[tor-talk] TBB "Security Level" Question.

Mike mikely at riseup.net
Mon Feb 10 21:43:18 UTC 2020


[Disclaimer: a non-expert view on the subject]

JavaScript is a way for sites to fingerprint you much more accurately.
Once fingerprinted, it doesn't really matter from what IP address you
are connecting. Your activity on the web can be correlated even if you
browse from different IP addresses each time.

So there is a good reason to keep JS, WASM and anything that downloads
and executes remote code on your computer off by default. That is
indeed the highest security level for a reason. Of course, having JS off
is itself a dimension which can be used as part of a fingerprint, but it
is far less significant than the multiple dimensions a JS=on setting
would give you.

*Not to forget that JS in combination with non-mitigated CPU
vulnerabilities can be a much bigger security hole (e.g. a script
reading the contents of your RAM as demonstrated by Google Project
Zero).

