![]() Last year, a problem with digital signatures caused Firefox and Tor to temporarily stop trusting lots of add-ons, including NoScript. That means that for everyone using Tor, JavaScript is either on or off with no ambiguous ‘ on sometimes’ halfway house. Users can’t do this in Tor because doing so might make things even less secure – the act of enabling JavaScript only on some websites could itself become an inadvertent cookie used to fingerprint users as they pop up around the web. ![]() Why not just use NoScript to whitelist JavaScript on trusted sites, as is the case when used with non-Tor browsers? Automatic updates of Noscript are enabled by default, so you should get this fix automatically. ![]() Noscript 11.0.17 should solve this issue. ![]() Tor release notes advise that the extension will normally update automatically: In short, the bug might in some circumstances allow JavaScript to continue to function even though this setting disallows that. The new upgrade alert is urgent for anyone using Tor in the ‘safest’ setting. On the other hand, many websites rely on JavaScript and disabling it can cause them to break, or at least work less well. There have been a small number of reports of this happening, for example in 2013, and again in 2016 when Mozilla issued a patch to fix a real-world JavaScript attack aimed at Tor by a government. Leaving JavaScript enabled opens users to the hypothetical risk that their anonymity might be compromised, for example using a vulnerability in the underlying Firefox browser. Tor’s ‘standard’ setting enabled JavaScript by default, which users can upgrade to either ‘safer’, which disables JavaScript on non-HTTPS sites, or ‘safest’, which disables JavaScript completely.Įach setting has its pros and cons. Whether the issue matters depends on how users have configured Tor to treat JavaScript. That was subsequently revised after the NoScript extension – used by Tor to control the execution of JavaScript, Java, Flash and other plugins – was updated to version 11.0.17. The Tor Project revealed the issue in the release notes for version 9.0.6, initially suggesting users manually disable JavaScript for the time being if the issue bothered them. The Tor browser has fixed a bug that could have allowed JavaScript to execute on websites even when users think they’ve disabled it for maximum anonymity.
0 Comments
Leave a Reply. |