Re: [tor-talk] Mail service requires "java script enabled"
On 01/15/2013 06:57 PM, andr...@fastmail.fm wrote: > How do I enable javascipt while using Tor BB? > > Is it an addon? Javascript should actually already be enabled. TBB comes with an add-on called NoScript that blocks javascript except for for specific sites, but it's default setting is to allow all javascript (NoScript has other security advantages too). So either NoScript is actually blocking javascript on yahoo.com and you need to make an exception to allow it, or you've disabled javascript in your Firefox preferences somehow. If NoScript is the problem, when you go to mail.yahoo.com, you should see the NoScript icon just to the left of the address bar. Click it for options. There should be an option to "allow scripts globally" to set it to the default TBB behavior, or at least "Allow yahoo.com" to just allow javascript on yahoo. If the problem is that you somehow disabled javascript in the browser settings, you can click Edit -> Preferences, go to the Content tab, and make sure "Enable JavaScript" is checked. -- Micah Lee https://twitter.com/micahflee signature.asc Description: OpenPGP digital signature ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Mail service requires "java script enabled"
How do I enable javascipt while using Tor BB? Is it an addon? . On Tue, Jan 15, 2013, at 10:37 PM, Micah Lee wrote: > On 01/15/2013 12:14 AM, Joe Btfsplk wrote: > > Never say never - but I don't know that the real risk of js is leaking > > identity so much as someone running malicious code on sites you don't > > know or shouldn't trust. > > There isn't much risk of identity leaking by enabling javascript in your > browser. The most javascript should be able to do is fingerprint your > browser profile to detect plugins, fonts, etc. By using the Tor Browser > Bundle rather than just a normal web browser proxied through Tor, most > (with the goal of all) of these fingerprinting attempts are mitigated. > > So I think it's perfectly fine to enable javascript for Yahoo mail. If > you're going to be using Yahoo mail, make sure you turn on SSL: > https://www.eff.org/deeplinks/2013/01/yahoo-mail-makes-https-available > > There are definitely security concerns though, the biggest being using > javascript on a website that someone else has discovered an XSS bug on. > And browser zero days are much more likely to be exploited through the > use of javascript, etc. > > That said, these days there are serious usability advantages that > javascript provides, especially for sites like Google Maps. If done > correctly, it can be used to *increase* security in some cases (such as > the payment processor Stripe's use of ajax), and it can be used to make > content load faster and use less bandwidth, such as Twitter letting you > load only recent tweets without refreshing the entire page. And many web > developers build javascript functionality and don't bother to make it > work for NosScripters, which is annoying, but sometimes the > functionality they're going for is impossible without javascript. > > Javascript is kind of the future of the web, and it's only going to be > more prevalent as time goes on. And unlike in the 90s, it's genuinely > useful now, not just for adding bling to your site. Rather than be down > on javascript, I think it's more production to figure out ways to make > javascript more secure, like: > https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy > > -- > Micah Lee > https://twitter.com/micahflee > > ___ > tor-talk mailing list > tor-talk@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > Email had 1 attachment: > + signature.asc > 1k (application/pgp-signature) -- http://www.fastmail.fm - The way an email service should be ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Mail service requires "java script enabled"
Okthat's gives me some confidence. Thanks for the help. On Tue, Jan 15, 2013, at 10:37 PM, Micah Lee wrote: > On 01/15/2013 12:14 AM, Joe Btfsplk wrote: > > Never say never - but I don't know that the real risk of js is leaking > > identity so much as someone running malicious code on sites you don't > > know or shouldn't trust. > > There isn't much risk of identity leaking by enabling javascript in your > browser. The most javascript should be able to do is fingerprint your > browser profile to detect plugins, fonts, etc. By using the Tor Browser > Bundle rather than just a normal web browser proxied through Tor, most > (with the goal of all) of these fingerprinting attempts are mitigated. > > So I think it's perfectly fine to enable javascript for Yahoo mail. If > you're going to be using Yahoo mail, make sure you turn on SSL: > https://www.eff.org/deeplinks/2013/01/yahoo-mail-makes-https-available > > There are definitely security concerns though, the biggest being using > javascript on a website that someone else has discovered an XSS bug on. > And browser zero days are much more likely to be exploited through the > use of javascript, etc. > > That said, these days there are serious usability advantages that > javascript provides, especially for sites like Google Maps. If done > correctly, it can be used to *increase* security in some cases (such as > the payment processor Stripe's use of ajax), and it can be used to make > content load faster and use less bandwidth, such as Twitter letting you > load only recent tweets without refreshing the entire page. And many web > developers build javascript functionality and don't bother to make it > work for NosScripters, which is annoying, but sometimes the > functionality they're going for is impossible without javascript. > > Javascript is kind of the future of the web, and it's only going to be > more prevalent as time goes on. And unlike in the 90s, it's genuinely > useful now, not just for adding bling to your site. Rather than be down > on javascript, I think it's more production to figure out ways to make > javascript more secure, like: > https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy > > -- > Micah Lee > https://twitter.com/micahflee > > ___ > tor-talk mailing list > tor-talk@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > Email had 1 attachment: > + signature.asc > 1k (application/pgp-signature) -- http://www.fastmail.fm - Or how I learned to stop worrying and love email again ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Mail service requires "java script enabled"
