[tor-talk] Tor Browser disabling Javascript anonymity set reduction [WAS: Basic questions ...]

proper at secure-mail.biz proper at secure-mail.biz
Sun May 13 12:51:39 UTC 2012

The FAQ entry is very questionable.
"Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."

I have to agree, that *theoretically* disabling Javascript is a anonymity set reduction, because probable most TBB users don't leave it enabled.

The problem is, it makes the false assumption, that the Javascript anonymisation in Torbutton is next to perfect. It's far from perfect. There are severe bugs open. If you go on ip-check.info you'll see, that with Javascript enabled, the site can still read how many and which fonts you have installed.
That's one bug I understand. I don't know if there are any other bugs open with such severe implications for browser fingerprinting.

That's way more severe than turning off Javascript at all.

Torproject probable also doesn't know, how many people turn off Javascript. How many people do use TBB? Or are they still using the mainline Firefox and torify like it was proclaimed years ago? Also if you look through some public forums, which discuss Tor, they also often still proclaim to turn off Javascript.

powered by Secure-Mail.biz - anonymous and secure e-mail accounts.

More information about the tor-talk mailing list