[tor-talk] Spoofing a browser profile to prevent fingerprinting
Georg Koppen
gk at torproject.org
Wed Jul 30 06:44:40 UTC 2014
Mirimir:
> With scripts allowed globally, Panopticlick sees another 2-3 bits. I
> suspect that much of the additional information is also the same for all
> Tor browsers, given what I've read about Tor-specific tweaks. If that's
> the case, this isn't a major issue.
That's not necessarily the case. But anyway, the current Panopticlick is
not a good way to test for Tor Browser uniqueness[1] (and see below).
> What is a major issue is the risk of being exploited through a
> JavaScript vulnerability. And that's why I always block scripts.
Note that we disable a bunch of JIT-related preferences to mitigate that
risk[2] and are investing efforts in getting hardened builds deployed[3].
> The risk from doing that, of course, is that each user will tend to
> customize their NoScript profile in a distinct way. And that will allow
> websites to tell them apart.
>
> Even so, Panopticlick can't report anything about that. For that, one
> would need a version of Panopticlick that's restricted to assessing and
> comparing Tor browser profiles. Right?
Yes. There are plans for one which is helpful in this regard[4][5].
Georg
[1] https://bugs.torproject.org/6119
[2] https://bugs.torproject.org/9387#comment:17
[3] https://bugs.torproject.org/10599
[4] https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick
[5] https://lists.torproject.org/pipermail/tor-dev/2014-March/006486.html