Something to check into: A LONG time ago, some email providers had a "simple" or "basic" view / page, to login. It was a separate URL, that may or may not have required js, IIRC. For gmail, the "basic" login page didn't require html, either. That may be no more, but at least you could ask - perhaps on Yahoo's forum or in help pages. I may be way off here, but Tor devs know js is required on most webmail login pages (& many, if not most site logins). I'm guessing if it is a huge problem / risk of leaking identity, there would've been strong warnings and /or they'd possibly come up w/ a solution. More generally speaking, things that are warned about are separate prgms, plugins, addons, etc. Programs & apps vs. a computer language (java script). Not that it can't be abused - it can & is the source of many infections, problems. But a site like Yahoo is a trusted, safe site. As for a 99.9% guarantee that using js to login to a trusted site / webmail won't leak info - I don't know. Some VERY knowledgeable Tor expert will have to answer. Another consideration: There are email providers that don't log IP addresses (or don't keep them long) - at least, per their Privacy Policies. Some have low storage allowance / smaller attachment size than giants like Gmail, Yahoo. But, if using it for your more "private" mail (not everyday stuff), that isn't a problem. Or just d/l the email to HDD & del from their server. Free accts, that are super privacy conscious and allow much storage are pretty rare. There are good ones w/ good privacy / data retention policies or don't even record IP address when logging in. Some may have free accts w/ very limited storage. If they require an alternate address to open an acct, one can create an anonymous acct using Tor on another provider - that allows using Tor (see review from The Simple Computer). Could then close the acct, or keep - in case need to reset a PW. On most, w/o alternate email address on file, no way to reset PW if lost (or even if something goes wrong on their end). One review / list of providers I saw & recently started looking into for just such a purpose is: http://www.thesimplecomputer.info/articles/email-for-privacy.html which was linked from well known Windows freeware review site, under section "3. Use A Privacy Oriented Email Service": http://www.techsupportalert.com/content/how-protect-your-online-privacy.htm#Follow_This_Advice_To_Remove_Your_Information_From_Most_People_Search_Databases Article on The Simple Computer has good bit of info, including whether some (webmail) require js, which is only a concern if using a browser w/ webmail. If using Thunderbird & POP / IMAP, js isn't an issue, as it doesn't allow js in messages & you're not retrieving email through a web page anyway. If you PAY / donate for an acct by MOST methods, someone will likely always be able to track you, if determined. Here's Riseup.net's take on that issue: https://help.riseup.net/en/donate#how-do-i-donate-anonymously TIP: I've read if you "apply" for risup.net acct, don't go into your political stance, when filling out their form, as they are openly very left minded on political / social issues. Author of the article on The Simple Computer mentions that. Other providers that have been mentioned on this list (but each user should thoroughly investigate) any provider's CURRENT Privacy Policy, TOS & other "fine print" on what they will / won't do: * secure-mail.biz (free version without SMTP support, premium version full featured) * VFEmail needs a temporary mail address for account creation. * Vekja.net offers anonymous e-mail accounts for 100 Bitcoins per month. Here is also the SAME question you asked in 2011, w/ some suggestions others had for providers. I guess you didn't find one that suited you? Date: Thu, 16 Jun 2011 18:52:34 -0700 From: JW: To: tor-talk@lists.torproject.org Subject: Re: [tor-talk] Good email services?andr...@fastmail.fm wrote: I don't trust anything related to Google...or Yahoo. Can anyone recommend a good (anonymous, secure and not in based in the US) email service, it doesn't have to be fancy? I like both Securenym and also Countermail. http://www.securenym.net/ https://countermail.com/ Countermail is based in Sweden. Both services, however, are subscription based. Each has their own set of advantages. Countermail is very good. For free services, I've always liked Privatdemail. http://privatdemail.net http://privatdemail.net/en/faq.html Clearly, these guys seem to be on Our Team. I do not know whether or not they are affiliated with the German Privacy Foundation, but they are strong philosophical opponents of data retention. Their data storage is encrypted. I believe their servers are in Egypt. They use SSL on Port 995. No web mail. Yes, the one downside, is that they will require a registration email. That was no problem for me, as I maintain several anonymous accounts.
