try a new answer to the javascript question
Roger Dingledine

Roger Dingledine committed on 2013-08-12 00:25:09
Showing 1 changed file with 25 additions and 17 deletions.

... ...
@@ -66,8 +66,6 @@ includes Tor?</a></li>
66 66
     <li><a href="#TBBJavaScriptEnabled">Why is NoScript configured to
67 67
 allow JavaScript by default in the Tor Browser Bundle?  Isn't that
68 68
 unsafe?</a></li>
69
-    <li><a href="#TBBCanIBlockJS">I'm an expert!  (No, really!)  Can I
70
-configure NoScript to block JavaScript by default?</a></li>
71 69
     <li><a href="#TBBOtherBrowser">I want to use Chrome/IE/Opera/etc
72 70
     with Tor.</a></li>
73 71
     <li><a href="#TBBCloseBrowser">I want to leave Tor Browser Bundle
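Review bot: Removing the #TBBCanIBlockJS entry at old lines 69-70 leaves the index with no item that mentions blocking JavaScript. The surviving #TBBJavaScriptEnabled entry only asks why NoScript allows JavaScript by default, so a reader scanning the list for whether they can turn it off has nothing to find. Consider rewording the surviving entry so it covers both questions, since the answers are now merged into one.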
... ...
@@ -1038,6 +1036,7 @@ Extensions you might like include
1038 1036
 <hr>
1039 1037
 
1040 1038
 <a id="TBBJavaScriptEnabled"></a>
1039
+<a id="TBBCanIBlockJS"></a>
1041 1040
 <h3><a class="anchor" href="#TBBJavaScriptEnabled">Why is NoScript
1042 1041
 configured to allow JavaScript by default in the Tor Browser Bundle?
1043 1042
 Isn't that unsafe?</a></h3>
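Review bot: The empty anchor added at new line 1039, <a id="TBBCanIBlockJS"></a>, has nothing explaining why it sits directly under <a id="TBBJavaScriptEnabled"></a> with no heading of its own. It looks like dead markup and is likely to be deleted in a later cleanup, which would break existing links to #TBBCanIBlockJS. Add a short HTML comment beside it saying it is kept as an alias for the removed question.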
... ...
@@ -1051,26 +1050,35 @@ how to allow a website to use JavaScript (or that enabling
1051 1050
 JavaScript might make a website work).
1052 1051
 </p>
1053 1052
 
1054
-<hr>
1055
-
1056
-<a id="TBBCanIBlockJS"></a>
1057
-<h3><a class="anchor" href="#CanIBlockJS">I'm an expert!  (No, really!)
1058
-Can I configure NoScript to block JavaScript by default?</a></h3>
1053
+<p>
1054
+There's a tradeoff here. On the one hand, we should leave
1055
+JavaScript enabled by default so websites work the way
1056
+users expect. On the other hand, we should disable JavaScript
1057
+by default to better protect against browser vulnerabilities (<a
1058
+href="https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable">not
1059
+just a theoretical concern!</a>). But there's a third issue: websites
1060
+can easily determine whether you have allowed JavaScript for them,
1061
+and if you disable JavaScript by default but then allow a few websites
1062
+to run scripts (the way most people use NoScript), then your choice of
1063
+whitelisted websites acts as a sort of cookie that makes you recognizable
1064
+(and distinguishable), thus harming your anonymity.
1065
+</p>
1059 1066
 
1060 1067
 <p>
1061
-You can configure your copies of Tor Browser Bundle however you want
1062
-to.  However, we recommend that even users who know how to use
1063
-NoScript leave JavaScript enabled if possible, because a website or
1064
-exit node can easily distinguish users who disable JavaScript from
1065
-users who use Tor Browser bundle with its default settings (thus
1066
-users who disable JavaScript are less anonymous).
1068
+Ultimately, we want the default Tor bundles to use
1069
+a combination of firewalls (like the iptables rules
1070
+in <a href="https://tails.boum.org/">Tails</a>) and <a
1071
+href="https://trac.torproject.org/projects/tor/ticket/7680">sandboxes</a>
1072
+to make JavaScript not so scary. In
1073
+the shorter term, TBB 3.0 will hopefully <a
1074
+href="https://trac.torproject.org/projects/tor/ticket/9387">allow users
1075
+to choose their JavaScript settings more easily</a> &mdash; but the
1076
+partitioning concern will remain.
1067 1077
 </p>
1068 1078
 
1069 1079
 <p>
1070
-Disabling JavaScript by default, then allowing a few websites to run
1071
-scripts, is especially bad for your anonymity: the set of websites
1072
-which you allow to run scripts is very likely to <em>uniquely</em>
1073
-identify your browser.
1080
+Until we get there, feel free to leave JavaScript on or off depending
1081
+on your security, anonymity, and usability priorities.
1074 1082
 </p>
1075 1083
 
1076 1084
 <hr>
1077 1085
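Review bot: New line 1076 refers to "the partitioning concern" as if it were already defined, but the word does not appear earlier in the new text. The first added paragraph describes only the whitelist case ("your choice of whitelisted websites acts as a sort of cookie"). The removed lines 1061-1066 also said that a website or exit node can distinguish users who disable JavaScript entirely from users on the default settings, and that point is no longer stated anywhere in the answer. Either keep a sentence saying that any deviation from the default, including disabling JavaScript everywhere, separates you from other Tor Browser Bundle users, or name the whitelist issue "partitioning" where it is first described. Without one of those, the closing advice at 1080-1081 to choose "depending on your security, anonymity, and usability priorities" leaves the reader without the anonymity cost of the "off" option.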