Silk Road forums

Discussion => Security => Topic started by: Jack N Hoff on May 01, 2013, 10:34 am

Title: Javascript & TOR
Post by: Jack N Hoff on May 01, 2013, 10:34 am
I want to know more about leaking your real IP by having javascript running.  When can this happen?  For example, you need javascript enabled to click on a smiley on this forum, that is safe correct?  What about reddit?  You need javascript enabled to upvote, downvote and post.  Is that safe?  What about email providers like gmail?  The way I've always thought about it is that widely used and known websites should be safe and your IP should not leak by having javascript enabled.  Is this correct or am I wrong?

I would really like to know more about this.
Title: Re: Javascript & TOR
Post by: awhiteknight on May 01, 2013, 10:54 am
I can't think of an easy way to expose your details via JavaScript, but that doesn't mean that there isn't one. The main problem is one of surface area, there are a million things you can do with JavaScript and you can do them in a trillion different ways, so if there are a lot of different things that an attacker might try.


Once someone finds one, it would probably be fixed in the next version of your web browser, but that won't protect you today. Basically unless you're running Tails behind Whonix or some other non-persistent OS behind a Tor router you should have JS disabled because its potential for new exploits is so great.
Title: Re: Javascript & TOR
Post by: sourman on May 01, 2013, 11:05 am
Torbutton and noscript are supposed to filter out or break javascript operations that can otherwise reveal your identity. If you're using it for casual anonymous browsing (nothing explicitly illegal), then I'd leave it enabled. The risk is minimal and you need the functionality for any modern website to be useable.

Now if you're going to browse the darknet and conduct business of any kind, not only would I disable javascript in noscript entirely, but also delete (wipe) the torbrowser folder and re-extract it every few days or if there's an update. That's assuming you're using it within your personal OS and not something like TAILS where there is no permanent storage. I just don't see a reason to keep it enabled or let the folder sit there and accumulate all sorts of forensic artifacts. SR and the forums work just fine without javascript, so why risk using it?

EDIT: Damn, awhiteknight pretty much beat me to it. lol
Title: Re: Javascript & TOR
Post by: Jack N Hoff on May 01, 2013, 11:22 am
Thank you.  As for the forums, it was just an example. :)
Title: Re: Javascript & TOR
Post by: sourman on May 01, 2013, 11:45 am
Np, and yeah I figured you knew the forums would work without JS. It would be nice if those features worked without it, but oh well :)
Title: Re: Javascript & TOR
Post by: lukeuser on May 01, 2013, 12:19 pm
In terms of security, I'm probably in the gutter, I use my normal browser with a proxy switch  :-[

I might be paranoid, but not enough to overcome my laziness.
Title: Re: Javascript & TOR
Post by: Jack N Hoff on May 01, 2013, 12:22 pm
In terms of security, I'm probably in the gutter, I use my normal browser with a proxy switch  :-[

I might be paranoid, but not enough to overcome my laziness.

At least you aren't one of the goofs using onion.to
Title: Re: Javascript & TOR
Post by: lukeuser on May 01, 2013, 02:23 pm
In terms of security, I'm probably in the gutter, I use my normal browser with a proxy switch  :-[

I might be paranoid, but not enough to overcome my laziness.

At least you aren't one of the goofs using onion.to

thanks :D