The FBI hates me because of this simple trick

Sorry for the clickbait-y title but I could not resist.

In the past, law enforcement agencies, namely the FBI, took over several hidden services and sometimes even spread malicious JavaScript code to de-anonymize visitors. While many of you probably use Tails anyway and have scripts disabled globally, it is still not a good idea to log into a site taken over by criminals law enforcement. It is therefore desirable to detect such an attack as fast as possible to minimize the damage done to the DNM community.

For this reason I created the Add-on 'JavaScript Warning' where you can enter addresses of sites that should never execute any kind of JavaScript code [for example a DNM]. If these sites do serve you JavaScript code, it prompts you with a big warning page. Of course this Add-on is available for the Tor browser through the official Mozilla Add-on store. The entire source code is public as well and easy to understand for people with little or no programming knowledge.

Before I come to checking the code I will explain how to use the Add-On:

  1. Visit the Add-On page https://addons.mozilla.org/en-US/firefox/addon/javascript-warning/ and install it.

  2. Go to your Add-on overview page [Tools -> Add-ons] and click on the 'Preferences' button for the Add-on. This opens a new page where you see a textarea. Note: you need to enable JavaScript for this page so it can save your settings. When I tested it, I had to enable scripts globally since I could not enable scripts specifically for this setting page. If you have the same issue [i.e. if you click save, the textarea goes blank], then allow scripts globally, reload the Add-On settings page, enter the sites that you want to trigger a warning, press save and then disable scripts globally again.

  3. Enter the addresses of the markets you use, one per line. Here is what it would look like with reddit, google and the hidden service of DuckDuckGo [I used DuckDuckGo as an example for a hidden service that executes JS]:

    reddit.com

    google.com

    3g2upl4pq6kufc4m.onion

Click on the save button.

Try it out. Visit, for example, the DuckDuckGo hidden service and you will get a warning like this: https://anonimage.net/view/pYfVqJRxmc The marketplaces you entered should now trigger a warning if they ever execute JS.

The Add-on will not be that useful for Tails users though since all Tor browser changes except bookmarks get reverted when rebooting. So it is more effective for Whonix users or others to use.

Note: this Add-on does not prevent the JavaScript code from executing and is not a replacement for NoScript! It only warns you if it detects script tags [which contain Javascript code] so you do not have to look at the source code of every single page you load. Always use it in combination with NoScript which is set to block all scripts globally.

Note: Do not forget to disable auto updates for this Add-on so I cannot automatically execute code that you do not want. To prevent this go to your Add-on overview page [about:addons] and click on the more link for the Add-on. Then set the 'automatic updates' option to off.


What do I have to do if I get such a warning?

If you get such a JS warning when you visit a DNM please visit this sub immediately and check if there is already a post about it. If not please submit a new one and also include the JS code from the text boxes on the warning page [so people can analyse the JS code that the DNM serves]. In the past law enforcement obfuscated the JS code which means you will probably see only gibberish in the text boxes on the warning page. However it is possible to still analyse it, so do not get confused when the code on the warning page looks strange.

In the past the malicious JS code was not deployed site-wide but rather in some specific sections / categories. So if a market gets taken over, we should expect to only see malicious code on purchase-related sites [e.g. the detail page of a specific order] because browsing a DNM is not illegal.


Checking the code

Fortunately you need absolutely no understanding of programming languages to understand the code of the Add-on. To check the source code after you have installed it enter about:support into your address bar and press ENTER or go Help -> Troubleshooting Information. Then click on the button Open Directory and go in the folder 'Extensions' in the newly opened file browser window.

There you see a file called JavaScriptWarning@example.com.xpi. Copy it to your desktop for example and rename it to addon.zip. Then you can extract it and view the source code. The relevant files are options.html, options.js and warning.js. The others are generated automatically by Mozilla and / or just include meta information.


Note: this Add-On is not perfect. It for example only does its work after the page loaded fully (i.e. the loading icon in the tab disappeared). One could technically prevent the Add-On from doing its job by making the compromised market pages load very long so that the user switches pages before the site has fully loaded (e.g. it is possible to make the site display correctly but still be loading).

If you have questions please post them below.
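
The check described in the post (a per-line host list, and a warning when a listed host serves script tags), as an added example that is not the add-on's source code and not part of the original post. All function names are hypothetical, the sample page is constructed, and a string scan stands in for the browser DOM so the block runs under Node.

```javascript
// Added illustration; not the add-on's code. All names are hypothetical.

// Parse the settings textarea: one host per line, blank lines ignored.
function parseWatchlist(text) {
  return text.split(/\r?\n/)
    .map((line) => line.trim().toLowerCase())
    .filter((line) => line.length > 0);
}

// A host is watched if it equals an entry or is a subdomain of one.
// The leading dot stops "notreddit.com" from matching "reddit.com".
function isWatched(host, watchlist) {
  const h = host.toLowerCase();
  return watchlist.some((entry) => h === entry || h.endsWith("." + entry));
}

// Collect every <script> element in the markup, external or inline.
function findScripts(html) {
  const found = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    found.push(src ? { kind: "external", value: src[1] }
                   : { kind: "inline", value: m[2].trim() });
  }
  return found;
}

// Decide whether a loaded page should raise the warning, and return
// the script sources so they can be shown and reported for analysis.
function checkPage(host, html, watchlistText) {
  if (!isWatched(host, parseWatchlist(watchlistText))) {
    return { warn: false, scripts: [] };
  }
  const scripts = findScripts(html);
  return { warn: scripts.length > 0, scripts };
}

// Constructed sample input (host list taken from the post's example).
const WATCHLIST = "reddit.com\n\ngoogle.com\n3g2upl4pq6kufc4m.onion\n";
const PAGE = '<html><head><script src="/static/app.js"></script></head>' +
  '<body><p>hi</p><script>var a = 1;</script></body></html>';
const CLEAN = "<html><body><p>no scripts here</p></body></html>";

console.log(checkPage("3g2upl4pq6kufc4m.onion", PAGE, WATCHLIST));
```

Like the add-on, this only reports what the page contains; it does not block anything, so script blocking still has to come from NoScript.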


Comments


[37 Points] svere21:

Nice try officer


[7 Points] wheeler786:

So... in order to use the addon that warns us about unsafe JavaScript, we have to activate JavaScript for the addon to properly configure it? Isn't this exactly what you do not want in the first place? Activate JavaScript anywhere?

Don't get me wrong, highly appreciate your effort.


[2 Points] JburnaDNM:

This is dope!


[1 Points] BrazzerBo:

Will it work for unsafe browser on Tails?


[1 Points] None:

[removed]


[1 Points] None:

For anyone with any doubts whatsoever about the contents of this plugin, I highly suggest you take /u/wombat2combat's advice and read through the source code. It is incredibly well documented and even with no knowledge of programming it should be extremely simple to follow.


[1 Points] Jevvishzealot:

Fuck the fbi pieces of shit...


[1 Points] MDMangle:

Thanks.

https://3g2upl4pq6kufc4m.onion/lite for DuckDuckGo with no javascript.


[1 Points] bobbiggs69:

I think this is pretty cool. Trust W2C or not, it doesn't matter because it's open source.


[1 Points] rifraf999:

Can you prove you're the real wombat and not currently LE? I would love to just take you at your word but...


[1 Points] PlatinumStripeDreams:

Won't this add-on make your browser fingerprint more unique? Essentially lowering your anonymity.