Delivery-Date: Sat, 26 Jul 2014 15:26:45 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
	FROM_LOCAL_NOVOWEL,RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD autolearn=ham
	version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 5113D1E0A44
	for <archiver@seul.org>; Sat, 26 Jul 2014 15:26:44 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id D39852E6AD;
	Sat, 26 Jul 2014 19:26:43 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id AE2DB2E412
 for <tor-talk@lists.torproject.org>; Sat, 26 Jul 2014 19:26:27 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id bOF4EV1MvA4b for <tor-talk@lists.torproject.org>;
 Sat, 26 Jul 2014 19:26:27 +0000 (UTC)
Received: from mout.gmx.com (mout.gmx.com [74.208.4.200])
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id 8A1CB2D12D
 for <tor-talk@lists.torproject.org>; Sat, 26 Jul 2014 19:26:27 +0000 (UTC)
Received: from [127.0.0.1] ([99.190.181.188]) by mail.gmx.com (mrgmxus002)
 with ESMTPSA (Nemesis) id 0MVuyU-1X0Fcu2maG-00X6gx for
 <tor-talk@lists.torproject.org>; Sat, 26 Jul 2014 21:26:24 +0200
Message-ID: <53D400DA.6070203@gmx.com>
Date: Sat, 26 Jul 2014 14:26:18 -0500
From: Joe Btfsplk <joebtfsplk@gmx.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64;
 rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
X-Provags-ID: V03:K0:r2A8+M8/PCoRyXcdpsKbYbUHLRAp1+m985+pGFiqZAbglMX0jbl
 1s4XJzZUygrWKGDm1dlxJuwtjHXwSJHBhh/NhI4HIpJteCASK6FGP3ykSrXDmHQOsHCHRpC
 NMtpqsRioyyAABA1hmijHa93Xrydnu7OEgTWAx9uMtTlEyam9vvbIePJthwIjYgMQq1pOo2
 IpAWJIfqqiZmrRxhRSNAg==
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: [tor-talk] User views on lesser of 2 evils_Tor FAQ on using java
	script
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

How do some more advanced Tor users feel about pros & cons of leaving 
java script constantly enabled or selectively enabling it?
The overall java script issue & advice given at different times in 
different places can get confusing.
 From https://www.torproject.org/docs/faq#TBBJavaScriptEnabled:

"There's a tradeoff here. On the one hand, we should *leave JavaScript 
enabled* by default so websites work the way users expect. On the other 
hand, we should *disable JavaScript* by default to better protect 
against browser vulnerabilities ( not just a theoretical concern!). But 
there's a *third issue*: websites can easily determine whether you have 
allowed JavaScript for them, and if you disable JavaScript by default 
but then allow a few websites to run scripts (the way most people use 
NoScript), then your choice of whitelisted websites acts as a sort of 
cookie that makes you recognizable (and distinguishable), thus harming 
your anonymity. "

Unless you're seriously hard core in how you use TBB (visit only sites 
KNOWN not to use JS), you're effectively forced into either
* disabling js completely & not being able to use / see a lot of the net 
(even hard core news sites, etc.) - that's bad.
* selectively enabling js - which the FAQ says is also bad.
* leaving js on 100%.  Which is also said to be bad.

Yes, I understand what happens with & w/o JS, as to sites detecting info 
(if interested).  The issue is being "...between a rock & a hard place."
Seems we must make a choice:  Whether more concerned about "some" sites 
detecting JS is DISabled, while others detect it's ENabled (& 
presumably, these sites are jointly owned, or all share info or 3rd 
party trackers are advanced enough to ID even a "stock" Torbrowser, from 
one site to another).

If one or more of the latter 3 scenarios isn't true (or something 
similar), then one site detecting JS is off & another detecting it's on, 
isn't an issue.

Seems the advice given in different areas may conflict.  There are a 
good many advanced users not in favor of having JS enabled by default in 
TBB.
Unless they *only* visit JS free sites, they're forced to selectively 
enable it, unless don't care about broken sites.

But, enabling JS allows sites (that try) to get FAR more browser / 
system info than if it's disabled.
So, is it, "damned if I do, damned if I don't?"
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

