Flash Player, JavaScript and Adds-on: Dark Web Privacy

Flash Player, JavaScript and Adds-on: Dark Web Privacy

According to the Tor Project itself, one of the main reasons you should not start installing Adds-on in your Tor-Browser is because you would be breaking the very logic of a system that keeps itself anonymous by the very fact that everyone there was meant to have the very same fingerprint.

No, Tor was not designed to be a criminal’s heaven – and whoever wants to use Tor network for a criminal purpose must face this huge trade off:

One has made oneself a target already. Now, either one accepts the Intelligence Agencies attack on the default-system and trusts the attribution problem created by Tor itself, or one creates a set of specific configurations that are, due to their very manually edited specifications taken out from a criminal forum, able to give an even greater methodology for intelligence to explore.

Let the criminals organize, but do keep track of it: Their specifications are willing to become unique, so unique to be able to say where did one took that from. A matter on how open-source and open-published social engineering is designed.

Despite all that, there are two very particular questions that Tor Project asks its users:

a) Do you really want this graphics?

b) Do you really want more privacy?

And here things become slightly interesting: when we talk about Tor and Dark Web, we talk about a paradigm that is the very opposite from, for example, Mozilla and the Surface Web.

In Mozilla, we are all unique until we install a (trusted please!) Adds-on – mixing ourselves, through them, with other users using the very same functionality.

Are you familiar with this logic? This is one of the very reasons the Tor-Browser is still free and VPNs still need a certain market share to be deemed reliable.

In Tor, we are all equal – until we make ourselves unique through either a specific Adds-on or (also!) a specific configuration. And, in the criminal side of the Dark Web (all Tor is Dark, even though not every darkness is criminal), the SOC Teams have controlled the threats in a highly customized way and which shall meet criminal’s own necessities.

Let have a closer look, so, in what Tor interpret (generically speaking) as a threat, making sure to translate the message from ActionScript, JavaScript or whatever to English.


According to Tor Project, even though all Adds-on compatible with Mozilla Firefox shall also be compatible with the Tor Browser, installing any additional Adds-on while surfing on Tor is not recommended.

When we are talking about cybersecurity and privacy, a single contradictory configuration is all you need to anonymize you. And, in Tor’s case, this configuration is exactly the JavaScript – which is not disabled by default in Tor Browser and, as such, is dependent on a new and manual click.

The problem is, as such, not with the JavaScript itself but with how it can be abused. As a Dark Web CSAM forum comments, the JavaScript is even so not exposing your IP. Notwithstanding, it is not only of IPs that the Intelligence is made of. For social engineering purposes, some things are still even more interesting and less legally problematic than the IPs. For Tor, IPs are by default dead (as long as you walk wisely through Tor), and we must not forget it.

Codes written in JavaScript language may check for particular features that indicate the presence of a specific Adds-On if they know how particularly that Add-on behaves – what justifies, if you are not blocking Java-Script, why you can still see a warning message such as “We have detected you are using AdBlock. Please whitelist this website in order to keep surfing” while surfing the Web. At the end of the day, the mechanics here are no different from the “We collect cookies. Please accept all of configure it manually in order to keep navigating”.

But, even if your JavaScript is disabled, there are still two very particular features that makes Adds-On non-recommendable by Tor Project:

a) There is no one officially checking those – so to be able to guarantee that, indeed, the Adds-on in case is not a keylogger. As someone comments in a cybersecurity forum, “if an extension has permission to read everything in a page, that can include anything entered into the page”. Your trust on the adds-on is the only thing that makes it differently from a keylogger.

b) You are not reading the Privacy Policy of those either – specially if you consider that, usually, one of the very conditions you accept is ‘allowing the adds-on to read data in all your websites you visit’. That means, already, that you should have at least a vetting policy for Adds-on.

For sure: How can any Adds-on block or perform anything if it does not know where (the remote server problem) the command shall be sent to? The issue here is no different from the so-called VPN logs.

Knowing where, exactly, in the geography of cyber things, all this process is taking place in your Browser should help user better accessing the logics of what they are about to do – if only, whoever reads ActionScript, JavaScript and codes in general were up to translate it into a non-coded language.

And here comes the complex computer architecture:

How do Adds-On interact with each other is the first question one should ask, so to be able to find out how your command line is solving (who knows if not by a simple matter of timelines) contradictory instructions.

Considering that, Adds-On may be the most handy solutions, but not necessarily the most privacy protective one. Why installing a Tor Adds-on when you could simply and more privately handle a Tor Proxy, for example? Thinking deeper about it but, you are also doing something similar when you allow your Antivirus accessing your disk

Flash Player

According to Tor Project itself, together with the BitTorrent and other peer-to-peer software enabled together with the Tor Browser, Flash Player (yes, the very Flash Player involved in the Cookies polemic) is another way to compromise your privacy on Tor. As BitTorrent, Flash Players also starts a parallel connection in order to operate – a connection that may, indeed, expose your IP address.

Do not forget that behind Tor there is still a Mozilla and that beyond Tor it is still your own computer with your own exposed IP address – things that are commonly mentioned as “Tor’s failures”.

So dangerous is the Flash Player that Tor Project has decided to disable it by default, even though letting you still enable it if you want to, if your privacy knowledge is poor enough to do that or if the social engineering campaign is good enough to convince you to do that.

As JavaScript, Flash Player is also related to graphics (video players, more specifically) – which may justify things like:

a) Why criminals working with video files (such as the Child Sexual Abuse Materials – CSAM ones) actually work with the download of CSAM files – and against their own forensic interest.

The Flash-Player IP case might justify why, for example, some very particular kind of criminals manage the Flash-Player by running it locally, rather than simply abandoning it.

Curiously enough, there is another TCP/UDP discussion that Dark Web criminals will start to try to convince each other why they should be involved in any illegal Live-Streaming.

b) Why YouTube does not play in your Tor Browser – making it another very interesting point for a targeted social engineering

c) Why despite hosting one of the most intelligent IT people of this world, the Dark Web is still a place with a very poor graphics


The Tor case is one of those very curious cases that hold the citizen’s eye open almost with a toothpick. Neither Tor nor Tails are magic: And both of them are not responsible for the fact that you do not read ActionScript nor are able to clearly understand how a Browser interacts with an Operating System.

And, in cyber awareness matters, we are still not talking about computer architecture – something that shall be deemed far more simple than explaining people about JavaScript or alike. The code-based social engineering is just ready to be born.

Think about it.