| A huge caveat regarding the comment that said general browsing is ok Browsing with JavaScript disabled (not just for some sites via the use of No-Script etc) is considered generally safe if browsing hidden services (ignoring traffic correlation attacks, adversary knocking nodes off line to increase the chances that your Tor circuit will use a guard and a relay node that they own and other tricks). Browsing the clear web however is a rather different matter. Because exit nodes are a mixture of honeypots, servers run by kind hearted volunteers, servers run by three letter agencies and corporately sponsored servers, “Exit traffic” to the web should be considered at a 'roll the dice' level of probability. Consider the example of person XYZ who is under an active investigation or there is a need for parallel construction. At (timestamp), Person XYZ activated a new Tor connection. This sort of info can be gotten from logs obtained from either your ISP or from any data centre or any point the connection that exited your building and connected to the guard node. Ok, so what, right? Agreed. However when correlated with Person XYZ also logged in to (or Googled ‘bad stuff keyword’, went to visit a site and was using a DNS server that logs queries, logged in to social media, sent an email, connected to IRC etc, etc) at (timestamp) then the ‘so what’ rapidly risks becoming rather more than a face-palm level of problem. Let’s take a look at a real life example of someone that emailed a fake bomb threat at a US University https://nakedsecurity.sophos.com/2013/12/20/use-of-tor-point... Spoiler alert, the fact that it made the news sort of tells you already that it didn’t end well for him. Bear in mind that as soon as you turn off JavaScript then you begin to stand out from the crowd (the Tor FAQ has a whole section on browser fingerprinting) |