On 07/11/11 02:32, Andrew Lewman wrote:
> I'd like to see someone do research that proves or disproves this fear that
> javascript and cookies everywhere is hazardous to the anonymity of a tor user.
> I don't know a better setting for noscript. I know what I use for settings
> when I use the default TBB setup.

The risks of traditional Netscape cookies are reasonably well understood, and can be controlled. However because JS can tamper with cookies the situation is more complicated than it seems.

The intuitive problem with JS is that it feels like the part of the core browser architecture most likely to be vulnerable to a zero day attack. I use fluffy language here deliberately. There's quite a jump from that intuition to a falsifiable hypothesis, but it offers an explanation for cautious behaviour.

NoScript offers other protections though which are more solid. Having Flash and Java turned off by default would seem to be a Good Thing™. And it intercepts various XSS/XSRF and clickjacking techniques (i.e. the known problems with JS). I think it's safe to say that these are an anonymity issue, and it adds some weight to the intuitive feeling that allowing untrusted JS is not a good idea.

An advantage of having JS blocked is that you'll be alerted if a page suddenly has a script you didn't expect. It could have been injected there somehow by an adversary. If you have scripts enabled globally you're not going to notice.

Personally I think the above is reason enough to have an opt-in policy for scripting. Yes, it's a slight hassle on sites that depend heavily on JS, but it offers some reassurance that I won't be inadvertently handing over my details to a third party.

Julian

--
3072D/D2DE707D Julian Yon (2011 General Use) <pgp.2011@xxxxxx>
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk