[ art / civ / cult / cyb / diy / drg / feels / layer / lit / λ / q / r / sci / sec / tech / w / zzz ] archive provided by lainchan.jp

lainchan archive - /sec/ - 3543

File: 1484246520070.png (1.57 KB, 64x64, LibreJS_icon.png)


The folks on the Tor website recommend against running add-ons other than the defaults as that could be used to track you. However, recently I've been using LibreJS more and more with the TBB, even though I don't know a lick of coding. How do you Lains feel about whitelisting or running nonfree JS in your browser? I only whitelist a few sites that I need.


I don't enable any JS at all when using Tor, as (afaik) all recent browser exploits relied on JS in some way, and I want none of that soykaf.
If I do have to run JS (for example some lectures have online systems that I have to use), I'll do it in a different browser.

As for whitelisting only libre JS, the libre nature of the code doesn't offer any security benefits, as there's no guarantee anyone actually reviewed it, and it might make you easier to fingerprint. I'd personally advise against it.


File: 1484252689350-0.png (143.56 KB, 200x110, f1.png)

File: 1484252689350-1.png (143.25 KB, 200x110, f2.png)

I use uMatrix https://github.com/gorhill/uMatrix which allows me to filter content in a point & click fashion. For example, in the first screenshot attached I'm allowing all first party content on the domain lainchan.org, and this setting is saved (see the lock button). In the second, for all sites sites that I don't have settings for, I only allow CSS and images.

From my understanding, the main reason the Tor project recommends against installing additional addons is because you can't be assured that the addon is being routed through Tor if it makes requests (such as to update). This isn't incredibly important for me, so I install addons anyway. Set xpinstall.signatures.required to false in about:config to do so.

You can do a lot of things with uMatrix, so check it out. The screenshots are only a simple demonstration.


>From my understanding, the main reason the Tor project recommends against installing additional addons is because you can't be assured that the addon is being routed through Tor if it makes requests (such as to update).
I don't believe that's the case as these requests are made through firefox's plugin API, which will use proxies if set.
Addons do increase your attack surface and some (like uMatrix) make it easier to fingerprint you, which is why Tor advises against using them.


And there's also the possibility of the addon itself being malicious (like Ghostery or Web of Trust).


How does uMatrix make it easier to fingerprint someone?


>How does uMatrix make it easier to fingerprint someone?
You can fingerprint users through the sets of content they retrieve when loading a page. With a smartly chosen test set, you could at least discern between AdBlock users, uMatrix users and people without blockers.


I'd also advise against LibreJS. Bypassing it is as simple as tossing the GPL or MIT license at the top of an exploit. It simply doesn't offer much of a security upgrade, but more of a philosophical one.


Off topic but what is lainchan's opinion of using Tor with a VPN? Is it a good idea at all, and if it is is it better to do Tor>VPN or VPN>Tor. How would that work with openVPN on Linux? Any guides/articles are welcome.


It is a good idea, but there are different advantages depending on which way you do it. Tor>VPN protects you from compromised Tor exit nodes. VPN>Tor prevents your ISP from seeing that you use Tor -- I usually do this, as your ISP knowing you use Tor could get you put on a watchlist or provide evidence that you used Tor if accused of some cyber crime.

In Linux just activate your VPN as normal then use the Tor browser for VPN>Tor. I'm not sure about the other way around


File: 1487118335306.png (354.44 KB, 200x200, 1464896094380.jpg)

Thank's for the info lainon.


the way this is one is cruder than you think. For instance, many websites have scripts that detect adblockers, but you can block those scripts as well. The extra bandwidth and CPU power necessary for checking that every CDN is loaded as expected for a particular browser, without any client-side JS, is basically as large as delivering the page in full 2 or 3 times, and would(at least, IMO) not be worth the performance gains. Only a malicious attacker would do that; there are much more efficient fingerprinting methods out there for use by businesses.

But yeah, never install any addons to the tor browser if you're doing anything even remotely sketchy, as there are malicious attackers out there and standing out at all is a major liability.


What about pluggable transports and bridges? Aren't they sufficient to hide Tor traffic from your ISP?


not necessarily, the list of entry nodes is public.


Bridges and Pluggable Transports are different than entry nodes. In fact, all nodes that are not bridges are publicly listed by default.