TBB enables JavaScript by default, presumably because many websites need JavaScript. NoScript can be used to selectively allow JavaScript from certain domains, but doing so could make it possible to fingerprint your Tor use.
By my judgment, you are more likely to be deanonymized by a Firefox JavaScript vulnerability than fingerprinting due to selective JavaScript allowance, so it is more secure to use NoScript to selectively allow JavaScript. I am curious whether others agree with this assessment? We know that Firefox vulnerabilities have been used to deanonymize Tor users, but we have never seen a fingerprinting attack used, AFAIK. (I am not questioning the TBB default of allowing JavaScript; that probably should be the default even if it increases risk, for usability reasons.) dhanlin -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
