Allow js in Tor?

Submitted by evenalder in Privacy

Tutanota sign-up: “Tutanota requires javascript to be enabled. Please, activate it in the settings of your browser.”

To Submit a new text post in Notabug:
“javascript is required for this feature Better support for participating without it may come in the future. Unfortunately for now you must enable JavaScript to use this.”

What is recommended?

  • Allow js in Tor
  • Close Tor and use a vpn with another browser (FF) and allow js there
5

You must log in or register to comment.

fabianhjr wrote

Don't, JS exploits have been used in the past to deanonimize.

9

evenalder OP wrote

So, don't use js (or Tuta) with Tor, right?

Elude is blocking me logging in or signing up a new account (contradicting the service description).

Got a recommendation for an onion mail service?

−1

celebratedrecluse wrote

tuta is kind of garbage, they don't even have IMAP so you are forced to either emulate the inbox in your browser with JS (bad idea) or use their closed source binary blob application to get it on your desktop through the clearnet (lol)

i would recommend protonmail routed through IMAP. For example, you can route your entire mail application through tor. This way, you avoid the issue entirely. Regardless of JS usage, it is inadvisable to emulate the email inbox in your browser. This relies on SSL encryption (unless its thru a .onion), and is vulnerable to MITM attacks (exit nodes, NSA hacked SSL encryption a long time ago, etc)

5

Raven wrote

Also protonmail has onion domain, with strange addition of HTTPS. It works with default Tor setting where JS is limited.

3

celebratedrecluse wrote

Barely, however. the page loads slow as fuck unless you set the security setting to "Low" instead of "medium". Also, their use of HTTPS is a major red flag to me lol

3

Raven wrote

lol I'd just wait for it to load. Basically no mail service that get things right... ugh I'll probably just go back to riseup or avoid email completely.

3

celebratedrecluse wrote

Yeah riseup is a huge target for state surveillance but i'd still trust it more than the other providers lol. they're all capitalists

5

[deleted] wrote

2

Raven wrote

it's not recommended to TLS your onion https://matt.traudt.xyz/p/o44SnkW2.html

2

[deleted] wrote

1

Raven wrote

A risk is still a risk regardless of whatever interjections. I intended not to take it, you are free to do it

1

[deleted] wrote (edited )

1

Raven wrote

Unless you can forge the same cert for clearnet AND onion, it is open to phishing attacks. Did you even read the fucking article or you just skim out the part that made sense to you? Fuck off.

1

69_SHOW_ME_THE_ORBS_420 wrote

Close Tor and use a vpn with another browser (FF) and allow js there

If you're considering this, you're probably not looking for Full Anonymity™, so turning on JS in the Tor Browser would be fine.

4

evenalder OP wrote

Yeah, I realize that is compartmentalizing, and moving to the "identified" compartment. ...and have to leave Tuta and the like in the ID'd compartment

0