browser fingerprinting - panopticlick

7v5w7go9ub0o 7v5w7go9ub0o at gmail.com
Sat Jan 30 17:42:51 UTC 2010


Andrew Lewman wrote:
> On 01/29/2010 08:20 PM, 7v5w7go9ub0o wrote:
>> As we slowly transition to web 2.0, probably the next step is 
>> putting the TOR browser in a VM full of bogus, randomized 
>> userid/sysid/network information - carefully firewalled to allow 
>> TOR access only (TOR would be running somewhere outside the browser
>>  VM).
> 
> Already working on that, https://www.torproject.org/torvm/ or pick a
>  live cd with tor integrated into it.
> 

Good to see these projects being developed. IIUC, the TORVM is a tor client;
so the TORVM is designed for easy installation, and perhaps to contain
any exploit of TOR!?

Guess I was thinking of a different approach: putting Firefox in a VM
and just letting it go ahead and get crazy with flash, JS, cookies (.. I
have tired of tweaking NoScript, RequestPolicy, and CS Lite all the
time.....).   TOR is running in a chroot jail on the "regular" OS,
connected by network.

JS/Flash will presumably look for unique or geographic information
within the VM and will get only bogus stuff which is cleaned and
randomized every few minutes, along with cookies and caches. DNS is
"unbound", elsewhere on the internal network, and has protection against
many of the "DNS tricks". FWICT the obtainable network information all
reflects the virtual Ethernet.

Any "infections" would be temporary, as the VM is set to make temporary
changes only; am using VNC to control it and to transfer any permanent
data back and forth between it and the "regular" OS.

I suspect others have similar approaches under way!?   It would be nice
to have a list somewhere of all of the "compromising" files and data
available to flash/silverlight/JS - by OS - so that those running VMs
know what to randomize (I presume Linux would be easier to contain than
Windows).









***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/



More information about the tor-talk mailing list