Security and Javascript

Hello,

I’m trying to understand JavaScript as an attack surface and best practices to mitigate its concerns when using Tor. I understand that using the security level of “safest” is the best option when it comes to OPSEC for connecting to untrusted sites or for those with high threat models. Unfortunately (as many know) using this setting also breaks a lot of websites when clearnet browsing or when attempting to sign up for email and account services.

The Tor literature states that JavaScript settings can be altered in two different ways:

  1. Lowering the security level in settings.
  2. Making changes in NoScript.

It does not state a preferred method, only that the “easiest” is by changing security levels. My question is, is there a preferred method to allow for JavaScript (to prevent site breakage), but also maintain the best privacy, security, and anonymity as you can when allowing JavaScript? The context of this question is mainly pertaining to clearnet browsing and for use of things such as email and account services on .com/.onions (of trusted sites).

I have seen that some change NoScript settings by utilizing temporary whitelisting of domains; my understanding is that temporarily whitelisting domains helps reduce fingerprint considerations as compared to if one was to permanently whitelist domains (I assume this is because certain site scripts can see which domains you are blocking and allowing)? I have also seen some who, after utilizing the “safest” security level, go in and manually change the JavaScript setting in about:config, as it seems that JavaScript shows “enabled” in about:config even though it’s not (due to the “safest” security level). Is this a step that is actually necessary? Tor does not mention this in their literature.

Or does it not really matter and what’s more important is knowing when you should and should not use JavaScript depending on your threat model?

Thanks

The Security Level is the preferred user-friendly method to configure your security and anonymity, and out of the three options, two are relevant to your question:

  • Standard
  • Safer

Standard has all browser and website features enabled for maximum compatibility, while Safer changes these settings:

  • JavaScript is disabled on non-HTTPS sites.
  • Some fonts and math symbols are disabled.
  • Audio and video (HTML5 media), and WebGL are click-to-play.

Focusing on only the first point out of these three, this makes your question easy to answer:

  • On websites that serve mixed content, use Standard.
  • On websites that only use HTTPS/HSTS, use Safer.

No, (temporarily) whitelisting domains only means one thing: trusting its code.

It is not. Additionally, editing about:config can lead to deanonymization.

Absolutely correct.

Thanks for your response,

By “mixed content” are you referring to domains/subdomains that are HTTP and HTTPS? As in I would need Standard for these due to the HTTP aspect (since “Safer” would break the site)?

Thanks again.

Correct. To be as clear as possible, my definition of websites that serve mixed content refers to JavaScript being used in both HTTPS and non-HTTPS sources. If you use Safer instead, the JavaScript will be disabled from non-HTTPS sources, regardless of whether it is first- or third-party.

TB uses HTTPS-Only mode (HoM), which means secure sites upgrade all resources and sub-resources to secure and fail silently - that’s what the “only” part means.

To get to an insecure site, you need to allow an exception via the interstitial (the page that says blocked, allow exception, etc.).

@FranklyFlawless

On Reddit, members have mentioned how JavaScript can be used against a user: https://www.reddit.com/r/TOR/comments/om5aiv/what_exactly_is_the_risk_of_running_javascript/

Now the question is that if tor or tor in tails is used and the safest setting in tor is selected, which means no JavaScript for all websites, then most of the websites don’t work. Some wouldn’t show anything, some wouldn’t let you register, some wouldn’t let you upload or attach a file, and so on. To make them work, at least the safer setting would need to be selected, which means allowing JavaScript for all HTTPS and .onion websites. As JavaScript is enabled, what countermeasures do tor or tails have against tracking of a user by the website? Is one at the mercy of the websites that they wouldn’t track a user using JavaScript? What kind of tracking/fingerprinting can they exactly do if the user is using tor in tails? On Stack Exchange, in some threads people have mentioned that using JavaScript a website can know about a user’s real IP. Has anyone written in detail how that is possible and how to prevent this?

This is too broad a question to answer - I also do not work on tor (little t) nor tails. I work with (not for) the apps team on Tor Browser where we mitigate state tracking, navigational tracking (if we can), and stateless tracking - as well as limit disk leaks. This is all well documented - see FPI (First Party Isolation), RFP (privacy.resistFingerprinting).

Got it. For traffic-level analysis, are there any countermeasures?

This is a very broad question, and does not fit the topic, which is about JS (web sites). If you want to read up on little-t tor, there are a plethora of documents for you to get started.

Could you please perhaps recommend some documents to look for? Since it’s such a broad spectrum there are many elements, and lots of the documents found through search engines are now outdated. Thanks!

This is the design doc: The Design and Implementation of the Tor Browser [DRAFT]

Do not be fooled by the 2019 in the URL. Do not be fooled by the June 15 2018 revision date (just under the authors at the top).

It’s much older (AFAIK), and it’s horribly out of date.

But the gist/goals of it are essentially the same. Here - Tor Browser Design Doc · Wiki · The Tor Project / Applications / Team · GitLab - is the same doc, but converted to markdown, and the tor apps team is going to update it.

Thank you thorin.

After reading this I would like to ask an opinion question based off your position of understanding.

Question: Do you think KAX17 and the recent network wide DDoS attacks have any relation or are they simply two things that happened to the same network?

I know it’s off topic, but why throw away the chance of asking someone who actually knows :wink:

Sorry, can’t help you there. I do not work with little-t tor - I am not into networking - I work on the app, mainly in fingerprinting mitigations - 99.9% research + testing and 0.1% inspiration/success

Ah sorry my mistake.

When you say the app, do you mean tor for Android? If so, it would be interesting to hear what changes you think will be made during 2024?

The most recent thing I saw was connection assist upgrades but again I’m aware that isn’t your area.

Thanks for getting back to me!

I live here - Issues · The Tor Project / Applications / Tor Browser · GitLab - here … app = applications … so the browser itself, all platforms