serious usability advantages that javascript provides, especially for sites like Google Maps. If done correctly, it can be used to *increase* security in some cases (such as the payment processor Stripe's use of ajax), and it can be used to make content load faster and use less bandwidth, such as Twitter letting you load only recent tweets without refreshing the entire page. And many web developers build javascript functionality and don't bother to make it work for NoScripters, which is annoying, but sometimes the functionality they're going for is impossible without javascript.

Javascript is kind of the future of the web, and it's only going to be more prevalent as time goes on. And unlike in the 90s, it's genuinely useful now, not just for adding bling to your site.

Rather than be down on javascript, I think it's more productive to figure out ways to make javascript more secure, like:
https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy

--
Micah Lee
https://twitter.com/micahflee
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk