[tor-talk] Tor and JavaScript

David Teller dteller at mozilla.com
Mon Dec 10 12:17:21 UTC 2018


Well, there are many ways to use JavaScript to deanonymize you.

For instance, JS can be used to measure the speed of specific operations
on your computer, which already gives some information on what kind of
computer you are using. Firefox contains some counter-measures against
this, TorBrowser contains even more, but nothing is 100% safe.

Depending on your processor, there are also known attacks that work
inside a process or across processes that can be triggered in JavaScript
and used to read some of your memory. Again, your OS has
counter-measures, Firefox has counter-measures, TorBrowser has
counter-measures, but nothing is 100% safe.

Finally, JS has access to a number of APIs that can accidentally be used
to identify you (e.g. there are ways to find out your list of fonts, and
lists of fonts are typically different from one computer to another).
Usually, these holes are plugged in TorBrowser, but there may be holes
that have escaped the attention of devs.

I personally browse with JS activated, because I have very low safety
requirements (I use TorBrowser as a VPN, largely to increase deniability
by people who really need this), but YMMV.

Cheers,
 David

On 10/12/2018 12:52, jiggytwiggy at danwin1210.me wrote:
> Are there any serious disadvantages to using JS with the TBB?
> 
> As we know, disabling JS prevents some sites working at all while other
> sites have reduced functionality.
> 
> Correct me if I am wrong, but I'm sure that server-side JS cannot get the
> user's real (non-Tor) IP address.
> 
> If that's correct, what's the problem with using JS and the TBB?
> 
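
Added example, not part of the original message and not Firefox or Tor Browser code: a model of the operation timing the reply describes and of one kind of counter-measure, coarsening the clock that scripts can read. The reply does not say which counter-measures it means; the 100 ms step used in the test, the simulated clock and all function names are assumptions made for illustration.

```javascript
'use strict';
// Simulated clock (constructed) so the outcome is deterministic.
function makeSimClock() {
  let now = 0;
  return { read: () => now, advance: (ms) => { now += ms; } };
}

// Counter-measure model (assumption): round every reading down to a stepMs grid.
function coarsen(read, stepMs) {
  return () => Math.floor(read() / stepMs) * stepMs;
}

// What a script observes when it times an operation whose true cost is costMs.
function timeOperation(read, advance, costMs) {
  const t0 = read();
  advance(costMs); // stands in for running the operation
  return read() - t0;
}

// Smallest positive step between consecutive readings: the observable granularity.
function estimateGranularity(readings) {
  let min = Infinity;
  for (let i = 1; i < readings.length; i++) {
    const d = readings[i] - readings[i - 1];
    if (d > 0 && d < min) min = d;
  }
  return min;
}

// Read a clock until n distinct values are seen (bounded busy-wait).
function sampleTicks(read, n, maxSpins = 5e6) {
  const ticks = [read()];
  for (let i = 0; i < maxSpins && ticks.length < n; i++) {
    const t = read();
    if (t !== ticks[ticks.length - 1]) ticks.push(t);
  }
  return ticks;
}

// Check the clock your own browser or runtime exposes to scripts.
if (typeof performance !== 'undefined') {
  const g = estimateGranularity(sampleTicks(() => performance.now(), 20));
  console.log('observed performance.now() granularity (ms):', g);
}
```

With an uncoarsened clock, two operations of different cost give different measurements; behind the coarsened clock both read as the same value, so a single measurement no longer tells them apart.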

