Dark Reader can be detected, if not from the injection at very least from the fetching behavior. the creator of the extension states this very clearly on Github:
as you already said, extension that alter the traffic fingerprint (eg. ad-blocker or things like LocalCDN) are rather easy to identify. however I wouldnāt go as far as saying thatās an actual issue with the ad-blockers themselves: they do their job, they are just not adequate when you try to fit into a crowd hence when using tor browser; I guess the same can be said about Dark Reader: the extension is doing itās job, thereās just no way for it to hide.
tldr: extensions can be detected and thereās no way around it. while it doesnāt make them bad in general, maybe donāt use them with TB.
when did you last use it? it hasnāt been that way for me in ages.
other than websites that return a score I argue that websites that return values are not of much value if you do not know how much entropy they carry (eg. are they the same for all the people on the same OS?) or how they are handled in the browser with various mitigations. itās one thing to read a value, but itās a whole different thing to understand if and how it can be used, leave alone against a specific tool.
everything is documented on TBās official gitlab btw, people working on it know their stuff.
Firefox has a bigger userbase than Tor Browser users, and it is a pretty uncontested claim logically. Firefox has Tor Projectās code for anti fingerprinting and per site data isolation upstreamed to Firefoxās private browsing mode since the past 15-20 or so versions now.
Firefox does not have the crowd that Tor Browser has, it does not have the Tor network, RFP is not enabled by default and users will make changes to their settings. even if Firefox has the larger user base thereās no argument for Firefox having a better crowd, sadly thereās no linear correlation in this case.
yes, you can harden it, but the crowd is so small that you will not defeat advanced scripts, nor you should expect to. hardened setups are also not equal as projects like arkenfox and librewolf are going to be tweaked by users post hardening (as they very much should).
applying stylometry analysis
this is opsec and it does not strictly apply to the tool youāre using so I donāt think itās a valid argument for any of the points explained above.
as for the list you wrote:
āTB should cover all metricsā (I know you havenāt said it, I just didnāt know how to phrase it better lol) is not a safe assumption: not all metrics are equal, they do not all carry entropy nor they are all valuable fping methods. this brings us back to the initial part of this comment.
the rest of the stuff you discussed, like typing in the wrong tab etc, is mostly opsec and as I said I also value the added peace of mind, but it doesnāt make logins on Tor bad per-se. keyloggers are also a bit out of scope for this discussion imo.
tldr: TB covers enough metrics for most threat models even with JS on - naive scripts swallow the pill, advanced ones are defeated by the crowd, and donāt forget the network -, and the benefits of disabling JS are not that big.
ps thanks for getting back despite the lengthy comments, I added some edits for completeness on both sides of the discussion :-)
I just ran TBB and used deviceinfo.me to verify
ironic how this is posted below an article that says that testing websites are not reliable and that you should not read into the results unless you understand them. I donāt think this is the case, sorry about being painfully honest but I donāt want people to freak out over tests instead of reading a well written article:
You want to know what a JS enabled Tor Browser looks like? A standard Firefox private mode tab with uBlock Origin medium mode and arkenfox user.js applied.
thatās simply not true. TB has further enhancement and code changes, it is based on ESR plus itās not the same as a private window at all since private mode does not write to disk for example. most importantly tho: TB has crowd and the Tor network, thatās vital and a huge difference. a traffic analysis would also probably identify Firefox + uBO in medium mode vs TB. also, arkenfox does not try to make Firefox turn into TB, thatās clearly stated in the wiki and I would know as I am a repo admin :-)
Can the author explain me why keeping JS on is so helpful
usability, a browser with JS disabled by default is not a good everyday browser for most. the more people use Tor Browser daily and have a good experience with it, the larger the crowd gets.
All the above information I mentioned is trackable forā¦
I mean once you are subscribed, why would they want to fingerprint you? they already know who you are. when facebook operates as third party it will be isolated plus on a different circuit and with fingerprinting protection, plus (from arkenfoxās wiki):
if a fingerprinting script should run, it would need to be universal or widespread (i.e it uses the exact same canvas, audio and webgl tests among others - most arenāt), shared by a data broker (most arenāt), not be naive (most are) and not be just first party or used solely for bot detection and fraud prevention (most probably are)
I also donāt get what the difference between typing private stuff on facebook on tor or behind a vpn or on your ISPās network is. however I must say that I still understand why from a āpeace of mindā perspective it makes sense to keep stuff isolated, so as I said above mine is not really a strong opinion here.
sorry about typing a lot, but I figured this was valuable information to share, despite being nothing new.
I will start by saying that the author of the article was a tor researcher and dev so this gives some context on the content and me posting this.
which is a very risky thing to do for someone not familiar
may I ask why? I generally agree with the sentiment of the article but I donāt have a very strong opinion on this and maybe Iām missing something.
PS I donāt think the usual āI will end up in a list of people who use Torā argument is a valid one.
Preferring JavaScript stay disabled is a better choice, the next best is only allowing JavaScript when needed momentarily.
I disagree with this, itās simply overkill for 99% of the people with arguably no benefit at all. whatās there to gain?
it is likely that the app is not actually damaged, on M1 macs gatekeeper is far more aggressive and apple really wants devs to pay for notarization.
see a comment on the issue from the devs, and a possible workaround (the quarantine part for M1). as the maintainer of a project on osx I share their sentiment, itās fucked upā¦
itās about the traffic fingerprint more than anything IMO; for example, to an external observer it would be very obvious that some domains are not being loaded.
itās worth noting that all Tails users look (looked? IDK if they still ship uBO with TB) the same as they all had uBO included, so Tails had their own user bucket.