Allow js in Tor?

Submitted by evenalder in Privacy

Tutanota sign-up: “Tutanota requires javascript to be enabled. Please, activate it in the settings of your browser.”

To Submit a new text post in Notabug:
“javascript is required for this feature Better support for participating without it may come in the future. Unfortunately for now you must enable JavaScript to use this.”

What is recommended?

  • Allow js in Tor
  • Close Tor and use a vpn with another browser (FF) and allow js there
6

Comments


fabianhjr wrote

Don't, JS exploits have been used in the past to deanonymize.

9

evenalder OP wrote

So, don't use js (or Tuta) with Tor, right?

Elude is blocking me logging in or signing up a new account (contradicting the service description).

Got a recommendation for an onion mail service?

-1

celebratedrecluse wrote

tuta is kind of garbage, they don't even have IMAP so you are forced to either emulate the inbox in your browser with JS (bad idea) or use their closed source binary blob application to get it on your desktop through the clearnet (lol)

i would recommend protonmail routed through IMAP. For example, you can route your entire mail application through tor. This way, you avoid the issue entirely. Regardless of JS usage, it is inadvisable to emulate the email inbox in your browser. This relies on SSL encryption (unless it's thru a .onion), and is vulnerable to MITM attacks (exit nodes, NSA hacked SSL encryption a long time ago, etc).

5

Mango wrote

Also protonmail has an onion domain, with the strange addition of HTTPS. It works with the default Tor setting where JS is limited.

3

celebratedrecluse wrote

Barely, however. The page loads slow as fuck unless you set the security setting to "Low" instead of "medium". Also, their use of HTTPS is a major red flag to me lol

3

Mango wrote

lol I'd just wait for it to load. Basically no mail service gets things right... ugh I'll probably just go back to riseup or avoid email completely.

3

celebratedrecluse wrote

Yeah riseup is a huge target for state surveillance but i'd still trust it more than the other providers lol. they're all capitalists

5

[deleted] wrote

2

Mango wrote

it's not recommended to TLS your onion https://matt.traudt.xyz/p/o44SnkW2.html

2

[deleted] wrote

1

Mango wrote

A risk is still a risk regardless of whatever interjections. I intended not to take it, you are free to do it

1

[deleted] wrote (edited)

1

Mango wrote

Unless you can forge the same cert for clearnet AND onion, it is open to phishing attacks. Did you even read the fucking article, or did you just skim out the part that made sense to you? Fuck off.

1

godman666 wrote

i'd agree on this statement, but would say that protonmail has been known in the past to work with the police and give up emails. Far too many people believe that, because they encrypt emails server side, it's safe to use without any second hand encrypting, not knowing that protonmail themselves can decrypt everything and hand them over.

In addition, a surefire way to evade man-in-the-middle attacks is to chain your vpn with tor, so it would work like so: vpn>tor>vpn ----------> tor browser

Imo the best email providers are riseup and autistici.org

2

celebratedrecluse wrote

> Far too many people believe that, because they encrypt emails server side, it's safe to use without any second hand encrypting, not knowing that protonmail themselves can decrypt everything and hand them over.

Well, i mean, email in general is tapped at the fiber optic cable level right? so it's not secure inherently. As far as the auto-encrypt goes, i agree, i wouldn't trust that. But we're not talking about the security of the account, we're talking about the anonymity, which is all the email over tor can offer you. It hides your specific geolocation, that's all we can realistically strive for imo.

if you can route IMAP through the .onion, there's limited capacity for a MITM attack on your location, which makes the email account less personally identifiable. They can still get you through metadata, of course, and the contents of anything unencrypted.

But as far as the protonmail servers being able to decrypt your messages, i don't think that's true. unless you use a weak password, they are using GPG key pairs with a passphrase that only the user is supposed to know. Even though they have the keys, is there really a way for them to crack open the emails if you use a good passphrase? At any rate, that's fine for them to do, because I never rely on that feature. Always encrypt your sensitive messages outside of a web browser, using your own locally stored GPG key. Everything else, assume the NSA gets to read, that's my opinion.

3

godman666 wrote

i was mostly just piggybacking off what you were saying. I believe when just talking about tor and all that there always has to be the conversation of just basic opsec fundamentals. In the left i find it to be pretty bad in general, groups keeping minutes of meetings on google docs, using 3rd party software while communicating, etc and then wonder why the police know everything already.

2

Mango wrote

> In addition, a surefire way to evade man-in-the-middle attacks is to chain your vpn with tor, so it would work like so: vpn>tor>vpn ----------> tor browser

Do not use Tor over VPN or other shit. That'd deanonymize you.

Also don't use autistici, their shit was raided and their servers were bugged in the past. Their implementation of crypto was shit too. By far, Riseup is the only radical provider that kinda got things right.

2

godman666 wrote (edited)

i was talking about chaining the vpn with tor as in layers, as in your connection goes to the vpn server, bounces around through tor, back to a different vpn server, then back out. Using tor by itself is bad, at the very least use a vpn with tor so the ISP doesn't know you are using tor. Adding layers does help obfuscate tor usage and thwarts a lot of traffic analysis.

Thanks for the heads up on autistici, i didn't know they have been raided.

1

Mango wrote

VPN over Tor is not recommended because the VPN can monitor your nodes and therefore know where you connected from. There are no trusted VPN providers. Tor over VPN is different because it is used to anonymize the connection to a VPN provider.

If you need a Riseup invite, DM me.

2

godman666 wrote

thanks buddy, but i already have a riseup.

"There are no trusted VPN providers" i wouldn't go that far, there are a few good ones that don't keep logs or information, also personally i find it easier just building your own vpn servers and maintaining that way. But if you don't have the skill set to run your own vpn servers, mullvad is supposed to be really good.

2

Mango wrote (edited)

> i wouldn't go that far, there are a few good ones that don't keep logs or information

Have you audited their source code yourself? Have you compiled your own OpenVPN client and server? If not then my point still stands.

1

[deleted] wrote

1

Mango wrote

I only use Riseup for XMPP, etherpad and email. I never used their VPN.

1

69_SHOW_ME_THE_ORBS_420 wrote

> Close Tor and use a vpn with another browser (FF) and allow js there

If you're considering this, you're probably not looking for Full Anonymity™, so turning on JS in the Tor Browser would be fine.

4

evenalder OP wrote

Yeah, I realize that is compartmentalizing, and moving to the "identified" compartment. ...and have to leave Tuta and the like in the ID'd compartment

0