[tor-talk] Recommended setting for NoScript's Javascript?

Roger Dingledine arma at mit.edu
Tue Feb 2 15:16:37 UTC 2016


On Tue, Feb 02, 2016 at 05:44:00AM -0800, BM-2cTPSBeTK5RpF8A9ymciUDMaX61KzvzJu6 at bitmessage.ch wrote:
> I am sorry to ask such a basic question but I am confused by
> whether I should have the Tor browser set to:
> a. Temporary allow this page
> b. Revoke Temporary Permissions
> c. allow scripts globally

It defaults to 'c', because otherwise many users would find websites
broken and not understand what's going on:
https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

> Today I perhaps made the error of changing the setting to revoke temporary
> permissions, but after I did this an encrypted email website I just began
> to use stated that it would not allow access because JavaScript needed to
> be enabled.
> 
> After changing the setting to "Temporary allow this page" then I could
> again access email in one encrypted email service.  However now I can no
> longer access another encrypted email service (an impressive one) which has
> been working perfectly for me for weeks.
> 
> So please inform me which setting I should be using.  (Or alternatively I
> could delete the Tor browser and just install it again to see the initial
> setting)

It sounds like you've figured out how NoScript works. It is indeed a
bit safer to leave JS disabled globally, and enable it site-by-site when
you find that you need it. If you're comfortable doing it that way, go
for it -- it will be a bit safer than leaving everything enabled.

I say "a bit safer" because, while reducing surface area for complex
things like JavaScript is good, there are many other parts of the browser
that are complex too. This is an area with quite some controversy over
the past years, since several attacks from the FBI have used JavaScript
vulnerabilities, and "they could have used other attacks" and "but they
*did* use this attack" are both valid points. (If you want to be one of
the users who disables JavaScript entirely, and then ends up even
angrier at Cloudflare, this is a legitimate choice too.)

> Also, I thought it would be helpful to forward some important information
> I just encountered today.  Please read the ARS Technica article at the
> link below.  I found this by way of a Reddit thread.
> ...
> http://arstechnica.com/security/2016/02/default-settings-in-apache-may-decloak-tor-hidden-services/

Yes, this is a known thing. It's one of the reasons Micah wrote
up the best practices list for onion service operators:
https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices

--Roger
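An added example, not part of Roger's message and not Tor Project or riseup configuration: the Ars Technica article linked above concerns Apache's mod_status, which Debian-style packages enable by default so that /server-status is served to "local" clients. Because Tor hands onion-service connections to the web server from 127.0.0.1, that check passes and the status page (clearnet client IPs, other virtual hosts on the same daemon) becomes readable over the onion address. The fragment below contrasts that default with a hardened layout; the port, paths and onion hostname are assumptions.

```apache
# Added example, not from the original post. Assumes a Debian-style Apache 2.4
# install where mod_status is enabled and /etc/apache2/mods-enabled/status.conf
# ships the block shown first.

# --- Weak: the stock status.conf the linked article warns about ---
# <Location /server-status>
#     SetHandler server-status
#     Require local
# </Location>
# "Require local" tests the TCP peer address. Requests arriving via the onion
# service come from the local tor daemon (127.0.0.1), so they are "local" and
# /server-status is exposed to anyone who knows the .onion name.

# --- Hardened ---
# 1. Listen on loopback only, so nothing but tor can reach the daemon.
#    (Also delete "Listen 80" from ports.conf, or it still binds 0.0.0.0.)
Listen 127.0.0.1:8080

# 2. Disable the status handler outright; equivalent to "a2dismod status".
<Location /server-status>
    SetHandler none
    Require all denied
</Location>

# 3. Do not advertise version or hostname details in error pages and headers.
ServerTokens Prod
ServerSignature Off

# 4. One vhost dedicated to the onion address; nothing else shares this bind.
<VirtualHost 127.0.0.1:8080>
    # Assumption: replace with the hostname from HiddenServiceDir/hostname.
    ServerName example-placeholder.onion
    DocumentRoot /var/www/onion
</VirtualHost>
```

The matching torrc lines under the same assumptions are `HiddenServiceDir /var/lib/tor/onion/` and `HiddenServicePort 80 127.0.0.1:8080`. A quick check after restarting: `curl -s --socks5-hostname 127.0.0.1:9050 http://<onion>/server-status` should return 403, and `ss -ltnp | grep apache2` should show only 127.0.0.1:8080, never 0.0.0.0 or a public address.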