News Feed
  • DrugHub has agreed to fully refund all users who lost money in the SuperMarket exit scam.  
  • Retro Market has gone offline. Circumstances of the closure unknown.  
  • SuperMarket has closed following an exit scam by one of the admins.  
  • The admin of Incognito Market, Pharoah, has been arrested by the FBI several months after exit scamming.  
  • Silk RoadTorhoo mini logo
  • darknet markets list
  • Popular P2P exchange LocalMonero has announced it is closing.  

About:Config Configuration : OpSec | Torhoo darknet markets

Aware that I need to turn:
"javascript.enabled" __ from "true" to "false"

What else do I need to do?

Looking for the best OPSEC help

Aware that it changes slightly with each Tor update
/u/spacecake
4 points
6 days ago

1
Awards Received
Bag of Sand
1
/post/8efe6154e761c03f6fbb
Be aware that changing much skews your fingerprint and makes you stand out.
It's a tradeoff between security and blending in.
/u/Cornucopia
1 points
6 days ago
+1 to this
/u/Silent_Cal 🍼 P
1 points
6 days ago
Thank you for qualifying that. Probably better to fit in than stand out.
/u/spacecake
1 points
6 days ago
There was never a one-size-fits-all solution but one must make an informed decision as to what fits best his threat model.
/u/CoffeeRuns223 📢 🍼
1 points
6 days ago
What is the best way to go about evaluating my threat model?
/u/spacecake
1 points
6 days ago*
Ask yourself the questions:

Who is my potential adversary ?
LE, oppressive government, three letter agencies, scammers, doxxers....

What is your profile ?
Buyer, bulk buyer, shitposter, vendor, bulk vendor, market operator, pedo scum, terrorist...

These all will have to incorporate different opsec measures.
/u/AutoModerator M
1 points
6 days ago
[removed by moderators]
/u/spacecake
1 points
6 days ago
I'll just hit the blunt, Automod.
Thank you !
/u/Ghwbushsr
1 points
6 days ago
i always thought js was disabled in "safest" mode. so it's actually enabled? wtf

would it not be better to not be able to be fingerprinted in the first place with it disabled?
/u/spacecake
1 points
6 days ago
Yes, it stays enabled even in safest mode.
It is only partially disabled without explicitly setting "javascript.enabled" to "false".
You probably forget that we are just a tiny fraction of Tor Browser's user base.
Disabling javascript by default will break a lot of stuff - think sites that are not specifically designed with not using javascript in mind.
And ultimately that would interfere with the whistleblowers and people from oppressive regimes etc ability to surf the web - the majority of the user base.
/u/Ghwbushsr
1 points
6 days ago
i mean at the end of the day you can always enable shit as you go for certain pages that you need it
/u/spacecake
1 points
6 days ago
True that.
But if you went overboard with the settings it could take quite a while to find what breaks which lol
/u/Ghwbushsr
1 points
6 days ago*
I was just thinking that one single setting

also, there's a box to check "show only modified."
/u/CoffeeRuns223 📢 🍼
1 points
6 days ago
Thank you for linking this post but I have already seen it
It is over 7 months old and some cmds no longer exist and was hoping to see an updated list for max OPSEC measures

That said I also am curious if disabling java like said in the post and putting tor on the safest setting enough for basic use?
/u/spacecake
1 points
6 days ago*
Yes, it's a bit old but most of the settings mentioned are still valid.
To my knowledge there is no other more current list.

was hoping to see an updated list for max OPSEC measures

If you want to really go down that rabbit hole it would involve custom hardening and tweaking with settings from projects like arkenfox.js on github and Librewolf.
That would bring much more security but also means that ultimately you will stand out like a sore thumb.
That custom config will have super unique fingerprint.

It all boils down to what you want to achieve - blend in or be more resistant to niche attack vectors.

That said I also am curious if disabling java like said in the post and putting tor on the safest setting enough for basic use?

Yes, that would be enough for basic use, shopping and casual communication on Dread.
Make sure WebRTC and WebGl are disabled for a good measure too if you feel especially paranoid :P
I think WebRTC actually should be disabled by default.
/u/bulgurspied 🍼
1 points
6 days ago
Hello,
which webrtc and webgi to disable please?
/u/spacecake
1 points
6 days ago
webgl.disabled = true
webgl.disable-wgl = true
media.peerconnection.enabled = false
/u/deanonymize 🍼
1 points
6 days ago
Turning off javascript.enabled is a start but don't stop there.

Most fingerprinting comes from the combination of settings, not single ones. If you start changing too much in about:config, you create a unique fingerprint that stands out more than the default.

Tor Browser is hardened by design. If your threat level is high, better to disable JS completely and avoid all JS-reliant sites. Otherwise, stay within security level "Safer" or "Safest" in Tor settings it disables JS per site anyway.

Other config keys people mess with (and shouldn't unless they fully understand implications):

webgl.disabled = true

media.peerconnection.enabled = false (disables WebRTC)

media.navigator.enabled = false

geo.enabled = false

network.http.referer.XOriginPolicy = 2

privacy.resistFingerprinting = true (enabled by default)

Do NOT modify config unless you're running isolated, non personal VM environments. Custom tweaks are fine inside Whonix or Tails, but if you use your daily driver, you risk leaking everything.

If you're paranoid, do this:

Use Tails for buys (burn session)

Use Kicksecure/Whonix for persistent ops

Never store anything on disk

Never use bookmarks or logins

And don't overestimate about:config OpSec is the full stack, not browser tweaks.

Stay sharp.
  • Sponsors
VigorSwap Instant Crypto Exchange
FraudGPT

  • Explore Torhoo!

© Torhoo! 2025

All links are for educational and research purposes only. Torhoo! does not vouch for any site.

Advertise on Torhoo