[tor-talk] Spoofing a browser profile to prevent fingerprinting
Joe Btfsplk
joebtfsplk at gmx.com
Tue Jul 29 18:29:22 UTC 2014
On 7/29/2014 12:16 AM, Ben Bailess wrote:
> There are some built-in protections in TBB that keep honored requests for
> known fingerprinting data to a minimum, so the TBB does not function like a
> normal browser in this instance.
>
> It most notably limits the high entropy factors -- responses for fonts and
> plugin microversions. And as long as you obey the nice Tor devs and don't
> install any additional plugins, then plugin microversions won't be
> unique/identifiable either. *So enabling JS really isn't quite as big* of a
> step out into the light as it would be in say Chromium or Firefox, which
> has no protections against HTML5 canvas fingerprinting (or anything by
> default) for instance.
[Emphasis Added]. Don't know about enabling JS not being "big."
This isn't a "feeling" topic or discussion (general statement, not aimed
at anyone).
Either we use facts (as best understood) to make decisions on this, or
we don't.
I'm no expert on fine details of this, but over a long time of checking
TBB, Firefox, JonDo Fox, etc., on multiple test sites, it's always clear
that far more info is available when JS is enabled.
The EFF says ~ 33 bits of identifying info (ii) are needed to accurately
identify the same browser / machine at multiple sites.
Even if that's just a ball park figure, when I visit Panopticlick,
BrowserSpy.dk & others (many times, many browser versions, spread out
over a yr +) , the difference in bits ii when JS is enabled or disabled,
goes from well below 33 bits (in mid 20's) to well over 40 bits.
It's the same in vanilla Fx.
In vanilla Fx & NoScript - JS disabled, test sites might show * 24 bits
of ii *. Nearly as good as TBB w/ JS disabled. Well under EFF's
threshold to accurately identify a browser / device.
Enable JS in vanilla Fx & it shoots to * > 43 bits ii * (again,
essentially the same as TBB under same scenario).
That appears to mean that vanilla Fx & NoScript w/ JS disabled, is no
more * identifiable * as "the same browser" than TBB w/ JS disabled.
So either EFF's (& others) estimation on what's needed to identify a
browser is considerably off, or enabling JS is a * BIG * deal.
>
> So if allowing at least some JavaScipt is inevitable, then I think the Tor
> devs have the right idea -- assume that some use of JS is a foregone
> conclusion and protect the users from the additional exposure to
> fingerprinting in a way that makes them all look as similar as possible.
>
> If the user prefers to have more privacy / security by forsaking some
> anonymity by disabling JavaScript and thereby making him/herself
> identifiable as a smaller subset of overall Tor Browser users, that's
> his/her option.
Yes, in a smaller subset. But, what good is being in a larger set of
Tor users (that leave JS enabled), if doing so allows sites / trackers
to clearly identify the same browser at multiple sites, or even end to
end of Tor circuits, for advanced adversaries?
"Hiding" in a crowd, where you're still clearly identifiable doesn't
make much sense.
Back to one main school of thought: * an adversary needs X bits of
identifying info * to accurately identify the same browser at multiple
sites, or end to end in Tor circuits.
Do you want to be in a large crowd, where everyone reveals well over the
required bits ii needed to accurately identify each one?
Or be in a smaller crowd, but users can't be individually identified -
end to end, or site to site?
Unless this business of "necessary bits of identifying info to identify
the same browser" is inaccurate & blown out of proportion.
That's where I have to rely on * real * experts. Not on feelings or
supposition.
Either the results from repeated tests I've done, separated by many
months, are meaningful or they're not.
Either ~ 33 bits of info (or anything close) will allow identifying a
browser, or it won't.
> But in that instance, said user should probably be using
> Tails to remedy those sorts of problems since Tails addresses even more
> fingerprinting issues.
>
If Tails, or any other means is needed to provide anonymity (while still
being able to actually use the web), then those should be a part of Tor
/ TBB.
Unless the only goal is to hide destinations from ones ISP, then
providing only part of what's needed in TBB for reasonable anonymity is...
*"Here's a browser / network that'll hide your IPa. BTW, if you use it
w/ JS, you can be identified at each end of a circuit and at each website."*
More information about the tor-talk
mailing list