David Teller
2018-12-10 12:17:21 UTC
Well, there are many ways to use JavaScript to deanonymize you.
For instance, JS can be used to measure the speed of specific operations
on your computer, which already gives some information on what kind of
computer you are using. Firefox contains some counter-measures against
this, TorBrowser contains even more, but nothing is 100% safe.
Depending on your processor, there are also known attacks that work
inside a process or across processes that can be triggered in JavaScript
and used to read some of your memory. Again, your OS has
counter-measures, Firefox has counter-measures, TorBrowser has
counter-measures, but nothing is 100% safe.
Finally, JS has access to a number of APIs that can accidentally be used
to identify you (e.g. there are ways to find out your list of fonts, and
list of fonts are typically different from a computer to the other one).
Usually, these holes are plugged in TorBrowser, but there may be holes
that have escaped the attention of devs.
I personally browse with JS activated, because I have very low safety
requirements (I use TorBrowser as a VPN, largely to increase deniability
by people who really need this), but YMMV.
Cheers,
David
For instance, JS can be used to measure the speed of specific operations
on your computer, which already gives some information on what kind of
computer you are using. Firefox contains some counter-measures against
this, TorBrowser contains even more, but nothing is 100% safe.
Depending on your processor, there are also known attacks that work
inside a process or across processes that can be triggered in JavaScript
and used to read some of your memory. Again, your OS has
counter-measures, Firefox has counter-measures, TorBrowser has
counter-measures, but nothing is 100% safe.
Finally, JS has access to a number of APIs that can accidentally be used
to identify you (e.g. there are ways to find out your list of fonts, and
list of fonts are typically different from a computer to the other one).
Usually, these holes are plugged in TorBrowser, but there may be holes
that have escaped the attention of devs.
I personally browse with JS activated, because I have very low safety
requirements (I use TorBrowser as a VPN, largely to increase deniability
by people who really need this), but YMMV.
Cheers,
David
Are there any serious disadvantages to using JS with the TBB.
As we know, disabling JS prevents some sites working at all while other
sites has reduced functionality.
Correct me if I am wrong, but I'm sure that server-side JS cannot get the
user's real (non-Tor) IP address.
If that's correct, what's the problem with using JS and the TBB?
As we know, disabling JS prevents some sites working at all while other
sites has reduced functionality.
Correct me if I am wrong, but I'm sure that server-side JS cannot get the
user's real (non-Tor) IP address.
If that's correct, what's the problem with using JS and the TBB?
--
tor-talk mailing list - tor-***@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-ta
tor-talk mailing list - tor-***@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-ta