Question about JavaScript exploits which can unmask IPs of Tor users

During SR they slipped code into all of the Freedom Hosting sites and then executed an exploit of the Tor Browser Bundle itself for the JavaScript exploit, which unmasked all Tor users on any Freedom Hosting site.

My question is about how that works. Can I infer from this that I never have to actually worry about JavaScript exploits unless LE has found an exploit in the entire Tor Browser Bundle? Am I misunderstanding how this thing worked? Could having JavaScript enabled allow for some code which could unmask me if they haven't found a new exploit in the Tor Browser Bundle?


Comments


[5 Points] sickness29a:

Yes, if you allow JavaScript you're doomed. LE can manage to either add a script to the website in case of a seizure, but can also inject raw JS if they can decrypt the packets, and as of now it seems that they CAN decrypt Tor traffic: see https://gizmodo.com/the-nsa-can-probably-break-tors-encryption-keys-1273299782. Disabling JS is not bullet-proof, but not doing so is really not a good idea ... no way to have both. It would be a great idea to have ACLs or something along the lines of the "function_disabled=" property of php.ini for JavaScript, in order to disable certain calls that could lead to a leak of the real IP (but it's just the dev inside me talking right now).


[2 Points] InsanityDRM:

Yes, they use what is known as a STUN request. https://github.com/diafygi/webrtc-ips


[2 Points] dotosi:

Type about:config in the Tor Browser address bar and press Enter. Leave the checkmarked box and click on "I accept the risk". In the search bar at the top type javascript.enabled and press Enter. In the search list look for javascript.enabled and double-click on it. The value in the Value column will change from true to false, which means you have either enabled or disabled JavaScript. After doing this you can close the window. This should disable JavaScript entirely in Tor Browser. I use this in combination with NoScript. If you ever wish to be able to use JavaScript on a website you'll need to repeat the about:config instructions but change the value from false to true, and also of course configure NoScript to allow it.

This is one of the default tweaks I do after a new Tor Browser install. I understand NoScript and other extensions fulfill similar and additional tasks, but these also become attack surfaces. If there's a vulnerability that would allow bypassing NoScript, or some other way to compromise it, you could still be vulnerable. This is obviously a small piece in the larger puzzle that is 'staying anonymous'.
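As an added example, not posted by any commenter and not Tor Project code: a small Python audit that parses a Firefox-style prefs.js/user.js, reports whether javascript.enabled (the pref dotosi toggles above) is off, and, as an assumed mitigation for the WebRTC/STUN leak InsanityDRM links, whether media.peerconnection.enabled is off; it also emits the hardened user.js lines. The sample prefs file is constructed for the demo.

```python
import re

# Assumed hardened targets for this audit: javascript.enabled is the pref the
# comment above toggles; media.peerconnection.enabled is the Firefox pref that
# turns WebRTC off (the STUN leak the linked webrtc-ips page demonstrates).
EXPECTED_PREFS = {
    "javascript.enabled": False,
    "media.peerconnection.enabled": False,
}

# Constructed sample of a prefs.js / user.js file, not taken from a real profile.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("javascript.enabled", true);
user_pref("media.peerconnection.enabled", true);
user_pref("browser.startup.homepage", "about:tor");
"""

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Map pref name -> value for every user_pref(...) line; booleans become bool."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        raw = m.group(2).strip()
        if raw in ("true", "false"):
            prefs[m.group(1)] = raw == "true"
        else:
            prefs[m.group(1)] = raw.strip('"')
    return prefs

def audit_prefs(text, expected=EXPECTED_PREFS):
    """Return {pref: (actual, expected)} for each pref not at its hardened value.
    An unset pref (actual None) is reported too: Firefox then uses its default."""
    prefs = parse_prefs(text)
    return {name: (prefs.get(name), want)
            for name, want in expected.items() if prefs.get(name) != want}

def hardened_user_js(expected=EXPECTED_PREFS):
    """Emit user.js lines that set every expected pref to its hardened value."""
    return "".join(f'user_pref("{k}", {str(v).lower()});\n' for k, v in expected.items())

if __name__ == "__main__":
    for name, (have, want) in audit_prefs(SAMPLE_PREFS).items():
        print(f"{name}: found {have!r}, expected {want!r}")
    print(hardened_user_js(), end="")
```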


[1 Points] bitcoinmanagement:

Block all scripts


[1 Points] The_OPs_Mommy:

My question is about how that works.

The exact exploit used - known in the business as a NIT ("Network Investigative Technique") - is not publicly known at present.

Can I infer from this that I never have to actually worry about javascript exploits unless le has found an exploit in the entire tor browser bundle?

I certainly wouldn't infer that.

Am I misunderstanding how this thing worked? Could having JavaScript enabled allow for some code which could unmask me if they haven't found a new exploit in the Tor Browser?

Yes.


As a starting point => the basis for a real NIT utilized by the FBI to deanonymize targets on Tor back in 2012.

This was revealed through the discovery process in court. The code, while used in the 2012 NIT, was several years older and utilized a combination of JavaScript and ActionScript (Flash XMLSocket() iirc).


[1 Points] EternalTurmoil:

The crucial thing here is that most of the exploits reported so far targeted versions of the Tor Browser that weren't updated, attacking the older versions of Firefox they used.

Since the browser automatically updates now, it'll be harder to target Tor users, but more dangerous, since when an exploit for the current Firefox release is found it can be used against all Tor users.