Can JavaScript break anonymity provided by Tor?

tl;dr: Yes, JavaScript can break anonymity provided by Tor if there's a browser vulnerability involved, if you enable features that weren't designed with anonymity in mind (like WebRTC or the Geolocation API), or through giving out more information for browser fingerprinting.

This particular site (https://pearsonpte.com/) uses the Geolocation API on line 31: navigator.geolocation.getCurrentPosition(). This doesn't use geolocation data for your IP address, but a location provider like a GPS chip on your device. Usually the browser prompts you for permission per site, but this can be allowed or denied globally. Allowing geolocation globally would be dangerous as it reveals your location in much more detail than your IP address.

Configuring your browser to prevent everything that could reveal your identity takes a lot of effort and is likely to fail. Even if you have all the knowledge to disable everything necessary, the more you customize your settings, the more unique your browser's fingerprint will be (Am I Unique?). Tor Browser is a standalone bundle with a pre-configured Mozilla Firefox with NoScript and HTTPS Everywhere, but the default settings enable JavaScript on the site itself and warn about external scripts. Being extra careful, you might want to tighten the settings by removing some of these:

[Screenshot: Tor Browser NoScript default settings]

Tor Browser is not perfect against browser fingerprinting, but it helps a lot with other mistakes you could make. Am I Unique? test results, first with default settings and then with JavaScript disabled, also suggest that disabling JavaScript might be a good idea:

But only 12 browsers out of the 992892 observed browsers (0.00 %) have exactly the same fingerprint as yours.

But only 1796 browsers out of the 992968 observed browsers (0.18 %) have exactly the same fingerprint as yours.

Even using the Tor Browser, you could screw up in several ways, including:

  • You forget (or neglect) to update the browser. Outdated versions can be quite dangerous: there have been vulnerabilities in e.g. handling file:// URLs and bypassing NoScript.

  • The site asks your permission to use HTML5 features like canvas image data. Tor Browser lets you allow it at your own risk, but you have been warned.

    [Screenshot: Tor Browser warning on HTML5 canvas image data]

  • You could allow scripts globally or trust a site you shouldn't (assuming you disabled scripts).

  • NoScript detects a potential Cross-Site Scripting attack, but you can allow requests to external sites.

  • Tor Browser is pre-configured with e.g. geo.enabled & geo.provider.ms-windows-location set to false, but it doesn't lock any of the settings in about:config.
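
Because those about:config settings are not locked, a changed value ends up in the profile's prefs.js. The following check is an added example, not part of the original answer: it parses prefs.js text in Firefox's `user_pref("name", value);` format and reports the two geolocation prefs named above if they have been overridden. The function names and the sample input are constructed for illustration.

```python
import re

# Expected values are the ones the answer states Tor Browser ships with.
EXPECTED = {
    "geo.enabled": False,
    "geo.provider.ms-windows-location": False,
}

# One preference per line: user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*(.+?)\s*\)\s*;\s*$'
)

def parse_value(raw):
    """Convert a prefs.js literal to a Python bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw  # unknown literal: keep the raw text

def parse_prefs(text):
    """Return {name: value} for every user_pref line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(text, expected=EXPECTED):
    """List (name, found, expected) for prefs overridden to an unexpected value."""
    prefs = parse_prefs(text)
    return sorted((name, prefs[name], want) for name, want in expected.items()
                  if name in prefs and prefs[name] != want)

# Constructed sample, not taken from a real profile.
SAMPLE = '''// Mozilla User Preferences
user_pref("browser.startup.page", 1);
user_pref("geo.enabled", true);
user_pref("geo.provider.ms-windows-location", false);
user_pref("example.string", "a, b); c");
'''

if __name__ == "__main__":
    for name, found, want in audit(SAMPLE):
        print(f"{name}: found {found!r}, expected {want!r}")
```

A pref that is absent from prefs.js has not been changed by the user, so it is not reported.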