Re: [tor-talk] Mail service requires "java script enabled"
On 01/15/2013 12:14 AM, Joe Btfsplk wrote: > Never say never - but I don't know that the real risk of js is leaking > identity so much as someone running malicious code on sites you don't > know or shouldn't trust. There isn't much risk of identity leaking by enabling javascript in your browser. The most javascript should be able to do is fingerprint your browser profile to detect plugins, fonts, etc. By using the Tor Browser Bundle rather than just a normal web browser proxied through Tor, most (with the goal of all) of these fingerprinting attempts are mitigated. So I think it's perfectly fine to enable javascript for Yahoo mail. If you're going to be using Yahoo mail, make sure you turn on SSL: https://www.eff.org/deeplinks/2013/01/yahoo-mail-makes-https-available There are definitely security concerns though, the biggest being using javascript on a website that someone else has discovered an XSS bug on. And browser zero days are much more likely to be exploited through the use of javascript, etc. That said, these days there are serious usability advantages that javascript provides, especially for sites like Google Maps. If done correctly, it can be used to *increase* security in some cases (such as the payment processor Stripe's use of ajax), and it can be used to make content load faster and use less bandwidth, such as Twitter letting you load only recent tweets without refreshing the entire page. And many web developers build javascript functionality and don't bother to make it work for NosScripters, which is annoying, but sometimes the functionality they're going for is impossible without javascript. Javascript is kind of the future of the web, and it's only going to be more prevalent as time goes on. And unlike in the 90s, it's genuinely useful now, not just for adding bling to your site. Rather than be down on javascript, I think it's more production to figure out ways to make javascript more secure, like: https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy -- Micah Lee https://twitter.com/micahflee signature.asc Description: OpenPGP digital signature ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Mail service requires "java script enabled"
Java + Tor = bad Javascript in Tor browser bundle + Tor = probably OK. Ideally, you won't be using javascript, but as others have said, many mail services require javascript for more interactive and fancy UIs, and that's OK. What you *don't* want running with Tor is Java. Java is a virtual machine / large framework which works in browsers via a plugin. Stay away from plugins (save for those recommended for / included by Tor Browser bundle / Tor Browser developers). But as long as you're running TBB, you should be ok. Javascript = an interpreted language / engine entirely *inside* the browser infrastructure (whereas Java is not). On Tue, Jan 15, 2013 at 2:41 PM, wrote: > > .The problem site is Yahoo.com. It wants java script to be running. > > Don't know what to do. > > > On Tue, Jan 15, 2013, at 06:14 AM, Joe Btfsplk wrote: > > His subj. said java script, but in the message he said Java. Not many, > > if any web mails REQUIRE java. But many sites, incl. many web mails > > need js - at least to login. You might be able to get around w/o js, > > once logged in. > > There's no way around not using js, on some sites, if you want it to > > work, be able to d/l files, etc. In TBB, NoScript comes set default to > > allow js globally. > > > > Never say never - but I don't know that the real risk of js is leaking > > identity so much as someone running malicious code on sites you don't > > know or shouldn't trust. > > > > On 1/14/2013 9:52 PM, SiNA Rabbani wrote: > > > Java or JavaScript? > > > > > > Do not use email service that requires plugins such as Java. > > > On Jan 14, 2013 7:26 PM, wrote: > > > > > >> In trying to access an email, web based, the service said that java > has > > >> to be enabled. > > >> > > >> What's the best course of action here? > > >> > > >> Will enabling java create an IP leak or in some way defeat the purpose > > >> of using Tor to access the mail? > > >> > > >> Does Tor browser bundle even have the ability to use java? > > >> > > >> > > >> . > > >> > > >> -- > > >> http://www.fastmail.fm - A no graphics, no pop-ups email service > > >> > > >> ___ > > >> tor-talk mailing list > > >> tor-talk@lists.torproject.org > > >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > > >> > > > ___ > > > tor-talk mailing list > > > tor-talk@lists.torproject.org > > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > > > > > > > ___ > > tor-talk mailing list > > tor-talk@lists.torproject.org > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > > -- > http://www.fastmail.fm - One of many happy users: > http://www.fastmail.fm/help/overview_quotes.html > > ___ > tor-talk mailing list > tor-talk@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Mail service requires "java script enabled"
