Silk Road forums

Discussion => Security => Topic started by: BenCousins on July 20, 2012, 03:00 pm

Title: Dangers of Javascript
Post by: BenCousins on July 20, 2012, 03:00 pm
So sometimes I have to briefly turn javascript on to view things in TOR (privnote etc) and forget to turn it off. I see a lot of javascript paranoia around here so I'm wondering what are the dangers of this?

Also what are the dangers of using both the clearnet and TOR at the same time?

BC
Title: Re: Dangers of Javascript
Post by: Banjo on July 20, 2012, 07:15 pm
So sometimes I have to briefly turn javascript on to view things in TOR (privnote etc) and forget to turn it off. I see a lot of javascript paranoia around here so I'm wondering what are the dangers of this?

Also what are the dangers of using both the clearnet and TOR at the same time?

BC

I start off by being a whole lot more concerned about the dangers of using privnote...
Title: Re: Dangers of Javascript
Post by: BenCousins on July 20, 2012, 07:19 pm
Yes, I realize how dangerous privnote is but I'm not in the US.

So how does javascript expose you?

and are you saying there is no danger in using TOR and clearnet at the same time in different browsers?

BC
Title: Re: Dangers of Javascript
Post by: oscarzululondon on July 20, 2012, 07:49 pm
So how does javascript expose you?

It can be used to work out your real IP address and computer's MAC address very easily.

and are you saying there is no danger in using TOR and clearnet at the same time in different browsers?

The danger is incredibly small although still technically possible to create data leaks.
Title: Re: Dangers of Javascript
Post by: kmfkewm on July 20, 2012, 11:34 pm
A lot of the simpler anonymity issues with javascript are protected from by TorButton. The remaining concern about javascript is that it can be used by an attacker to exploit vulnerabilities in your browser. Not having javascript enabled makes it harder for hackers to pwn you through your browser.
Title: Re: Dangers of Javascript
Post by: BenCousins on July 21, 2012, 05:23 am
So just by ticking "enable javascript" then it doesn't just start reporting your IP through TOR and you have to be actually under attack first?

BC
Title: Re: Dangers of Javascript
Post by: kmfkewm on July 21, 2012, 07:44 am
1st I want to point out that torbrowser has js enabled by default, this is because torbutton is set up to block it and for whatever reason they can do it better with js enabled than disabled. Don't ask me why, it's fucking retarded but I questioned the devs before and this is what they fed me.

operating a clearnet browser and a tor browser at the same time incurs not a technical risk but a human one, that you might accidentally punch in SR's address in a clearnet browser which will reveal you. Or some other piece of anonymous info, it's safer not to do that cause you can screw it up but whatever ur call.

the risk with js is not necessarily an attack, though it certainly can be, it's more so the nature of js and flash and other addon plugin garbage which can circumvent tor by default and connect to clearnet. Not everything in a browser necessarily goes through your connection settings, especially flash and js.

so if ur really concerned about js then use noscript in torbrowser and it will block everything js, but I'm guessing they leave js enabled cause torbutton only blocks parts of it while attempting to leave it operational.

The Tor devs think it is better to blend into the crowd of browser fingerprints that have javascript enabled than it is to protect yourself from javascript based browser attacks. There is a trade off for sure, but I personally choose to avoid using javascript. They also want it to be enabled by default because a lot of Tor users actually want javascript and don't know they want it and don't know how to turn it on. So if it is off in TBB they will just stop using Tor.

Also please remove your CP avatar the vast majority of people here have no desire to see babies being raped. 
Title: Re: Dangers of Javascript
Post by: BenCousins on July 21, 2012, 09:19 am
1st I want to point out that torbrowser has js enabled by default, this is because torbutton is set up to block it and for whatever reason they can do it better with js enabled than disabled. Don't ask me why, it's fucking retarded but I questioned the devs before and this is what they fed me.

operating a clearnet browser and a tor browser at the same time incurs not a technical risk but a human one, that you might accidentally punch in SR's address in a clearnet browser which will reveal you. Or some other piece of anonymous info, it's safer not to do that cause you can screw it up but whatever ur call.

the risk with js is not necessarily an attack, though it certainly can be, it's more so the nature of js and flash and other addon plugin garbage which can circumvent tor by default and connect to clearnet. Not everything in a browser necessarily goes through your connection settings, especially flash and js.

so if ur really concerned about js then use noscript in torbrowser and it will block everything js, but I'm guessing they leave js enabled cause torbutton only blocks parts of it while attempting to leave it operational.
what is noscript?
As for using the clearnet with Tor (watching a youtube vid as an example) is this safe as everyone here seems to post "clearnet warning" when posting a link.
BC
Title: Re: Dangers of Javascript
Post by: pine on July 22, 2012, 05:11 am
Also please remove your CP avatar the vast majority of people here have no desire to see babies being raped.

