[tor-talk] NoScript for TOR disabled by default

Thu Jan 30 15:22:29 UTC 2014

Thanks for your comment.

In fact, I am worried with the Wireless Position System developed by 
google and others, and the introduction in the browsers, like firefox, a 
way to track which wireless networks the computer can "see" in a given 
moment. Based on that they identify the user physical (because google 
street view mapped the wireless network physical location), fingerprint 
the computer and, possibly, track other key information.

Seems that this critical issue is not currently handled by TOR.

Sukhoi

On 30/01/2014 07:27, Moritz Bartl wrote:
> On 01/30/2014 04:11 AM, Sukhoi wrote:
>>> https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled
>> Thanks for the link. I can understand the reason to keep noscript
>> enabled by default, but most of the users are not aware about the risks
>> associated with javascript and even many experts underestimate it; most
>> of the tracking/spying tools are javascript based.
> Tracking is not so much an issue in Tor Browser, as by design, you can
> request a new session ("New Identity"), and also you're not tracked
> between browser sessions.
>
> If you're worried about being tracked within one session, well, then
> Javascript is only one of the many things you would have to worry about.
>
> In scope of Tor Browser is fingerprinting /across/ sessions. Which is
> why Tor Browser disables or fakes certain values (like installed fonts
> etc), to make fingerprinting and thus tracking /across/ sessions harder.
> Anti-fingerprinting patches are the main reason why you should not use a
> regular Firefox, but always Tor Browser.
> https://www.torproject.org/projects/torbrowser/design/
>
> Tor Browser's design goal is that it should not leak any more
> fingerprintable information with Javascript enabled than with Javascript
> disabled.
>
>> I can understand the intention on not frustrate many users, but is not
>> TOR a tool intended to, primarily, provide security and anonymity,
>> instead convenience?
> Tor Browser already sacrifices much 'convenience' (usability). Many
> users want Flash, Java, and other plugins. It is really only a matter of
> defaults, since it takes only a few clicks to disable Javascript if you
> really don't want it. I agree, people with enough knowledge to
> understand what breaks when you disable Javascript (and that is A LOT
> these days), especially subtle things like a button not working etc.,
> should disable Javascript. For regular users, it is just not obvious
> when something on a website doesn't work -- it doesn't clearly tell you
> that something is missing/disabled (compared to Flash, for example).
>
> Personally, I have Javascript disabled in TBB. (and in my non-Tor
> browser if I need it) I don't mind quickly changing the default with
> every TBB update.
>