[tor-talk] Spoofing a browser profile to prevent fingerprinting
Craw
paulus.smirnov at yandex.ru
Sat Jul 26 18:14:28 UTC 2014
Hello everybody,
You know, there are various methods of fingerprinting a browser.
Plugins and plugin-provided information are still the most useful in
uniquely identifying a browser, but there is also some other
information that can be used to fingerprint a Tor user, like user
agent, screen resolution, time zone, etc.
I think it can be helpful to spoof the real browser profile with a random
temporary one. Each browser profile includes user-agent (browser
name/version), platform (OS name/version), screen resolution, time
zone (depends on the country of an exit relay, so, perhaps, a mismatch
can cause suspicion?). So, my suggestion is to generate a random browser
profile during each identity session, or randomly switch them after a
chosen period of time has expired. By doing this, some important info
about users will be unreachable for an attacker and fingerprinting
will be more difficult.
Here's a link to the open-source repository of a Firefox add-on whose code
we can use for Tor Browser -
https://github.com/dillbyrne/random-agent-spoofer
Also I suggest to:
- forbid HTML5 Canvas by default
(http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf)
- use only standard font set (can be used for fingerprinting)
- set network.http.sendRefererHeader value "0" by default (allows
sites to track referer, but some sites can be broken! add ability to
switch on/off referer?)
Let me know about your thoughts,
Looking forward to hearing from you, Pavel.
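
An added illustration of the per-session profile idea in the message above; it is not part of Pavel's post and not code from random-agent-spoofer or Tor Browser. It is a Node.js example in which the profile table, its values, and the names `randomProfile`, `isCoherent` and `ProfileSession` are all constructed assumptions. It draws user agent, platform and screen size from one table entry so they agree with each other, and rotates the profile on a new identity or after a chosen period.

```javascript
const crypto = require('crypto');

// Constructed sample table: each user agent is tied to the platform value and
// screen sizes that plausibly accompany it, so fields are never mixed freely.
const PROFILES = [
  { platform: 'Win32',
    userAgent: 'Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0',
    screens: ['1366x768', '1920x1080'] },
  { platform: 'Linux x86_64',
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0',
    screens: ['1280x1024', '1920x1080'] },
  { platform: 'MacIntel',
    userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Firefox/24.0',
    screens: ['1440x900', '2560x1440'] },
];

const pick = (list) => list[crypto.randomInt(list.length)];

// Build one profile. tzOffsetMinutes is supplied by the caller (assumption:
// it is chosen to agree with the exit relay's region, the mismatch the post asks about).
function randomProfile(tzOffsetMinutes) {
  const base = pick(PROFILES);
  return { userAgent: base.userAgent, platform: base.platform,
           screen: pick(base.screens), tzOffsetMinutes };
}

// True only if all fields could come from one table entry. A spoofer that
// randomizes each field independently fails this, and a site can run the same check.
function isCoherent(p) {
  return PROFILES.some((b) => b.userAgent === p.userAgent &&
    b.platform === p.platform && b.screens.includes(p.screen));
}

// Holds the current profile and replaces it on a new identity or after maxAgeMs.
class ProfileSession {
  constructor(maxAgeMs, tzOffsetMinutes, now = Date.now()) {
    this.maxAgeMs = maxAgeMs;
    this.tz = tzOffsetMinutes;
    this.newIdentity(now);
  }
  newIdentity(now = Date.now()) {
    this.profile = randomProfile(this.tz);
    this.createdAt = now;
  }
  current(now = Date.now()) {
    if (now - this.createdAt >= this.maxAgeMs) this.newIdentity(now);
    return this.profile;
  }
}
```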