[tor-talk] Tor Browser disabling Javascript anonymity set reduction

Mike Perry mikeperry at torproject.org
Sun May 13 21:26:59 UTC 2012

Thus spake proper at secure-mail.biz (proper at secure-mail.biz):

> https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled The
> FAQ entry is very questionable.  "Disabling JavaScript by default,
> then allowing a few websites to run scripts, is especially bad for
> your anonymity: the set of websites which you allow to run scripts is
> very likely to uniquely identify your browser."
> I have to agree, that *theoretically* disabling Javascript is a
> anonymity set reduction, because probable most TBB users don't leave
> it enabled.
> The problem is, it makes the false assumption, that the Javascript
> anonymisation in Torbutton is next to perfect. It's far from perfect.
> There are severe bugs open. If you go on ip-check.info you'll see,
> that with Javascript enabled, the site can still read how many and
> which fonts you have installed.
> https://trac.torproject.org/projects/tor/ticket/2872
> https://trac.torproject.org/projects/tor/ticket/4797

Actually, the FAQ makes two assumptions:

1. That nearly all of the information available to Javascript is also
available to CSS and HTTP even when JS is disabled. This includes fonts,
desktop resolution, browser widget resolution, caching-based
identifiers, and probably a few more things, too.

2. The additional amount of information JS provides beyond these things
is not substantial, if properly mitigated.

That said, disabling JS all-or-nothing is probably not a very big hit
right now with our current userbase. Enough people probably do it that
you still have an anonymity set. But, as the demographics of our
userbase change as it (hopefully) becomes easier to use Tor, this will
be less and less true.

However, disabling a whole random collection of random junk specific to
you is a *huge* hit, if anyone bothers to look.  You cannot expect to be
able to use the same web service under two different accounts if you use
3rd party domain JS filtering features of NoScript, for example. They
will have a wealth of fingerprinting information based simply on the
scripts you choose to download and run, if they care to look.

> That's one bug I understand. I don't know if there are any other bugs
> open with such severe implications for browser fingerprinting.
> https://trac.torproject.org/projects/tor/query?status=accepted&status=assigned&status=needs_information&status=needs_review&status=needs_revision&status=new&status=reopened&component=Torbutton&order=priority&col=id&col=summary&col=component&col=type&col=status&col=priority&col=milestone

You want likely want this query instead:

> Torproject probable also doesn't know, how many people turn off
> Javascript. How many people do use TBB? Or are they still using the
> mainline Firefox and torify like it was proclaimed years ago? Also if
> you look through some public forums, which discuss Tor, they also
> often still proclaim to turn off Javascript.

Concerns about Javascript are rooted in two avenues:

1. Fingerprinting concerns.

2. Zero-day exploits against Firefox.

The reason we feel that leaving Javascript enabled trumps these concerns

1. We want enough people to actually use Tor Browser such that it
becomes less interesting that you're a Tor user. We have plenty of
academic research and mathematical proofs that tell us quite clearly
that the more people use Tor, the better the privacy, anonymity, and
traffic analysis resistance properties will become.

In fact, my personal goal is to grab the entire "Do Not Track" userbase
from Mozilla. That userbase is probably well in excess of 12.5 million

I do *not* believe we can capture that userbase if we ship a
JS-disabled-by-default browser.

2. Exploitable vulnerabilities can be anywhere in the browser, not just
in the JS interpreter. We disable and/or click-to-play the known major
vectors, but the best solutions here are providing bug bounties (Mozilla
does this; we should too, if we had any money) and sandboxing systems
(Seatbelt, AppArmor, SELinux).

Hope this clarifies some things for you.

Mike Perry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20120513/6f81282e/attachment.pgp>

More information about the tor-talk mailing list