
What? JavaScript is enabled by default on the Tor Browser Bundle, and users are not actively encouraged to turn it off.


It's complicated. Javascript is enabled, but NoScript is installed. But NoScript by default allows all "honest" scripts, although it does block some stuff. But that's in the default "low security" mode. The goal is having websites work, so users won't give up on Tor, while providing some security. Users can increase security, but there are only three options (low, medium and high). That's to keep user profiles in fewer bins. In the "high security" mode, all scripts are blocked.


I used NoScript roughly ten years ago and it was a lot of work to manually enable JavaScripts all over the place. I used it for a couple of years solid, but eventually gave up on it, since I was practically just enabling JavaScripts on every site anyway. Everyone I tried to introduce it to gave up on it after a few weeks at most.

To NoScript's credit, it did block a phishing site that I otherwise would've fallen for once.

That was before the era of single-page apps. Like it or not, JavaScript is mandatory for even basic functionality on the modern web.

Telling users to introduce 4 clicks to load every new domain and potentially experience some significant breakages (e.g., I remember some checkout processes failing because they'd bounce the request around between scripts from processors, fraud prevention, etc.) just on the remote chance that they'll encounter malicious JavaScript is simply a non-starter. Something like Ghostery that mostly-transparently blocks things is a better proposition for ordinary adoption.


An absolutely insane default IMO, especially when those who might need to use Tor the most are the technically illiterate.


> An absolutely insane default IMO

Why do you consider it to be so? To quote Tor Project's Mike Perry:

The reason we feel that leaving Javascript enabled trumps these concerns is:

1. We want enough people to actually use Tor Browser such that it becomes less interesting that you're a Tor user. We have plenty of academic research and mathematical proofs that tell us quite clearly that the more people use Tor, the better the privacy, anonymity, and traffic analysis resistance properties will become.

In fact, my personal goal is to grab the entire "Do Not Track" userbase from Mozilla. That userbase is probably well in excess of 12.5 million people: http://www.techworld.com.au/article/400248/

I do not believe we can capture that userbase if we ship a JS-disabled-by-default browser.

2. Exploitable vulnerabilities can be anywhere in the browser, not just in the JS interpreter. We disable and/or click-to-play the known major vectors, but the best solutions here are providing bug bounties (Mozilla does this; we should too, if we had any money) and sandboxing systems (Seatbelt, AppArmor, SELinux).

https://lists.torproject.org/pipermail/tor-talk/2012-May/024...


I won't address all your points because I'm phone posting, sorry. It seems to me that there are two ideal consumers of the tor product; the people who need to use it because they are at risk of being identified in meatspace (needsecurity), and the people that are required to mask the first (providesecurity).

The needsecurity group should not have js enabled because it has been shown to be insecure (correct me if I'm wrong).

I would be happy if there was a big, red, fullscreen, flashing dialogue when tor browser was started asking the user which they were.

I would/will be happier if/when major browsers transition to 'tor as normal' status and everyone is in the providessecurity group.


Would you consider putting up an email in your profile (even anonymized), or emailing me (my email is in my profile). I am interested in talking with you about Tor security research, and it seems you are an affiliated dev.


Sent you an email, still waiting for a response :P


Noscript itself promotes malware, has a very shady history, and should be avoided.


Tails is very security-concerned, if Noscript was shady they wouldn't have included it. So if you think they purposely included something that promotes malware, you are saying people should stay away from Tails.

I think you are trolling. In fact, I wouldn't be surprised if you worked for some organization that wants to keep people off Tor.

If you want to defend your post, then explain what people should do instead of using Tails.


If you think NoScript is not shady, you must be unaware: https://news.ycombinator.com/item?id=12624000

I don't want to keep people away from TOR, I personally don't care about the TOR project as such, but I believe everyone deserves privacy. And people or companies who believe it's okay to mess with your adblock filters and promote shady malware companies don't work for the same purpose.


The update page for NoScript never appears in the Tor Browser, and it seems NoScript's maintainer deleted those ads after that criticism.


They only appear when you are using IE + Windows user string.

It doesn't directly affect TOR, but the combination above is the most vulnerable people, and if the author is fine with giving them instructions for installing malware, why should a TOR user trust him? It doesn't make sense.


I see your point about TOR, but what about tails?


Because NoScript itself is fine.


And mass surveillance is only to catch the bad guys, why bother with TOR/Tails, it's only for terrorists.


They were at some point.



