[tor-talk] User views on lesser of 2 evils_Tor FAQ on using java script

[Joe Btfsplk]

On 7/26/2014 10:13 PM, Moritz Bartl wrote:
> On 07/26/2014 09:26 PM, Joe Btfsplk wrote:
>> So, is it, "damned if I do, damned if I don't?"
> Basically, yes. A lot of users including me can cope with only
> selectively enabling Javascript, but I would strongly argue against
> making that the default. It is just too hard to understand for 'casual
> users' all the subtle ways disabled Javascript can break websites.
>
> I personally can live with 'losing some of my anonymity' due to the
> custom use of Javascript, but you must be well aware indeed.
>
My unprofessional reaction is, there's some discussion on this, but no 
scientific data / explanation why one way is the least worst.

Getting to that point may be difficult, but as is, seems Tor Project 
raises numerous questions but provides no real answers.

We have a product "to protect your anonymity."
"Oh, by the way... using JS may compromise it,
and not using it may compromise it (because it's enabled by default),
and using it intermittently may compromise it."

OK, that clears it up.  Even for fairly advanced users, that's not much 
help.
There seem to be very strict Tor / TBB design rules, down to the tiniest 
detail.

Then, the issue of java script is pretty much left wide open.
Many ignore it, like the elephant in the room.
Since a chain (or security / anonymity method) is only as strong as its 
weakest link, where does that leave TBB, considering the range of views 
& facts about java script?

Sometimes, seems this little detail (that might break the entire chain) 
is simply glossed over.  It's a tough subject, so we just won't dwell on it.
Obviously, Tor Project decided to leave it enabled.  But there's ongoing 
discussion about limiting exposure due to js.