Message-ID: <53D2724C.8050306@gmx.com>
Date: Fri, 25 Jul 2014 10:05:48 -0500
From: Joe Btfsplk <joebtfsplk@gmx.com>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Tor Browser window size

On 7/25/2014 1:57 AM, Georg Koppen wrote:
> Joe Btfsplk:
>> On 7/24/2014 3:58 AM, Georg Koppen wrote:
>>> Joe Btfsplk:
>>>> Should TBB always start in partial window size?
>>> It depends on your available screen size. But in almost all cases, yes,
>>> TBB should always start in partial window size at least until we find a
>>> good way to deal with maximized browser windows (see e.g.:
>>> https://bugs.torproject.org/7256).
>> Thanks Georg,
>> Clearly I've forgotten or never knew why (partial) TBB window sizes can
>> be spoofed, but standard multiples for maximized TBB windows *can't* be
>> spoofed, instead.
>>
>> ? Don't a "majority" of users maximize something like browsers, for
>> general use?  I've never seen it mentioned that most users leave TBB in
>> partial screen.
>> I wouldn't think TBB (window size) would be used differently than
>> regular browsers (a result of human habit).
>>
>> I rarely see people using browsers in partial size, unless doing some
>> between app operation / comparison.  I'm talking about what the masses do.
>>>> Vanilla Firefox starts in maximized mode, if that was the state when
>>>> closed (I think).
>>>> TBB always starts in partial screen mode, even if last closed while in
>>>> full screen.  Many apps remember the last screen size.
>>>> Is there an anonymity reason to have TBB  start in partial screen?
>>> Not per se, but see https://bugs.torproject.org/7256 for the issue that
>>> still needs to get solved first.
>>>
>> I don't understand your last statement in relation to the bug you linked:
> It meant that there is no inherent anonymity reason to start TBB in
> partial screen mode. The reason we do that now is that it is the only
> way we currently can sort of guarantee that the window dimensions
> reported back to a website are properly rounded. Bug 7256 tracks one
> idea that would cover maximized windows as well.
>
> Georg
>
Thanks.  Again, Mike Perry commented in #7256,
"/...this potentially leaks information for users who maximize their 
browser windows.../"
Which raises the question, what % of users DON'T maximize (most) 
browsers they use, a good part of the time?
This all seems to ignore how a large % of users actually use a browser.

But, Mike says maximizing browser window potentially leaks info (as if ? 
most users don't maximize?); you say, "not per se."

I read #7256 several times & other related bugs.  Many have reported, in 
several bugs, their TBB testing results under various scenarios at 
different browser testing sites.

Using TBB maximized - significantly - increases fingerprinting entropy 
for screen and / or window size, for me & others reporting on it.

Enabling JS for the current page's domain - only - increases total bits 
of identifying info (bits ii) for TBB way, *way over* the threshold of 
33 bits ii, that EFF.org says is needed to accurately identify a user 
(their browser, device) at different websites.

Yet, unless only visiting sites like blogs, most sites now perform 
poorly w/o JS enabled in NoScript, at least for their own domain (no 3rd 
party).
So, you can turn off JS & be much more anonymous, but not be able to use 
a huge part of sites.  Or judiciously turn JS on & be identifiable.  
Does that about sum it up?
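
[Added example, not part of the original message and not Tor Browser's own code: a sketch of why rounding the reported window size lowers the bits of identifying information compared with maximized windows. The 200x100 step, the 1000x1000 cap and the eight sample sizes are assumptions constructed for illustration; the thread only says the dimensions are "properly rounded".]

```javascript
// Assumed bucket step and cap (hypothetical values, not taken from the thread).
const STEP_W = 200, STEP_H = 100, MAX_W = 1000, MAX_H = 1000;

// Largest bucketed size that fits inside the available content area.
function roundedWindow([availW, availH]) {
  const w = Math.min(MAX_W, Math.floor(availW / STEP_W) * STEP_W);
  const h = Math.min(MAX_H, Math.floor(availH / STEP_H) * STEP_H);
  return [w, h];
}

// Count how many users report each "WxH" value to a website.
function histogram(sizes) {
  const counts = new Map();
  for (const [w, h] of sizes) {
    const key = `${w}x${h}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy (bits) of the reported-size distribution.
function entropyBits(sizes) {
  let bits = 0;
  for (const n of histogram(sizes).values()) {
    const p = n / sizes.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Bits of identifying information one user reveals by reporting `size`.
function surprisalBits(sizes, [w, h]) {
  const n = histogram(sizes).get(`${w}x${h}`) || 0;
  return n === 0 ? Infinity : -Math.log2(n / sizes.length);
}

// Constructed sample: content-area sizes of eight maximized windows, which
// differ by screen resolution, taskbar height and toolbar layout.
const maximized = [
  [1366, 657], [1366, 663], [1440, 789], [1600, 795],
  [1280, 913], [1920, 969], [1920, 1003], [1680, 1010],
];
// The same eight users if each window were snapped to the assumed buckets.
const rounded = maximized.map(roundedWindow);

console.log("maximized:", entropyBits(maximized).toFixed(2), "bits");
console.log("rounded:  ", entropyBits(rounded).toFixed(2), "bits");
```

[In this sample every maximized window is unique (3 bits among 8 users), while rounding collapses them into 4 shared sizes (2 bits). In a larger population the gap widens, because maximized sizes keep diverging while the number of buckets stays fixed.]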


