Is it safe to allow scripts on Wordpress.com in Tor Browser?


5 months ago
On Wordpress.com one is required to allow scripts to access areas such as one's account information and statistics. Will allowing Wordpress.com to run a script (in Tor Browser) compromise one's anonymity and reveal one's real IP address?

I don't know what kind of script Wordpress.com uses, or if it even matters. When attempting to view account settings with "NoScript" enabled, it says a script called "browsehappy" has been blocked and nothing can be viewed -- I don't know if this is Javascript, Java, Flash, or some other kind of script. Wordpress.com says that users can't add their own Javascript to the site, but they don't say what kind of script they themselves use.

The only way to access certain pages on Wordpress.com is to "temporarily allow scripts", and I am wondering if this risky/unsafe to do, or if the Wordpress.com scripts (when temporarily allowed) might reveal one's real IP address and de-anonymize them (or make them vulnerable in some other way).

I am also wondering if it is necessary to click "restrict third party cookies and other tracking data" (under Privacy Settings) or the "accept cookies from sites" button (under preferences) to maintain anonymity -- if cookies are completely disabled, will this disable functionality and make it impossible to use Wordpress.com and other sites?

5 months ago
Yes, this is risky.

Javascript itself cannot reveal your IP, but there were several successful attacks on Tor users via abnormal browser behavior, and your browser can also be vulnerable. The most dangerous are Remote Code Execution exploits, so if someone intrudes into your local computer via some buggy Javascript/sandbox code, your IP will be revealed.

To avoid this you should use Virtual Box setup, like in Whonix/Tor_VM. Even if you catch some rootkit, there is still very hard to identify your real IP because rootkit should pop-out from Virtual Machine to Host Machine, and run itself there.


Cookies and tracking data could be dangerous if you use same browser for Tor and non-Tor browsing. And even if you use different browsers, there are still things like Flash SharedObjects that are common for all browsers in the same OS. So Virtual Box is a good thing anyway.

5 months ago
Yes, this is risky.

Javascript itself cannot reveal your IP, but there were several successful attacks on Tor users via abnormal browser behavior, and your browser can also be vulnerable. The most dangerous are Remote Code Execution exploits, so if someone intrudes into your local computer via some buggy Javascript/sandbox code, your IP will be revealed.

To avoid this you should use Virtual Box setup, like in Whonix/Tor_VM. Even if you catch some rootkit, there is still very hard to identify your real IP because rootkit should pop-out from Virtual Machine to Host Machine, and run itself there.


Cookies and tracking data could be dangerous if you use same browser for Tor and non-Tor browsing. And even if you use different browsers, there are still things like Flash SharedObjects that are common for all browsers in the same OS. So Virtual Box is a good thing anyway.
"TOR Hacker"

What if the following were done: if I visited Wordpress.com on the latest Tor Browser without using a virtual machine (i.e. using Tor on a host machine such as Mac OS X), but when doing this I would have "NoScript" on 100% of the time. And, if I needed to use a script on Wordpress.com for any reason, I would visit Wordpress.com on a Tor Browser within a virtual machine (such as VirtualBox & Whonix) and use those scripts in the VM -- but that would be the only time I'd use a Virtual Machine.

Would this be risky? Is there anything to worry about when using a Tor Browser without a virtual machine so long as NoScript is on 100% of the time?

Reply

You are not logged in. Login or register to reply on this thread.