[tor-talk] User views on lesser of 2 evils_Tor FAQ on using java script

Joe Btfsplk joebtfsplk at gmx.com
Sun Jul 27 15:21:26 UTC 2014


On 7/27/2014 2:08 AM, grarpamp wrote:
> On Sat, Jul 26, 2014 at 3:26 PM, Joe Btfsplk <joebtfsplk at gmx.com> wrote:
>> How do some more advanced Tor users feel about pros & cons of leaving
>> JavaScript constantly enabled or selectively enabling it?
> The risk of any potential leak of real IP or actual user data
> (not just meta browser environment data) is the overriding consideration.
> Much more than any js on/off matrix leak to some observing
> exit or multi-hosting webserver (which are fringe cases to begin with).
How do we know for a fact that observing exits (even several or many, 
operated by one entity) or multiple sites operated by one entity are 
"fringe cases?"
They may not be the gov't or NSA / GCHQ, but plenty of large, 3rd party 
trackers monitor 1000's of sites.

And if they have certain information, then for sure it's available to 
gov'ts (if only by theft) & possibly to others, especially at the right 
price.
This type of thing is no longer conspiracy theory.
> Sandbox your apps, keep your user data minimal and compartmented,
> manage your stored profiles/dotdirs and sessions. Do that and all this
> talk of javascript, java, flash, dom, cookies, canvas, etc... generally
> approaches moot. This doesn't mean they should be ignored, but
> that in the big picture, there are bigger concepts to grasp first.
Assuming that all works & doesn't have as many pitfalls as JavaScript 
itself, the overall methods are likely beyond most users.
Beyond their ability & available time.  Beyond their ability to do all 
of what you mention and not make a mistake.

Unless Tor Project just sadly accepts that most users can't accurately 
carry out such practices (so don't bring it up at all), they don't seem 
to think it's important.

Unless there were very detailed, step-by-step instructions for how to do 
things you mention (possibly many more), not many could carry them out & 
*never* make a mistake.

