GNU LibreJS on Tor Browser

Forna
Offline
Joined: 01/12/2014

Hi all,

I would like to add LibreJS to Tor Browser. I tried to install the .xpi file from http://www.gnu.org/s/librejs/distribution/librejs-6.0.1.xpi but it appears that it's not compatible with the browser.
So my questions are:
- Is there a way to install LibreJS on Tor Browser?
- If yes, is it safe to do so?

Greetings

onpon4
Offline
Joined: 05/30/2012

This is a bad idea. Don't do it.

LibreJS selectively blocks scripts. Servers can tell when you selectively block scripts, and it adds to your fingerprint. Since no one uses LibreJS with Tor Browser, you're basically a shining beacon when you do that, and that completely negates the purpose of using Tor.

The best option to avoid running proprietary JavaScript when using the Tor Browser Bundle is to disable scripts entirely with NoScript.

Legimet
Offline
Joined: 12/10/2013

In general, it's a bad idea to add any extensions or enable any plugins with Tor Browser.

dobie_gillis
Offline
Joined: 10/27/2014

I disagree. In fact, the TorBrowser bundle comes with a number of extensions, including NoScript: https://www.torproject.org/projects/torbrowser.html.en

onpon4
Offline
Joined: 05/30/2012

Plugins can be detected if you have JavaScript on, so those are a big no-no. Extensions can sometimes be okay, but it's not always obvious when they aren't.

Legimet
Offline
Joined: 12/10/2013

I said it's a bad idea to *add* extensions. I didn't say anything about using the NoScript or HTTPS Everywhere already included with the browser. Other extensions could harm your anonymity, and it's best to stay away from them.

See https://www.torproject.org/download/download-easy.html.en#warning.

dobie_gillis
Offline
Joined: 10/27/2014

"LibreJS selectively blocks scripts. Servers can tell when you selectively block scripts, and it adds to your fingerprint."

They can? How does not running certain scripts add to your fingerprint? Servers would have to be explicitly checking for that. I don't think that blocking certain scripts adds to your fingerprint. As I pointed out in another comment, the TorBrowser bundle comes with NoScript enabled.

onpon4
Offline
Joined: 05/30/2012

The Tor Browser Bundle comes with NoScript enabled, but note that the "allow scripts from x.com" type options are not in the menu by default. This is deliberate. You're only supposed to use NoScript on the Tor Browser Bundle to enable and disable JavaScript, and for its security features.

dobie_gillis
Offline
Joined: 10/27/2014

Ah I see. Thanks for the clarification! I'm going to read up about this.

J.B. Nicholson-Owens
Offline
Joined: 06/09/2014

name at domain wrote:
> They can? How does not running certain scripts add to your fingerprint?
> Servers would have to be explicitly checking for that.

I imagine it wouldn't be that hard to keep track of which visitors don't
request files hosted on the same (or friendly) servers. I imagine all
one really needs to do is get access to the request logs to build and
maintain a reasonable set of visitor browser 'fingerprints' and then
offer different pages based on the suspected fingerprint.

Since browsers typically request everything needed to build a rendered
page at roughly the same time, one could give a narrow time window in
which the requester must request the page's files. Not requesting
Javascript files, Flash files, advertisement graphics files, etc. at all
(not even to check to see if the file has changed as one might do to
show cached downloads) could mark one as probably running something like
NoScript, a Flash blocker (or no Flash player installed), ad blockers,
and so on.

The site could retaliate against such blockers by changing what the
visitor ultimately gets. Not requesting ad graphics? You get more
textual ads. Not requesting Javascript files? You get more CSS that is
more likely to be seen as annoying perhaps by animating this or that.
Maybe you get a different page altogether; a page which says that unless
you enable Javascript, disable your ad-blocker, or whatnot you won't get
the main site information you probably came to see.

Then again it should be simple to defend against this by requesting and
ignoring the files one doesn't intend to do anything with, or requesting
time/datestamps on such files to simulate a cached file check. This
could be a total waste of bandwidth to be sure, but a convenient way
around such profiling/filtering.
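
The request-log profiling described in the post above can be sketched as follows. This is an added example, not part of the original post or of any project mentioned in the thread; the manifest, the five-second window, the client keys and the log records are all constructed for illustration. It groups requests per client, records which kinds of subresource were not fetched within the window after the page request, and counts how many clients share each profile, which is the size of the set a visitor blends into.

```python
from collections import Counter, defaultdict

# Constructed manifest: subresources that the page /index.html references.
MANIFEST = {"/style.css": "css", "/app.js": "script", "/ad.png": "ad"}
WINDOW = 5.0  # assumed: seconds after the page request in which fetches are expected

# Constructed log records: (unix_time, client_key, path).
LOG = [
    (100.0, "A", "/index.html"), (100.2, "A", "/style.css"),
    (100.3, "A", "/app.js"), (100.4, "A", "/ad.png"),
    (200.0, "B", "/index.html"), (200.1, "B", "/style.css"),
    (200.3, "B", "/app.js"), (200.5, "B", "/ad.png"),
    (300.0, "C", "/index.html"), (300.2, "C", "/style.css"),
    (400.0, "D", "/index.html"), (400.1, "D", "/style.css"),
    (400.2, "D", "/app.js"), (409.0, "D", "/ad.png"),  # ad fetched outside the window
]

def missing_profiles(log, page="/index.html"):
    """Map each client to the set of resource kinds it did not fetch in time."""
    by_client = defaultdict(list)
    for ts, client, path in sorted(log):
        by_client[client].append((ts, path))
    profiles = {}
    for client, reqs in by_client.items():
        loads = [ts for ts, path in reqs if path == page]
        if not loads:
            continue  # client never requested the page itself
        start = loads[0]
        fetched = {path for ts, path in reqs if start <= ts <= start + WINDOW}
        profiles[client] = frozenset(
            kind for path, kind in MANIFEST.items() if path not in fetched)
    return profiles

def anonymity_sets(profiles):
    """Count how many clients share each profile; a count of 1 is unique."""
    return Counter(profiles.values())

if __name__ == "__main__":
    profiles = missing_profiles(LOG)
    sizes = anonymity_sets(profiles)
    for client, prof in sorted(profiles.items()):
        print(client, sorted(prof) or ["nothing missing"], "shared by", sizes[prof])
```

A client that fetches every file and simply does not use some of them, the defence suggested at the end of the post, falls into the same profile as clients A and B here.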

dobie_gillis
Offline
Joined: 10/27/2014

Just to clarify - LibreJS does request all the javascript files required by a web page through <script> tags like normal. Then, in the user's browser, it sends those scripts through a series of analyses and executes the scripts that it approves.

t3g
Offline
Joined: 05/15/2011

LibreJS is garbage and you should stick with NoScript if the running of JavaScript scares you. Even on the Tor network.

BTW I've noticed many times that I cannot access this site in Tor since many people use Tor to spam or be abusive. I generally use my normal browser when coming here though so it doesn't bother me.

Forna
Offline
Joined: 01/12/2014

Thanks to all, it was just curiosity and I was interested because I find it useful in IceCat!

dobie_gillis
Offline
Joined: 10/27/2014

Hi Forna,
LibreJS should be compatible with Tor. If it's not, then it's a bug. I'm unable to see the LibreJS icon when I install it in the TorBrowser bundle, and I've filed a bug which I'll be working on here so you can track its progress: https://savannah.gnu.org/bugs/index.php?43491

dobie_gillis
Offline
Joined: 10/27/2014

This alpha version of LibreJS 6.0.6 now works with Tor (and in private mode): http://alpha.gnu.org/gnu/librejs/librejs-6.0.6.20141110.xpi

SuperTramp83
Offline
Joined: 10/31/2014

baaaad idea

G4JC
Offline
Joined: 03/11/2012

As others mentioned it would hurt fingerprinting, test here for example:
https://panopticlick.eff.org

I think by default TOR Browser doesn't allow foreign extensions (for your security). It would be possible to override this at your own peril. You could accomplish similar simply by using GNUIceCat and TOR.

My personal rant: The defaults in TOR Browser (NoScript Globally enabled) are very bad for security.
- So it's up to you whether you wish to compromise security over discoverability.