In-Reply-To: <592c8c82004c343e78dc2849f3a74f80.squirrel@bitmessage.ch>
References: <4a782f98882d597884c2287666c63cbc.squirrel@bitmessage.ch>
 <20160202151637.GN7734@moria.seul.org>
 <592c8c82004c343e78dc2849f3a74f80.squirrel@bitmessage.ch>
From: David Olofsson <david.m.o@telia.com>
Date: Wed, 3 Feb 2016 11:55:45 +0100
Message-ID: <CAKKXmSOkbbVJzQvr+1aoO=Y4056HMGQ_s6rLCVOKrpVwmU5DNA@mail.gmail.com>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Recommended setting for NoScript's Javascript?

I have solved many problems with JavaScript-based websites by disabling the
"apply these settings to whitelisted sites" and "cascade permissions to
whitelisted sub-sites". That has worked for me in all situations.

On 3 February 2016 at 10:23, <BM-2cTPSBeTK5RpF8A9ymciUDMaX61KzvzJu6@bitmessage.ch> wrote:

> I'm embarrassed I didn't notice the JavaScript explanation in the FAQs.
> Also, thank you for the info on the Ars Technica points.
>
> I have noticed in looking at a few more secure email services that they
> either have access without JavaScript enabled but don't have built-in
> encryption, or the reverse, encryption provided but access only with
> JavaScript enabled.  If you are aware of a service with both attributes it
> would be interesting to check it out.
>
> Thank you for your very clear explanation Roger, it was very helpful.
>
> > On Tue, Feb 02, 2016 at 05:44:00AM -0800,
> > BM-2cTPSBeTK5RpF8A9ymciUDMaX61KzvzJu6@bitmessage.ch wrote:
> >> I am sorry to ask such a basic question but I am confused by
> >> whether I should have the Tor browser set to:
> >> a. Temporary allow this page
> >> b. Revoke Temporary Permissions
> >> c. allow scripts globally
> >
> > It defaults to 'c', because otherwise many users would find websites
> > broken and not understand what's going on:
> > https://www.torproject.org/docs/faq#TBBJavaScriptEnabled
> >
> >> Today I perhaps made the error of changing the setting to revoke
> >> temporary permissions, but after I did this an encrypted email website
> >> I just began to use stated that it would not allow access because
> >> JavaScript needed to be enabled.
> >>
> >> After changing the setting to "Temporary allow this page" then I could
> >> again access email in one encrypted email service.  However now I can no
> >> longer access another encrypted email service (an impressive one) which
> >> has been working perfectly for me for weeks.
> >>
> >> So please inform me which setting I should be using.  (Or alternatively
> >> I could delete the Tor browser and just install it again to see the
> >> initial setting)
> >
> > It sounds like you've figured out how NoScript works. It is indeed a
> > bit safer to leave JS disabled globally, and enable it site-by-site when
> > you find that you need it. If you're comfortable doing it that way, go
> > for it -- it will be a bit safer than leaving everything enabled.
> >
> > I say "a bit safer" because, while reducing surface area for complex
> > things like JavaScript is good, there are many other parts of the browser
> > that are complex too. This is an area with quite some controversy over
> > the past years, since several attacks from the FBI have used JavaScript
> > vulnerabilities, and "they could have used other attacks" and "but they
> > *did* use this attack" are both valid points. (If you want to be one of
> > the users who disables JavaScript entirely, and then ends up even
> > angrier at Cloudflare, this is a legitimate choice too.)
> >
> >> Also, I thought it would be helpful to forward some important
> >> information I just encountered today.  Please read the Ars Technica
> >> article at the link below.  I found this by way of a Reddit thread.
> >> ...
> >> http://arstechnica.com/security/2016/02/default-settings-in-apache-may-decloak-tor-hidden-services/
> >
> > Yes, this is a known thing. It's one of the reasons Micah wrote
> > up the best practices list for onion service operators:
> >
> > https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices
> >
> > --Roger
> >
> > --
> > tor-talk mailing list - tor-talk@lists.torproject.org
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