Thank-you, I've been saying that for a couple of hours now.


Also please remove your CP avatar the vast majority of people here have no desire to see babies being raped.

What avatar are you looking at, it's just two vaginas.

You're full of shit and you know it. The width of a human thigh is quite thick and would normally make it difficult to tell an age characteristic on an image so tiny, but the width of the woman's leg on top gives a clear frame of reference because it is 3 times larger than the girl below her. At the very most it is a girl in her early teens with a small frame and an especially larger older woman, but it is even more likely that it is preadolescence child porn.

Delete your avatar and ideally, leave the site entirely, SR's reputation is not to be sullied by accusations of hosting child porn.
Title: Re: Dangers of Javascript
Post by: Hiding on July 22, 2012, 06:24 am
If JS was turned on, you could do a lot more than expose an IP. The dangers come of using JS/Flash to install any type of malware, which could search for .dat and steal bitcoins. Javascript is the #1 way computers are infected by viruses. I have written several flash/js based cross site scripting worms. Something like that all across tor, where people notoriously have bitcoin wallets or log in to SR/mtgox would be highly insecure. You'd be opening up a market of people who largely have some untraceable money somewhere.
Title: Re: Dangers of Javascript
Post by: kmfkewm on July 22, 2012, 07:00 am

Also please remove your CP avatar the vast majority of people here have no desire to see babies being raped.

What avatar are you looking at, it's just two vaginas.


If that avatar is of child porn, this will be your only warning to remove it.. or you will be banned....please take my advice.. I don't care if it's 2 vaginas, as long as both vaginas are 18 yo or older then whatever, but if not, please remove... ASAP!!!

You are going to need to remove it yourself, it is just a troll account so I doubt they cooperate. But it won't do much good to remove it yourself as they can just register again and do the same thing again. SR is perma-vulnerable to people spamming CP all over the forum via avatars and the only way to stop it is to not allow people to upload their own avatars.
Title: Re: Dangers of Javascript
Post by: kmfkewm on July 22, 2012, 07:06 am
What makes you think the other person isn't a little person. Nevermind femenazi bigots think everyone has to be exactly like them or it's not ok. Maybe you'd be better off on the back of the bus, learn what it feels like to be discriminated against.

Feel free to look at whatever you want but the community here (and me in particular) prefers not seeing toddler molestation
Title: Re: Dangers of Javascript
Post by: BenCousins on July 24, 2012, 07:40 am
I only really use deepweb for SR anyway so am I in any real danger from just turning it on occasionally to view privnote? I'll keep it turned off from now on anyway
Title: Re: Dangers of Javascript
Post by: fuckthepolice101 on July 24, 2012, 08:34 am

The Tor devs think it is better to blend into the crowd of browser fingerprints that have javascript enabled than it is to protect yourself from javascript based browser attacks. There is a trade off for sure, but I personally choose to avoid using javascript. They also want it to be enabled by default because a lot of Tor users actually want javascript and don't know they want it and don't know how to turn it on. So if it is off in TBB they will just stop using Tor.

Tor has the noscript plugin installed and enabled.

You can turn different plugins on and off.

Get familiar with it

:)
Title: Re: Dangers of Javascript
Post by: BenCousins on July 25, 2012, 01:37 pm
what is noscript?
Title: Re: Dangers of Javascript
Post by: Banjo on July 27, 2012, 06:29 pm
what is noscript?

It's a plugin for Firefox that allows you to specify which domains (websites) you want to allow to run Javascript.
Title: Re: Dangers of Javascript
Post by: BenCousins on July 28, 2012, 04:53 am
so is the danger on javascript only from certain websites?

BC
Title: Re: Dangers of Talking About Privnote to Pine
Post by: pine on July 28, 2012, 06:38 am
so is the danger on javascript only from certain websites?

BC

Listen, if you don't stop using privnote and don't head on over to PGP Club, I swear to God I will literally tear the fucking Tor network apart until I hunt you down and find you and then I will proceed to beat the living shit out of you until you manage to use PGP flawlessly.

