Message-ID: <592c8c82004c343e78dc2849f3a74f80.squirrel@bitmessage.ch>
In-Reply-To: <20160202151637.GN7734@moria.seul.org>
References: <4a782f98882d597884c2287666c63cbc.squirrel@bitmessage.ch>
 <20160202151637.GN7734@moria.seul.org>
Date: Wed, 3 Feb 2016 01:23:44 -0800
From: BM-2cTPSBeTK5RpF8A9ymciUDMaX61KzvzJu6@bitmessage.ch
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Recommended setting for NoScript's Javascript?

I'm embarrassed I didn't notice the JavaScript explanation in the FAQs.
Also thank you for the info on the Ars Technica points.

I have noticed in looking at a few more secure email services that they
either have access without JavaScript enabled but don't have built-in
encryption, or the reverse, encryption provided but access only with
JavaScript enabled.  If you are aware of a service with both attributes it
would be interesting to check it out.

Thank you for your very clear explanation Roger, it was very helpful.

> On Tue, Feb 02, 2016 at 05:44:00AM -0800,
> BM-2cTPSBeTK5RpF8A9ymciUDMaX61KzvzJu6@bitmessage.ch wrote:
>> I am sorry to ask such a basic question but I am confused by
>> whether I should have the Tor browser set to:
>> a. Temporary allow this page
>> b. Revoke Temporary Permissions
>> c. allow scripts globally
>
> It defaults to 'c', because otherwise many users would find websites
> broken and not understand what's going on:
> https://www.torproject.org/docs/faq#TBBJavaScriptEnabled
>
>> Today I perhaps made the error of changing the setting to revoke
>> temporary permissions, but after I did this an encrypted email website
>> I just began to use stated that it would not allow access because
>> JavaScript needed to be enabled.
>>
>> After changing the setting to "Temporary allow this page" then I could
>> again access email in one encrypted email service.  However now I can no
>> longer access another encrypted email service (an impressive one) which
>> has been working perfectly for me for weeks.
>>
>> So please inform me which setting I should be using.  (Or alternatively
>> I could delete the Tor browser and just install it again to see the
>> initial setting)
>
> It sounds like you've figured out how NoScript works. It is indeed a
> bit safer to leave JS disabled globally, and enable it site-by-site when
> you find that you need it. If you're comfortable doing it that way, go
> for it -- it will be a bit safer than leaving everything enabled.
>
> I say "a bit safer" because, while reducing surface area for complex
> things like JavaScript is good, there are many other parts of the browser
> that are complex too. This is an area with quite some controversy over
> the past years, since several attacks from the FBI have used JavaScript
> vulnerabilities, and "they could have used other attacks" and "but they
> *did* use this attack" are both valid points. (If you want to be one of
> the users who disables JavaScript entirely, and then ends up even
> angrier at Cloudflare, this is a legitimate choice too.)
>
>> Also, I thought it would be helpful to forward some important
>> information I just encountered today.  Please read the Ars Technica
>> article at the link below.  I found this by way of a Reddit thread.
>> ...
>> http://arstechnica.com/security/2016/02/default-settings-in-apache-may-decloak-tor-hidden-services/
>
> Yes, this is a known thing. It's one of the reasons Micah wrote
> up the best practices list for onion service operators:
> https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices
>
> --Roger
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

