[tor-talk] browser fingerprinting

Aymeric Vitte vitteaymeric at gmail.com
Mon Apr 14 22:47:21 UTC 2014 

Yes, of course js is not at all the cause of the problems described in 
this thread, strange that this very wrong idea is still popular.

JS can not prevent you from hacking yourself if you like which is what 
the links provided here are about.

That's even the contrary, you can not hide js code, whatever obfuscation 
means you are using it's very easy to see what it is doing.

But you can run js code as a standalone app, ie without loading the code 
from the outside and using third parties to check that you have the 
correct one, because loading the code is the only issue about js.

Assuming that js devs are following good practices, if the code is 
sandboxed and you can not access js objects via other means (like DOM 
nodes) then there is no way you can hack into it.

And for sure js can not access anything on your computer outside of the 
browser's world (ie outside of what you have authorized it to access)

This is what I have tried to explain for this project here 
http://www.peersm.com (Distributed anonymous P2P based on Tor protocol 
inside browsers, so a js app)

Regards

Aymeric

Le 14/04/2014 20:43, Roger Dingledine a écrit :
> On Mon, Apr 14, 2014 at 08:19:11PM +0200, Thomas Asta wrote:
>> Nils that ia simply untrue. JS accesses the local machine where the briwser
>> is.
>> Am 14.04.2014 20:11 schrieb "Nils Kunze" <kunze.nils at gmail.com>:
>>
>>> As these requests will be sent out via the tor network, this will not leak
>>> your real ip but just the ip of your exit relay, which is known anyways.
> Sorry, I suggest you all learn more about javascript and read the
> links in question.
>
> There aren't any known ways for JavaScript to learn the client's IP
> address locally. Assuming there aren't further browser exploits of
> course. And those exploits can be in any part of the browser, not
> just JavaScript. Though historically a lot of vulnerabilities have been
> in JavaScript.
>
> The links in this thread point to external "what's my IP" sites that
> you can ask the client to fetch -- but the fetch will go over Tor,
> so it will tell you a Tor exit relay's IP address.
>
> For more info on the Tor side, see
> https://trac.torproject.org/projects/tor/ticket/9387
> including the line in
> https://blog.torproject.org/blog/tor-browser-36-beta-2-released
> where we're experimenting with disabling some Javascript implementation
> optimizations that have historically been the source of many
> vulnerabilities.
>
> and more broadly,
> https://www.torproject.org/docs/faq#TBBJavaScriptEnabled
>
> And yes, sandboxes and firewalls do seem like a great idea, for tolerating
> implementation (and heck, protocol) flaws. I'm glad people are working
> on making them both effective and usable. We need more people in the
> world working on that.
>
> --Roger
>

-- 
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

More information about the tor-talk mailing list