is allow java script on tor make you traceable?

I'm trying to be complete anonymous in some reddit kind of community in my country.

no need to sign in to write a post or leave a comment but I have to allow js to do those things.

is it danger if I allow it?


Comments


[3 Points] None:

Reddit is generally considered to be a safe place to allow Javascript so you can post over Tor. If Reddit was doing something weird with Javascript, people would be able to tell and someone would raise a ruckus over it.

However, it is impossible to be 100% safe over Tor if you are using Javascript.


[1 Points] lovelylittlegangster:

Yeah, reddit fucking sucks for use over tor as they require js to be enabled for basic functions. Tails and windows are both potentially vulnerable.

Your best bet is to run Qubes/Whonix as your reddit posting platform, as that setup is sandboxed and doesn't know your IP. That makes deanonymisation through a js exploit much more difficult.


[1 Points] sapiophile:

Yes, JavaScript is a serious risk for those who require strong anonymity, especially if it is not delivered over HTTPS. Every known end-user de-anonymization of Tor users has (probably - we still don't know the details on the PlayPen bust) been done with JavaScript.

Set the Security Slider in Tor Browser to "High" and keep it there.


[1 Points] Kazaa99:

Usually it is no danger not. Only with flaw TOR browser in, a problem it can be...

Run whole internet connection through TOR, and not just the browser, and it should be a little safer.


[0 Points] FrozenMCVegetableCok:

Think of Javascript as adding another vector to violate your privacy if it's abused. If you recall the child porn hosting operation that was shut down right after Ross yanked SR1 off of Freedom hosting, that operation was carried out by serving the hosting site's normal javascript with an added bonus from the FBI that called home to the FBI and bypassed any VPN, Tor, or I2P protection by finding out your true local IP address from your system hardware configurations. The exploit in this case also allowed the scripts to run with Noscript set to ON due to a security problem in Firefox, the browser Tor Browser is based on.

They allegedly fixed the security issue that was used in the example I gave above but we won't truly be safer from it until Tor Browser gets a long term support edition of Firefox that uses the new multi-process system to segregate pages and plugins. Currently Tor browsers Firefox base runs all plugins and pages in the same process with multiple threads instead of each thread being isolated and secure if another thread gets compromised. Right now if a bad plugin or flaw gives an attacker access to the Firefox process, the get access as if they had administrator privileges across the entire browser process because of this.

On a site such as Reddit, if they allowed a similar method to be employed here, they would not only by in open violation of multiple laws but they could be sued for monetary damages by every person exposed to such a security flaw. The American legal system has class action lawsuits for circumstances such as those.

Not everyone on Reddit is a criminal. There are a lot of activist from all around the world who use Reddit to communicate and express their voices. If Reddit allowed something to occur on purpose and those same activist suddenly were found to have been executed or imprisoned because such an exploit exposed their identities and locations, I really think their company value would go to zero and they would be sold off to another company for pennies on the dollar.