[tor-talk] Javascript vs privacy?

scarp scarp at riseup.net
Wed Aug 7 11:11:16 UTC 2013

I understand that JavaScript was enabled globally in the Tor Browser
Bundle for usability reasons as well as to prevent browser
fingerprinting. I believe this is the correct decision.

If the torproject were to disable it by default, that would not ensure
that users are protected in the future by similar methods. Sites can
be written in a way that if you do not allow JavaScript they simply
won't work at all. If I were writing an exploit I'd do this to
frustrate users so that, hopefully, they enable JavaScript and accept my
exploit. Also future exploits may not use JavaScript, but may somehow
socially engineer the user into installing a browser extension or
something like that.

This brings us to another issue. This exploit wasn't new. It
had been on the Mozilla bug tracker for a while. Users running the
latest Tor Browser Bundle (17.0.7) didn't have any issues as their
browsers had been patched.

It is inappropriate for a web browser to not be automatically updated.
In this day and age where we have full disclosures about critical
bugs, we must also have a way for users to get patches easily and
effortlessly; let's please keep vulnerabilities at 0day rather than
0month or 0year.

Had the Tor Browser's update mechanism been working like the official
Mozilla Firefox browser and Google Chrome, this would not have been
nearly as serious.

Whonix users of course were protected in 3 ways: firstly, whonixcheck
would have warned them about an outdated browser; secondly, hardware
addresses would have been masked by virtual network interfaces; and
thirdly, the network isolation it provides would have made this kind of
exploit not possible in the first place.

TAILS users would have been protected similarly, from the first and
third issue.

I'd like to see torproject make a push for isolated network setups,
because the cold hard truth is that running the Tor Browser Bundle on
Windows, while easy for the users, is a nightmare for the developers,
and keeping it secure is a big, big task. Maybe even an officially
supported Tor distribution.

The Tor Browser Bundle has to work with the network configuration the
user has given it, which most certainly is not going to prevent
arbitrary code from directly contacting remote servers and
circumventing the Tor service.

Given the success of this vector you can bet this will become
something governments will look to invest in, in the future.

-- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313
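An added illustration of the whonixcheck-style outdated-browser warning the post mentions (my own example, written for this thread; not whonixcheck's or the Tor Project's code). It assumes the installed browser version string has been obtained separately and compares it against the 17.0.7 release named above; the trap it guards against is comparing version strings lexically, where "17.0.10" sorts before "17.0.7".

```python
"""Outdated-browser check in the spirit of whonixcheck (constructed example)."""
import re

# First release named in the post as already carrying the fix.
PATCHED_VERSION = "17.0.7"


def parse_version(text):
    """Turn '17.0.7' or '17.0.7esr' into a tuple of ints.

    Components are split on '.', numeric prefixes are kept and any
    trailing tag such as 'esr' or 'a1' is ignored, so that the
    comparison is numeric rather than lexical.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at the first non-numeric component
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(parts)


def compare(a, b):
    """Return -1, 0 or 1 like a classic cmp(); pads short tuples with zeros
    so that '17.0' compares equal to '17.0.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_outdated(installed, patched=PATCHED_VERSION):
    """True when the installed build predates the patched release."""
    return compare(installed, patched) < 0


def check(installed):
    """Produce the one-line warning a whonixcheck-style tool would show."""
    if is_outdated(installed):
        return (f"WARNING: Tor Browser {installed} is older than "
                f"{PATCHED_VERSION}; update before browsing.")
    return f"OK: Tor Browser {installed} includes the fix."


if __name__ == "__main__":
    for v in ("17.0.6", "17.0.7", "17.0.10", "17.0.7esr"):
        print(check(v))
```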