Unsafe to temporarily enable javascript on Whonix Workstation?

If I’m using the Tor browser on Whonix Workstation and I use the Tor browser option to temporarily enable scripts on a specific web site, could someone explain how this compromises my anonymity and real IP address?

Thanks

I know enabling java script could allow web sites to fingerprint your browser. That in turn could be used to track you as you search the web. The EFF has a good little article on it with a few links you may be interested in. Web Browsers Leave ‘Fingerprints’ Behind as You Surf the Net. There is also the EFF’s Panopticlick which will show you how unique your browser is. You have to have java script enabled to use it.

I know you said you temporarily enable java script on certain sites and sometimes you have not choice but to disable no scripts for site functionality but you could still be tracked.(e.i You could develop a pattern of visiting the same sites at the same time everyday ) This could be further exacerbated if you have installed additional browser plugins.

Another thing disabling no scripts could do is open you up to possibility of malicious java script executing in your browser. This is not an area I know a lot about so I’m going to leave this up to someone else to explain. :wink:

There is one thing I do know, depending on your threat model having no scripts may not be enough to prevent someone from obtaining your identity/ ip . I don’t think there is a lot you could do if a state actor wanted to ID you.

Thanks for this informative reply.

I’ve heard about malicious scripts executing and reporting back de-anonymizing information such as the real (host) IP, and I thought that effected some Tor users who were not using Whonix. For that scenario, or even in the case of a sophisticated state actor, I guess I’m asking if there are any known cases of an attack “breaking out” of the Whonix VMs to reach the host OS and expose the real IP?

As I’m sure you know anything is possible but I believe whonix is designed to prevent your Ip from leaking out or being exposed to the host or attacker. To be honest I don’t know if there are any know cases, however someone from the whonix team would be better suited to answering that question for you. The following is an excerpt taken from the Whonix Wiki

The Workstation VM runs user applications. It is connected only to the internal virtual LAN, and can directly communicate only with the Gateway, which forces all traffic coming from the Workstation to pass through the Tor network. The Workstation VM can “see” only IP addresses on the Internal LAN, which are the same in every Whonix installation.

User applications therefore have no knowledge of the user’s “real” IP address, nor do they have access to any information about the physical hardware. In order to obtain such information, an application would have to find a way “break out” of VirtualBox, or to subvert the Gateway (perhaps through a bug in Tor or the Gateway’s Linux kernel).

I don’t want to give you wrong information so I think It would be better if I stopped here and let someone more experienced help you out. Sorry I couldn’t be more help full

Your answer is quite complete and your point is well taken that anything is possible.

NBrand:
Is Mysterium Blockchain-based VPN as good as its claimed to be?

Lidecker79:

Yes, I think its great .!!

MBrand:

Yes, I agree, your so smart to say so, what a great Internet site this is !

This is quoted from HulaHoop when I asked that question[quote=“HulaHoop, post:2, topic:4029, full:true”]
I looked at their whitepaper and there are no meaningful technical details or specs on how its implemented to resist strong adversaries. Also who is behind it and what is their reputation for researching and building such complex systems? With the exception of a couple of cryptocurrencies, every billing system is a surveillance system.

Also wasn’t Ethereum hacked to shreds a few months ago? Do people still buy it?
[/quote]

To sum it up there isn’t enough tech details or specs to make a conclusion. This simple fact that I haven’t been able to find anything meaningful says a lot. Plus the developers reputation is unknown. It won’t stop people from using it if its packaged pretty and “tech” sites that get paid for writing good reviews do a good job selling their product.

Enabling JS temporarily trades off security vs convenience because some pages will not load properly unless its enabled.

From a browser-fingerprinting POV you should be no worse than having it disabled since Tor Browser is designed to to have a uniform fingerprint whether JS is enabled or not.

However some attacks become easier however such as typing pattern fingerprints if you ever type in a browser. An easy workaround is to type in a notepad and paste in the browser. An OS-level mitigation is being developed that should protect against this and mouse movement tracking too even if JS is enabled.

1 Like