Opened 7 years ago

Closed 7 years ago

#10774 closed defect (wontfix)

NoScript/Javascript Enabled by Default for past several versions of TorBrowser

Reported by: gilidula Owned by:
Priority: Medium Milestone:
Component: Applications/Torbutton Version: Tor:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Software: TorBrowser 3.5.1

The TorBrowser is enabling Javascript by default.

Javascript has PROVED to be the main attack vector from the variety of government attackers we have seen in the past year. Almost all attacks were to create a maliscious javascript on a compromised hidden service or website, in order to reveal the real IP address of the client. These attacks have been mostly successful, according to news reports.
Security Requirements
"The security requirements are primarily concerned with ensuring the safe use of Tor. Violations in these properties typically result in serious risk for the user in terms of immediate deanonymization and/or observability. With respect to browser support, security requirements are the minimum properties in order for Tor to support the use of a particular browser. "

We have recently had several real-world attacks on tor users using javascript, amoung them "Freedom Hosting." The attack vectors are very large. In that case, users running the latest version of the browser, or users with javascript disabled, were protected. Users that didn't upgrade in time had their IP Address revealed.

Recent disclosures have revealed that entities are able to insert code into network streams at any point, anywhere in the world, and redirect users to fake sites with malicious code. Of course exit nodes can do this as well, or hidden services.

At this point, the number one issue with Tor Anonymity, as demonstrated in these real-world scenarios, as verified and stated by the Tor project leader, and in the disclosures, is BROWSER COMPROMISE. That IS the cause of deanoymization. #1!

Since the main point of the Tor Browser above all else is to not reveal the IP Address of the user, in this "new threat model," it will be a requirement to reduce the attack space in the default settings.

Users have called and cried anc cried to no avail to the Tor project to disable Javascript for YEARS. And they have been proven correct, and still, in this latest version, Javascript is enabled globally by default.

This forces other distributors like TAILS to likewise enable it for fingerprinting reasons. Yet the reality is, a large number of tor users already have it disabled.

If there is a usability issue with NoScript, then that must be solved as the root problem here, but by default users should get an "as safe as possible" experience.

In terms of fingerprintability, Tor Browser is already not trying to mask that the user is using Tor when visiting a site--all plugins disabled, tor browser user agent, obfuscated API calls, not to mention coming from a Tor exit node. There fore, fingerprintability is a feature that should apply not to the pool of WWW users, but to the pool of Tor WWW users. Therefore, there is no arguement to enable or disable javascript from a fingerprint perspective, as all tor browsers can have it enabled, or disabled, by default. Disabling javascript could only help reduce fingerprintability across Tor users.

Given the attack space, having Javascript enabled by default creates a false sense of security for the users, and hence is a defect.

Child Tickets

Change History (1)

comment:1 Changed 7 years ago by gk

Resolution: wontfix
Status: newclosed
Note: See TracTickets for help on using tickets.