[tor-talk] Tor and JavaScript
David Teller
2018-12-10 12:17:21 UTC
Well, there are many ways to use JavaScript to deanonymize you.

For instance, JS can be used to measure the speed of specific operations
on your computer, which already gives some information on what kind of
computer you are using. Firefox contains some counter-measures against
this, TorBrowser contains even more, but nothing is 100% safe.

Depending on your processor, there are also known attacks that work
inside a process or across processes that can be triggered in JavaScript
and used to read some of your memory. Again, your OS has
counter-measures, Firefox has counter-measures, TorBrowser has
counter-measures, but nothing is 100% safe.

Finally, JS has access to a number of APIs that can accidentally be used
to identify you (e.g. there are ways to find out your list of fonts, and
lists of fonts are typically different from one computer to another).
Usually, these holes are plugged in TorBrowser, but there may be holes
that have escaped the attention of devs.

I personally browse with JS activated, because I have very low safety
requirements (I use TorBrowser as a VPN, largely to increase deniability
by people who really need this), but YMMV.

Are there any serious disadvantages to using JS with the TBB?
As we know, disabling JS prevents some sites working at all while other
sites have reduced functionality.
Correct me if I am wrong, but I'm sure that server-side JS cannot get the
user's real (non-Tor) IP address.
If that's correct, what's the problem with using JS and the TBB?
tor-talk mailing list - tor-***@lists.torproject.org
To unsubscribe or change other settings go to
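
A check related to the timing point in the message above, as an added example that is not part of the original thread: it estimates the smallest clock step a script can observe, so you can confirm from inside a page whether a browser's timer-coarsening counter-measure is in effect. The function names, sample counts and the constructed fake clocks are assumptions made for illustration.

```javascript
// Added example (not from the thread): estimate the smallest clock step a
// script can observe. Names and defaults are illustrative assumptions.
function timerGranularity(clock, samples = 20, maxSpins = 1e7) {
  let smallest = null;
  let seen = 0;
  let last = clock();
  for (let spins = 0; spins < maxSpins && seen < samples; spins++) {
    const now = clock();
    if (now > last) {                 // the clock visibly ticked
      const step = now - last;
      if (smallest === null || step < smallest) smallest = step;
      seen++;
    }
    last = now;                       // also resyncs if the clock went backwards
  }
  return smallest;                    // null: no tick was observed
}

// True when the observed step is at least as coarse as the caller expects.
// minStepMs is whatever resolution you expect your browser to enforce.
function isCoarsened(clock, minStepMs, samples = 20) {
  const step = timerGranularity(clock, samples);
  return step !== null && step >= minStepMs;
}

// Constructed clock for offline runs: raw time advances stepMs per read and
// is optionally rounded down to a multiple of clampMs.
function fakeClock(stepMs, clampMs = 0) {
  let raw = 0;
  return () => {
    raw += stepMs;
    return clampMs > 0 ? Math.floor(raw / clampMs) * clampMs : raw;
  };
}

// Against the real clock (browser console or Node): report what a page sees.
if (typeof performance !== "undefined") {
  console.log("observed step (ms):", timerGranularity(() => performance.now()));
}
```

A coarse step limits how finely a page can time operations, but it only shows that one counter-measure is active, not that timing-based fingerprinting is impossible.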
2018-12-10 15:06:12 UTC
1. not serious?
JS leaks my OS name, architecture name, clock setting, fonts, and
more... These are not my IP address even though I don't welcome JS.

2. serious!
If malicious attackers/software can get my IP address but can't send it
to their server directly, they may replace my OS name with my IP address
for example, or they may encrypt my IP address and put it in information
that JS can send to the server. Tor can't stop that.

JS can send information that users don't want to send, without them
knowing. :(
TBB is a good product. But I have doubts about TBB (NoScript) enabling JS
for some sites by default.