[tor-talk] Risk of selectively enabling JavaScript

Gerardus Hendricks konfkukor at riseup.net
Tue Jan 7 11:48:43 UTC 2014


> TBB enables JavaScript by default, presumably because many websites need
> JavaScript.  NoScript can be used to selectively allow JavaScript from
> certain domains, but doing so could make it possible to fingerprint your
> Tor use.
Let us try to define what "fingerprinting Tor use" means exactly. It 
clearly does not mean "detect if you are using Tor". It probably has 
more to do with detecting that a certain single TorBrowser installation, 
including all its settings and plugins, is communicating with a certain 
server. An adversary could detect this at the side of the exit node 
(possibly even in the case of encrypted traffic), but more importantly 
it can be detected at the side of the server.

When does the fingerprinting attack matter? Does it only apply when a 
user is using the same TorBrowser installation for identities or 
behaviors that the user wishes to keep separate? It is already 
recommended to restart the TorBrowser to disconnect behaviors. Wouldn't 
it be also recommendable to use different TorBrowser installation for 
different behaviors, or is this going too far?
> (I am not questioning the TBB default of allowing JavaScript; that
> probably should be the default even if it increases risk, for usability
> reasons.)
Please do question this. Don't fall into the false dichotomy between 
safety and usability. I believe there is a bug (feature request) in the 
tracker about adding a 'security slider' to Tor, that would allow users 
to make NoScript a lot stricter. Such a slider would make 
Javascript-avoiding users share roughly the same browser settings with a 
larger fraction of the Tor user base. Does anyone have a bugid?

There are bound to be edge case on which fingerprinting attacks can be 
launched. Please think about which slider implementation would result in 
lesser TorBrowser-installation specific settings.

Regards,
Gerard


More information about the tor-talk mailing list