[tor-talk] Javascript vs privacy?

Jon Tullett jon.tullett at gmail.com
Wed Aug 7 07:28:17 UTC 2013


On 6 August 2013 16:31, Lunar <lunar at torproject.org> wrote:
> Hi Jon,
>
> A few of your assumptions look incorrect. Here's some of my
> understandings.

Thanks Lunar, appreciate the input. You raise good points.

>
> Jon Tullett:
>> My understanding is that NoScript shipped disabled in the TBB
>
> NoScript itself is enabled in the Tor Browser Bundle, configured to
> allow JavaScript globally. This configuration already adds protection
> from XSS and clickjacking attacks. It also allows users who want to
> disable JavaScript globally to do so with only two clicks.

Yes - I was summarising and you caught me. That's how I understood it
too: NS was installed by default with some features enabled but the
Javascript filtering specifically was disabled by default. I should
have been clearer.

Re the JS filter, granted, users can turn it on, but it's probably
reasonable to assume (as the attacker here correctly did) that most
users will not.


>> However, it seems that doing so exposed users to a Javascript exploit
>> (and probably predictably so: Javascript's attack surface is famous).
>
> Having JavaScript enabled is also about exposing users to a web that
> works for them. When was the last time you tried to surf with
> JavaScript disabled?

Today. I use NoScript by default when I browse with Firefox, because
some tasks demand it.

Sometimes it's a pain, as you say, but that's a compromise I make
knowingly and willingly. I also use Lynx daily, so I'm kinda used to
the web not looking like it does for most people :)

Here's the thing though: when I use Tor (which I do), I do so knowing
I'm making certain compromises: my usual ecosystem of browser plugins
will not be available, scripting will be disabled, network performance
will be slow, etc. I'm not sure I'm convinced by the "it's a
compromise" argument, because I'm making several already.

But some people wouldn't want to, you're right. And that's why I asked
about awareness - is there scope for better communicating to a user
(such as in the Tor browser homepage) that JS is enabled to improve
their browsing experience and enhance privacy, but it may open them to
(another) attack and here's how it can be disabled? If not, I'd be
very interested to know the thinking behind that decision - it feels,
to me, to be a decision not to inform a userbase of a clear and
present danger.


> How many websites were not working as you would
> expect them to?

Well, none, but that's because I know what to expect. But your point
is valid - most users would find the web badly broken with JS
disabled.


> Do you have any experience in training users to
> enable/disable JavaScript on a per site basis?

I do - I have a security background. But _regular_ users, no - no
chance. Lab workers, yes. However, I wouldn't classify Tor users as
regular users - they are people who are taking extraordinary steps to
protect themselves. One more extraordinary step doesn't seem that
implausible, but then I probably do have a biased perspective.


> Also, I suggest you take a look at the following paper:
> <http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf>
>
> It shows that JavaScript is not the only thing that can be
> targeted to attack users. Disabling JavaScript will not prevent every
> possible attack.

Definitely! The attack surface of the modern browser is a wonderful
thing to behold. But surely you aren't suggesting that because another
attack vector exists, we shouldn't defend others? That's kinda the
whole reason for Tor to exist, no? "There are some ways your privacy
can be violated that we can't help with, but we will do what we can to
mitigate as many as possible..."


>> So I have two questions: […]
>
> I have a hard time thinking of interesting answers to your questions
> given all of the above.

This is an interesting discussion anyway, so thank you. I think the
questions, in context, boil down to this:

Knowing that TBB users can be attacked a certain way, and knowing that
at least one attack has taken place, should/will the configuration
and/or messaging be re-evaluated?

You're right in the points you raise - they aren't new points, and I'm
sure they were taken into account when the existing decisions were
taken. Those points would have been on one side of the balance, with
possible security considerations on the other. So what I'm asking is,
in the light of this incident, does that balance shift?

Should stress that I'm ok with the answer being "no" :) I'm here to
report, not to criticise.

-Jon