.The problem site is Yahoo.com. It wants java script to be running. Don't know what to do. On Tue, Jan 15, 2013, at 06:14 AM, Joe Btfsplk wrote: > His subj. said java script, but in the message he said Java. Not many, > if any web mails REQUIRE java. But many sites, incl. many web mails > need js - at least to login. You might be able to get around w/o js, > once logged in. > There's no way around not using js, on some sites, if you want it to > work, be able to d/l files, etc. In TBB, NoScript comes set default to > allow js globally. > > Never say never - but I don't know that the real risk of js is leaking > identity so much as someone running malicious code on sites you don't > know or shouldn't trust. > > On 1/14/2013 9:52 PM, SiNA Rabbani wrote: > > Java or JavaScript? > > > > Do not use email service that requires plugins such as Java. > > On Jan 14, 2013 7:26 PM, wrote: > > > >> In trying to access an email, web based, the service said that java has > >> to be enabled. > >> > >> What's the best course of action here? > >> > >> Will enabling java create an IP leak or in some way defeat the purpose > >> of using Tor to access the mail? > >> > >> Does Tor browser bundle even have the ability to use java? > >> > >> > >> . > >> > >> -- > >> http://www.fastmail.fm - A no graphics, no pop-ups email service > >> > >> ___ > >> tor-talk mailing list > >> tor-talk@lists.torproject.org > >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > >> > > ___ > > tor-talk mailing list > > tor-talk@lists.torproject.org > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > > > > ___ > tor-talk mailing list > tor-talk@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- http://www.fastmail.fm - One of many happy users: http://www.fastmail.fm/help/overview_quotes.html ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Mail service requires "java script enabled"
His subj. said java script, but in the message he said Java. Not many, if any web mails REQUIRE java. But many sites, incl. many web mails need js - at least to login. You might be able to get around w/o js, once logged in. There's no way around not using js, on some sites, if you want it to work, be able to d/l files, etc. In TBB, NoScript comes set default to allow js globally. Never say never - but I don't know that the real risk of js is leaking identity so much as someone running malicious code on sites you don't know or shouldn't trust. On 1/14/2013 9:52 PM, SiNA Rabbani wrote: Java or JavaScript? Do not use email service that requires plugins such as Java. On Jan 14, 2013 7:26 PM, wrote: In trying to access an email, web based, the service said that java has to be enabled. What's the best course of action here? Will enabling java create an IP leak or in some way defeat the purpose of using Tor to access the mail? Does Tor browser bundle even have the ability to use java? . -- http://www.fastmail.fm - A no graphics, no pop-ups email service ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Mail service requires "java script enabled"
Java or JavaScript? Do not use email service that requires plugins such as Java. On Jan 14, 2013 7:26 PM, wrote: > In trying to access an email, web based, the service said that java has > to be enabled. > > What's the best course of action here? > > Will enabling java create an IP leak or in some way defeat the purpose > of using Tor to access the mail? > > Does Tor browser bundle even have the ability to use java? > > > . > > -- > http://www.fastmail.fm - A no graphics, no pop-ups email service > > ___ > tor-talk mailing list > tor-talk@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Mail service requires "java script enabled"
In trying to access an email, web based, the service said that java has to be enabled. What's the best course of action here? Will enabling java create an IP leak or in some way defeat the purpose of using Tor to access the mail? Does Tor browser bundle even have the ability to use java? . -- http://www.fastmail.fm - A no graphics, no pop-ups email service ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk