[tor-talk] Making TBB undetectable!

[Spencer]

Hi,

>> 
>> Spencer:
>> Is a 'Natural Fingerprint' like a clearnet fingerprint, in that it 
>> identifies you as
>> a regular, >non-tor, internet user, making you part of the larger 
>> herd?
>> 
> 
> behnaz Shirazi:
> I don't understand what do you mean by “clearnet fingerprint” ?
> 

I have been defining fingerprint as any bit of info that can identify 
you, which can be any number of things.  I have been defining clearnet 
fingerprint as the identifying bit of info defining someone as a 
clearnet user, such as a common User Agent.

> 
> Fingerprint is generated locally inside the browser, it is about TBB
> not the onion routers.
> 

This would be a Tor Browser fingerprint, but I understand you mean 
fingerprinting of Tor Browser to differentiate between Tor Browser 
users.

> 
> Connecting to a website directly or via a
> public Tor exit node as proxy gives one bit of information (true or
> false flag) to destination website but we don't include this bit in
> the fingerprinting attack.
> 

By choice, though, yeah?  It still seems valuable.

>> 
>> I see this as a blocker, as this add-on is most likely detectable, 
>> yeah?
>> 
> 
> As far as I know you can't fetch installed Add-ons by javascript, it
> only works for plugins. Detecting
> Add-ons is done by side channel attacks.
> 
> We just change details a browser return to calls in a way that caller
> can't recognize it is telling the truth or not.
> of course it
> won't cause a detection if user choose a mobile device profile
> 

Interesting.

You should draft this into a proposal, with some visuals of the 
interface and experience flows, and submit it to the list in search for 
a developer, unless you can bust this out yourself?  I can help anyway 
that I can.  If you are interested, hit me up off-list.

Otherwise, unless there is something more tangible, I feel like people 
will keep arguing that Tor is fine as-is :)

Wordlife,
Spencer