Title: Re: Dangers of Talking About Privnote to Pine
Post by: pine on July 28, 2012, 08:10 am
Listen, if you don't stop using privnote and don't head on over to PGP Club, I swear to God I will literally tear the fucking Tor network apart until I hunt you down and find you and then I will proceed to beat the living shit out of you until you manage to use PGP flawlessly.
damn pine tell em how you really feel

Looks like it's time for a kitkat.

Ben, you need to recognize that this is a very serious security flaw. It is not zomg blackhelicopters we're talking about. If you're using privnote, you are giving one of Interpol's members your plaintext messages. It doesn't matter that you're not in the USA, not even a little bit. It is not harder to use PGP than it is to use privnote or hushmail or any other shitty compromised 3rd party service that will sell you out automatically. Seriously. You don't have to learn it from me if you don't want to, but learn it or you're toast.

Title: Re: Dangers of Talking About Privnote to Pine
Post by: LouisCyphre on July 28, 2012, 09:59 am
If you're using privnote, you are giving one of Interpol's members your plaintext messages.
FUD much? seriously, you're undermining your reasonable advice to use pgp by posting paranoid shit like this

If taken literally, yes.  I choose to interpret it as hyperbole to drive the point home.  I mean seriously, fucking privnote?!
Title: Re: Dangers of Talking About Privnote to Pine
Post by: pine on July 28, 2012, 10:24 am
If you're using privnote, you are giving one of Interpol's members your plaintext messages.
FUD much? seriously, you're undermining your reasonable advice to use pgp by posting paranoid shit like this

I did think about inserting an "effectively" or "probably" in there. Then I thought it probably wouldn't be as effective (ha!). It is just like saying "It's probably more effective for your safety to wear a seatbelt".

I mean, do we have to wait until there's another Hushmail event? Why? It's as clear as daylight that Ben is potentially for the chop if another one of those happens. 5 minutes to learn PGP or 5 years wishing he had, that's how I see it.

I 100% believe that Ben would be better off submitting his messages as plaintext through SR than using privnote. And I clearly don't think that's a good idea, in fact it's an awful idea, it's just that it's still much less worse than the "resource" he seems so keen to use.
Title: Re: Dangers of Javascript
Post by: BenCousins on July 28, 2012, 11:49 am
pine I agree with everything you said about privnote and believe me I don't use it but plenty of people do. I actually spend most my time sober (depression, anxiety makes the come downs from most things including alcohol just not worth it) so I don't actually order from here that much but when I do I use PGP but someone I know IRL is a vendor (aus vendor) and we were speaking about it and he was mentioning how many people who order from him send a privnote and he has to use javascript to view it so we were wondering what the exact danger is? now if he only uses his javascript for privnote and tracking sites (official post ones) and TOR for SR mostly is there any real danger.

Also I commend your PGP club but I've got the basics for the rare instances I use it down pat, but are you teaching any more advanced stuff to do with PGP/anonymity etc?

sincerely
Ben

P.S. No blackhelicopters down here we buy them but we can't seem to work out how they can fly

P.P.S I DO NOT USE FUCKING PRIVNOTE
Title: Re: Dangers of Javascript
Post by: LouisCyphre on July 28, 2012, 12:13 pm
Also I commend your PGP club but I've got the basics for the rare instances I use it down pat, but are you teaching any more advanced stuff to do with PGP/anonymity etc?

What do you want to know?

I've already posted a couple of more advanced things in other threads.  There are three I have up so far:

GPG HOWTO: Creating large keys and mixing algorithms (expert mode)
http://dkn255hz262ypmii.onion/index.php?topic=28474.0

GPG HOWTO: Backing up secret keys securely
http://dkn255hz262ypmii.onion/index.php?topic=28859.0

GPG HOWTO: Encrypting to yourself and a vendor, but concealing all recipients
http://dkn255hz262ypmii.onion/index.php?topic=29235.0

The second one also shows how to just use subkeys and separate the encryption subkey for escrow purposes if you're about to be fucked by LE.  All three of them require using the command line.

I'm happy to post other things on advanced GPG topics, but they will all be command line based and not geared to any of the GUIs people use.
Title: Re: Dangers of Javascript
Post by: pine on July 29, 2012, 12:32 am
pine I agree with everything you said about privnote and believe me I don't use it but plenty of people do. I actually spend most my time sober (depression, anxiety makes the come downs from most things including alcohol just not worth it) so I don't actually order from here that much but when I do I use PGP but someone I know IRL is a vendor (aus vendor) and we were speaking about it and he was mentioning how many people who order from him send a privnote and he has to use javascript to view it so we were wondering what the exact danger is? now if he only uses his javascript for privnote and tracking sites (official post ones) and TOR for SR mostly is there any real danger.

