Why it is not advisable to use JavaScript with Tor? Yet with JavaScript, you cannot get the IP address of the user except through an external website. How could using JavaScript with Tor expose one's identity?
-
2Using Javascript functionality as intended is not the only danger. Javascript also provides an increased attack surface for security exploits. This is a very real risk, as CVE-2013-1690 showed the world a couple of years back. – nitro2k01 Jul 27 '15 at 13:06
3 Answers
I do not know where you got that information but wherever you got it, the official documentation is more reliable:
We configure NoScript to allow JavaScript by default in Tor Browser because many websites will not work with JavaScript disabled.
If you disable JavaScript by default but then allow a few websites to run scripts (the way most people use NoScript), then your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity.
But unlike Firefox and Chrome, Tor browser have not implemented WebRTC that allows requests to STUN servers be made that will return the local and public IP addresses for the user.
-
5See the very related question : Why is my internal IP address (private) visible from the Internet : http://security.stackexchange.com/questions/94783/why-is-my-internal-ip-address-private-visible-from-the-internet – Jiby Jul 27 '15 at 15:06
-
@Jiby that question is not about Tor browser and this one is not interested in getting specifically the IP address. I just wrote that information additionally otherwise the answer to this question ends where the quotation ends. – Jul 28 '15 at 07:18
There are a number of known vulnerabilities, that have been used, to deanonymize Tor users via leveraging JavaScript.
The first major incident where this happened was with the "Freedom Hosting" seizure by the FBI. The FBI kept servers online, and then installed javascript paylods which exploited a zero-day exploit in Firefox. This caused the computers to call back to an FBI server from their real, non-anonymized IP, leading to the deanonymization of various users. You can read more about it in Ars Technica.
In general, enabling JavaScript opens the surface area for many more potential attacks against a web browser. In the case of a serious adversary like a state-backed entity (e.g. the FBI), they have access to zero-day exploits. If the vectors for these zero-days are disabled (e.g. JavaScript), then they may be hard pressed to find a viable exploit even if they have access to zero days etc.
The only reason the Tor project allows JavaScript to be on by default in the Tor browser is usability. Many Tor users are not technically savvy, and JavaScript is commonly used with HTML5 in modern web sites. Disabling JavaScript causes many web sites to be unusable, thus it is enabled by default.
As a best practice, one should disable JavaScript in the Tor browser and keep NoScript enabled for all sites, unless you have an extremely compelling reason not to.
- 4,282
- 15
- 19
I believe this is to stop "browser fingerprinting". Javascript can get a lot of information, like the order that fonts are installed on a computer, the size of the screen, etc; - there is a good example at https://panopticlick.eff.org/ .
If you go to another site bypassing TOR, on the same computer, then the two sites may be able to compare notes, and realize you are probably the same person.
Panopticlick says that 85% of visitors are uniquely identifiable, by it's method. Another site, https://valve.github.io/fingerprintjs/ , appears to dig deeper - installed plugins, giving it "94% accuracy".
Ironically, since only a small proportion of users do things like blocking cookies, etc, doing so will actually INCREASE your uniqueness, and make you easier to identify with these techniques.
- 1,501
- 9
- 9