Why is it dangerous to have javascript enabled while on dark net?

I've been told it's dangerous, why?

By default, javascript runs in a sandbox and shouldn’t leak anything dangerous about your system, especially if you’re running stock tor browser or a stock browser available in tails.

If you’re not running a stock tor browser or stock tails browser, it might leak information that could lead to fingerprinting your system. But if the javascript isn’t malicious and trying to run an exploit, they won’t be able to decloak your connection. If it is malicious and your browser is vulnerable to the exploit being used by the malicious javascript, then, the malicious javascript will be able to run its payload and that payload might decloak your connection and call-home to an attacker-controlled machine or do other nefarious things like install some malware on your machine allowing the attacker to spy on your day-to-day activities with that computer.

For a more practical example: in 2013, the FBI took over a tor hosting service named Freedom Hosting and inserted a malicious script in the pages of the onion sites hosted on that service. That malicious javascript used a javascript exploit to run a payload that called home to an FBI-controlled machine that sent the real IP address of the computer that had visited the site as well as a unique identifier for the computer. It led to multiple arrests of people who had visited child porn websites during the time the malicious script was present with a vulnerable browser (javascript enabled + vulnerable version of the browser + OS the payload could run on - it was a windows-only payload).

The malicious javascript code only worked on outdated versions of the tor browser as the exploit used by the malicious javascript had been fixed in the latest version of the tor browser (leading us to think that even though the FBI might use offensive techniques to do a wide swipe over pedos on the dark web, they won’t risk leaking a precious 0-day exploit just to do that). So, you should always make sure to run the most recent version of the tor browser or tails available at that time (although, there’s no guarantee that they’ll never use a 0-day).

I’m not aware of other similar events that have happened since, but there might have been. I’m not fully up to date with darknet news.

However, even if no other large-scale event like the one I talked about has happened since, it doesn’t mean that the FBI or other LEA aren’t using such methods in a more targeted way. Probably to get higher profile targets rather than to do large swipes to get the low hanging fruits running vulnerable software for which exploits are already known. In those cases, I believe that depending on the target, they might consider it worth it to use 0-day exploits as the risk of those being disclosed after the attack is much less than when doing a large swipe. Also, in those cases, I’d say the most likely payload wouldn’t be one that simply calls home but one that installs malware on the suspect’s machine in order to gather as much evidence before going for the arrest.

You can find some basic info about the event with Freedom Hosting from its Wikipedia page and some of their sources:

https://en.wikipedia.org/wiki/Freedom_Hosting

https://www.wired.com/2013/08/freedom-hosting/

https://www.wired.com/2013/09/freedom-hosting-fbi/

Moral of the story: if you’re using tor to do something that might remotely make you a person of interest for the law, you should disable javascript, at least when doing those activities that would make you an interesting person for them. There’s no way to say when something like that will happen again, if you might be a target of the next similar attack and if when that time comes the exploit used will be a 0-day, rendering using up to date software useless.

EDIT: LEA taking over some tor service and adding some malicious script to its pages should be your only worry.

There’s a class of attacks called XSS attacks (https://en.wikipedia.org/wiki/Cross-site_scripting) where a user can inject javascript code into a vulnerable website. Like in a forum post or a comment section. Of course, most of the time, the whole point to do that is to inject malicious javascript code to attack every person visiting the page containing the code.

Such attacks could be used by LEA for reasons similar to those used in the Freedom Hosting event but they could be used by pretty much anyone.

Vigilante hackers trying to hack pedos or people involved in other illegal activities.

Run of the mill cybercriminals trying for whatever reason, being blackmail or other nefarious things.

I’d say those people would be more likely to use 0-day exploits for such purposes since a wide-scale attack would be of much more value for them than for LEA and if they had access to a 0-day exploit, they might well think it’s worth it to get it disclosed for this purpose than LEA that is more limited in their use of 0-days as those can be used for intelligence operations and targeted attacks that have a much higher value to them than wide swipes over low hanging fruits.

Javascript is a client-side language therefore it runs on your own web browser/machine. Since it runs on your own computer an attacker can write scripts that would compromise your security.

Because JavaScript is used to enhance the quality of websites like displaying it according to the device resolution and size, and for this JavaScript gathers the information about what browser you are using, which platform it is running on (Mac, Windows, Linux, Android) including some other info related to timezones and display size which can be used to target you by the websites or anybody (hacker).

Javascript is client side. Scripts run on the machine loading the page. Loads of exploits and vulnerabilities they can take advantage of on your machine. You willingly download the payload basically.

Because javascript is fundamentally dangerous

```
"10" - "1"
9
"10" + "1"
"101"
```

Cross site scripting attacks allow attackers to hide their own code in someone else’s website. That code could reveal your identity
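The forum-post injection described in the XSS paragraphs above, as an added example that is not part of any poster's reply: a hypothetical comment renderer that pastes user text straight into the page, next to the escaped version a site operator should ship. The function names, sample comments and CSP value are constructed for illustration.

```javascript
// Constructed sample comments: one benign, two carrying markup.
const comments = [
  { author: "alice", body: "Thanks, that cleared it up." },
  { author: "mallory", body: "<script>alert(1)</script>" },
  { author: "mallory", body: "<img src=x onerror=alert(1)>" },
];

// Vulnerable: user text is concatenated into HTML, so any markup in a
// comment becomes part of the page for every later visitor (stored XSS).
function renderCommentUnsafe(c) {
  return `<li><b>${c.author}</b>: ${c.body}</li>`;
}

// Hardened: encode the five HTML-significant characters in one pass,
// so user text can only ever be displayed, never parsed as markup.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderCommentSafe(c) {
  return `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`;
}

// Second layer, sent as a response header: even if an encoding bug slips
// through, inline and third-party scripts are refused by the browser.
// Assumes the site serves its own scripts from its own origin.
const CSP_HEADER = [
  "Content-Security-Policy",
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
];

// Check for a regression test: list tags in the output other than the
// template's own <li> and <b>. Anything returned came from user input.
function injectedTags(html) {
  const tags = html.match(/<\/?([a-z][a-z0-9]*)\b/gi) || [];
  return tags
    .map((t) => t.replace(/[<\/]/g, "").toLowerCase())
    .filter((name) => name !== "li" && name !== "b");
}

for (const c of comments) {
  console.log("unsafe:", injectedTags(renderCommentUnsafe(c)),
              "safe:", injectedTags(renderCommentSafe(c)));
}
```
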

So if a market shop is requiring you to enable Java it’s a scam site or is it real? I found Deep Market place but it says to enable I found from links from legit sites … I don’t know

Does the dark web require JavaScript?

Thanks for the wonderful, extensive explanation! Clears up a whole lot of questions I had

Awesome. Very informative and concise. Thank you.

That's such an excellent reply, dude. You really took the time to explain it and put a lot of effort into it. This part of the world needs more people like you.

Leading us to think that even though the FBI might use offensive techniques to do a wide swipe over pedos on the dark web, they won’t risk leaking a precious 0-day exploit just to do that.

Another possibility is that people using an outdated version of Tor browser on Windows with Javascript enabled probably didn’t bother to encrypt their drives either. It could be a way of selecting the people they’re most likely going to be able to convict.

So people are still using windows to surf the deep web??

Hey u/ylan64, if java script is that bad, then why doesn’t tor recommend disabling java script from about:config?

Why does it tell me every time I’m on dread that I need to disable java but it is disabled?