/d/OpSec icon


15,203 subscribers

Discussion about OpSec, Threat Models, Protection, Assessment and Countermeasures.

Tor 11 Javascript warning

by /u/Shakybeats M · 4 votes · 2 weeks ago

Tor recently released Tor 11 (November 7th) It seems some Windows users are reporting an issue with Javascript still be enabled even after setting the security slider to safest.

First of all you should NEVER be using Windows for Darknet activity.

Second let this serve as an example of why everyone should not trust the security slider. This bug could happen in any OS, and you could still have javascript enabled.

To disable javascript type: about:config into the address bar.

Accept the risk and type java into the search bar.

Double click javascript.enable so it turns bold and is set to false.

Here is the bug for the tor page: http://eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion/tpo/applications/tor-browser/-/issues/40695

JS enabled on Safest in Windows

We received a user report on the forum that JS is still enabled on Safest, and @HackerNCoder has been able to reproduce on Win10. We haven't been able to reproduce it on MacOS or Linux yet.

Comments (10)
/u/waltcranston · 3 votes · 2 weeks ago · Link

Thanks! I guess this means I can continue to use the powerful windows vista combined with the impenetrable mcafee antivirus

/u/HeadJanitor Moderator · 1 votes · 2 weeks ago · Link

Windows Users:

(Despite annoying message, check about:config)

This is bug # 40695 associated with NoScript and in particular HTTPS Everywhere breaking due to CSS. Affecting only users with version 11.0a9 at random. Upgrade to Extended Support Release 78.15.0esr


The patch to ExtensionParent.jsm includes a method torWaitForExtensionMessage that isn't used but will be fixed in shortly.

Version Mozilla Firefox 91.3.0esr (64-Bit) should get rid of the bug.


/u/StarScream999 · 1 votes · 2 weeks ago · Link

Didn't happen to me. But I don't use HTTPS Everywhere. I don't see the point on TOR.

/u/HeadJanitor Moderator · 2 votes · 2 weeks ago · Link

HTTPS Everywhere and NoScript are built-into Tor.

/u/StarScream999 · 1 votes · 2 weeks ago · Link

You are correct, sir.

/u/HeadJanitor Moderator · 1 votes · 2 weeks ago · Link

But mostly wrong ;) Hope you're having a good night.

/u/sstanl · 1 votes · 2 weeks ago · Link

It's especially important on Tor. Not for using hidden services of course, but for everything leaving the Tor network.

You might be aware an unencrypted connection can be trivially eavesdropped at any point between sender and receiver (MITM). This is still the same for the path your connection takes from the exit node to the server.

But Tor adds something: An exit node already is a very convenient middle box for eavesdropping: Connections will take the same route for a while, you know you will have traffic and you can expect "interesting" traffic as ppl use Tor probably because they want to keep something secret.

/u/HeadJanitor Moderator · 1 votes · 2 weeks ago · Link

Resolved: upgrade passed 11.0a9

All Operating Systems

Tor Browser Download Installer




/u/Kooen · 1 votes · 2 weeks ago · Link

Once i got the Javascript warning from Dread when i clicked on a post despite i did manually disabled Javascript and set the security slider to safest. But when i reloaded the page the warning disappered. Strange.

/u/HeadJanitor Moderator · 1 votes · 2 weeks ago · Link

Check your version. Only applies to version 11.0a9a