[tor-talk] User views on lesser of 2 evils_Tor FAQ on using java script
Joe Btfsplk
joebtfsplk at gmx.com
Sat Jul 26 19:26:18 UTC 2014
How do some more advanced Tor users feel about pros & cons of leaving
java script constantly enabled or selectively enabling it?
The overall java script issue & advice given at different times in
different places can get confusing.
From https://www.torproject.org/docs/faq#TBBJavaScriptEnabled:
"There's a tradeoff here. On the one hand, we should *leave JavaScript
enabled* by default so websites work the way users expect. On the other
hand, we should *disable JavaScript* by default to better protect
against browser vulnerabilities ( not just a theoretical concern!). But
there's a *third issue*: websites can easily determine whether you have
allowed JavaScript for them, and if you disable JavaScript by default
but then allow a few websites to run scripts (the way most people use
NoScript), then your choice of whitelisted websites acts as a sort of
cookie that makes you recognizable (and distinguishable), thus harming
your anonymity. "
Unless you're seriously hard core in how you use TBB (visit only sites
KNOWN not to use JS), you're effectively forced into either
* disabling js completely & not being able to use / see a lot of the net
(even hard core news sites, etc.) - that's bad.
* selectively enabling js - which the FAQ says is also bad.
* leaving js on 100%. Which is also said to be bad.
Yes, I understand what happens with & w/o JS, as to sites detecting info
(if interested). The issue is being "...between a rock & a hard place."
Seems we must make a choice: Whether more concerned about "some" sites
detecting JS is DISabled, while others detect it's ENabled (&
presumably, these sites are jointly owned, or all share info or 3rd
party trackers are advanced enough to ID even a "stock" Torbrowser, from
one site to another).
If one or more of the latter 3 scenarios isn't true (or something
similar), then one site detecting JS is off & another detecting it's on,
isn't an issue.
Seems the advice given in different areas may conflict. There are a
good many advanced users not in favor of having JS enabled by default in
TBB.
Unless they *only* visit JS free sites, they're forced to selectively
enable it, unless don't care about broken sites.
But, enabling JS allows sites (that try) to get FAR more browser /
system info than if it's disabled.
So, is it, "damned if I do, damned if I don't?"
More information about the tor-talk
mailing list