Also I commend your PGP club but I've got the basics for the rare instances I use it down pat, but are you teaching any more advanced stuff to do with PGP/anonymity etc?

sincerely
Ben

P.S. No blackhelicopters down here we buy them but we can't seem to work out how they can fly

P.P.S I DO NOT USE FUCKING PRIVNOTE

Well, I'm glad to hear it. It means I was wrong to rant at you, which is a relief.

The exact danger is that your Oz vendor could be deanonymized by privnote with a malicious script from LE agents and simultaneously also become associated with dozens of drug related transactions when LE requests the private keys for those messages the vendor is checking. That's assuming that privnote is in fact an actual business and not simply just a front for a LEO, which I think it most likely is given that as kmf was saying everybody is suddenly all "fuck yeah, privnote" out of nowhere on here and other drug related forums.

It is also not a good idea to use post tracking sites for locating packages in the mail system. This has nothing to do with Javascript and everything to do with the fact a record is being made of every query, and if a package is then found to contain product, then it is highly likely that the IP address of the person who made a query about that package on the tracking service will also be used to deanonymize the vendor/buyer. On that subject, many of us believe, including myself, that the postage tracking services of the world have a list of public Tor nodes which they check against any query. The result is that any query for a package made via Tor is going to secondary (customs taking a careful 2nd look). The ideal is not to have to check a package at all.

Finally, most tracking services in the world require things like signatures, identity documents and physical presence at a post office in order to register your package onto the system. Again: not good from the get go.

As for learning more advanced PGP, if you read the PGP thread in my signature, I'm pretty sure you'll be learning information which is new to yourself and most people, even if you already use PGP. Verifying signed PGP messages for example, or computing a hash to ensure your software downloads weren't compromised and so forth.
Title: Re: Dangers of Javascript
Post by: BenCousins on July 29, 2012, 05:46 am
pine I agree with everything you said about privnote and believe me I don't use it but plenty of people do. I actually spend most my time sober (depression, anxiety makes the come downs from most things including alcohol just not worth it) so I don't actually order from here that much but when I do I use PGP but someone I know IRL is a vendor (aus vendor) and we were speaking about it and he was mentioning how many people who order from him send a privnote and he has to use javascript to view it so we were wondering what the exact danger is? now if he only uses his javascript for privnote and tracking sites (official post ones) and TOR for SR mostly is there any real danger.

Also I commend your PGP club but I've got the basics for the rare instances I use it down pat, but are you teaching any more advanced stuff to do with PGP/anonymity etc?

sincerely
Ben

P.S. No blackhelicopters down here we buy them but we can't seem to work out how they can fly

P.P.S I DO NOT USE FUCKING PRIVNOTE

Well, I'm glad to hear it. It means I was wrong to rant at you, which is a relief.

The exact danger is that your Oz vendor could be deanonymized by privnote with a malicious script from LE agents and simultaneously also become associated with dozens of drug related transactions when LE requests the private keys for those messages the vendor is checking. That's assuming that privnote is in fact an actual business and not simply just a front for a LEO, which I think it most likely is given that as kmf was saying everybody is suddenly all "fuck yeah, privnote" out of nowhere on here and other drug related forums.

It is also not a good idea to use post tracking sites for locating packages in the mail system. This has nothing to do with Javascript and everything to do with the fact a record is being made of every query, and if a package is then found to contain product, then it is highly likely that the IP address of the person who made a query about that package on the tracking service will also be used to deanonymize the vendor/buyer. On that subject, many of us believe, including myself, that the postage tracking services of the world have a list of public Tor nodes which they check against any query. The result is that any query for a package made via Tor is going to secondary (customs taking a careful 2nd look). The ideal is not to have to check a package at all.

Finally, most tracking services in the world require things like signatures, identity documents and physical presence at a post office in order to register your package onto the system. Again: not good from the get go.

As for learning more advanced PGP, if you read the PGP thread in my signature, I'm pretty sure you'll be learning information which is new to yourself and most people, even if you already use PGP. Verifying signed PGP messages for example, or computing a hash to ensure your software downloads weren't compromised and so forth.

He is only oz domestic and only checks the parcels if there is a dispute and always through TOR. And they can just be bought with cash out of a vending machine here, no need for ID, signature, speak to anyone etc.