[tor-talk] Risk of selectively enabling JavaScript

Michael Wolf mikewolf53 at gmail.com
Tue Jan 7 10:09:23 UTC 2014


On 1/6/2014 12:39 PM, dhanlin wrote:
> TBB enables JavaScript by default, presumably because many websites need
> JavaScript.  NoScript can be used to selectively allow JavaScript from
> certain domains, but doing so could make it possible to fingerprint your
> Tor use.
> 
> By my judgment, you are more likely to be deanonymized by a Firefox
> JavaScript vulnerability than fingerprinting due to selective JavaScript
> allowance, so it is more secure to use NoScript to selectively allow
> JavaScript.  I am curious whether others agree with this assessment?  We
> know that Firefox vulnerabilities have been used to deanonymize Tor
> users, but we have never seen a fingerprinting attack used, AFAIK.
> 
> (I am not questioning the TBB default of allowing JavaScript; that
> probably should be the default even if it increases risk, for usability
> reasons.)
> 
> dhanlin
> 

I agree -- while a JS vulnerability can outright deanonymize someone
(location revealed), selectively enabling JS at worst allows
fingerprinting with location kept private.

I've not investigated how TBB handles things like 3rd-party cookies and
remote .js files when JavaScript is disabled, but it seems like simply
not loading/storing these things would make it next to impossible to
actually fingerprint someone.  Considering that exit nodes are rotated,
is it possible anyone could determine it was the same browser viewing
youtube with JS turned on and CNN with JS turned off?  What would allow
this?

