Delivery-Date: Mon, 28 Jul 2014 20:12:00 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
	FROM_LOCAL_NOVOWEL,RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD autolearn=ham
	version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id DC6371E0DEC
	for <archiver@seul.org>; Mon, 28 Jul 2014 20:11:58 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 5DA6E2E92E;
	Tue, 29 Jul 2014 00:11:58 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id A111A2FE57
 for <tor-talk@lists.torproject.org>; Tue, 29 Jul 2014 00:10:39 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 0r6MNeGitEh2 for <tor-talk@lists.torproject.org>;
 Tue, 29 Jul 2014 00:10:39 +0000 (UTC)
Received: from mout.gmx.com (mout.gmx.com [74.208.4.200])
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id 77D212FD17
 for <tor-talk@lists.torproject.org>; Tue, 29 Jul 2014 00:10:39 +0000 (UTC)
Received: from [127.0.0.1] ([99.190.181.188]) by mail.gmx.com (mrgmxus001)
 with ESMTPSA (Nemesis) id 0LaX29-1WmB191hGh-00mGYR for
 <tor-talk@lists.torproject.org>; Tue, 29 Jul 2014 02:10:36 +0200
Message-ID: <53D6E666.9070108@gmx.com>
Date: Mon, 28 Jul 2014 19:10:14 -0500
From: Joe Btfsplk <joebtfsplk@gmx.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64;
 rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <53D3F004.6070209@yandex.ru> <53D412F9.4030107@googlemail.com>
 <53D6B3F0.8030706@yandex.ru>
In-Reply-To: <53D6B3F0.8030706@yandex.ru>
X-Provags-ID: V03:K0:9iITogaBOt/kXmDqmwke6qCDNLCIvem+F3ZY416PEjp1L8I+t4k
 BYVFs/IIaKf0N/MY01x1x8PguED9DtuMs1y68E6W+dTqD1QeNbd7JvDPoQeHm00jVDZxW0M
 UaGTD3074FnCAgnA8H65gW4GxX2ku/Alv9YRpFJQ41lfYGyZ27dW+YBiDNc81a7wYaQ9PHw
 RIm/SdRj+p+WNIreXqV2Q==
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: Re: [tor-talk] Spoofing a browser profile to prevent fingerprinting
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On 7/28/2014 3:34 PM, Craw wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Thank you for your answer!
>
> I've just thought a bit about various methods to prevent
> fingerprinting browser profile (incl. UA/screen resolution/time
> zone/fonts/etc.), and here is two ways I've found:
>
> a) all tor-users have the same browser profile
> b) all tor-users have random temporary browser profile
>
> In my opinion our current strategy to reduce among all tor-users
> fingerprintable differences is correct. In such case the only that can
>   an attacker do to determine one user from other is their Tor IP
> address, but if you will often change between them it becomes
> impossible for the attacker.
> And for variant b), it's much easier to do. A lot of users connect to
> web-sites from one exit-relay and have the same Tor IP address, but
> different profiles. So even if you will randomly generate new profile
> every minute, you have your unique profile so the attacker can easily
> determine: this actions made by different users. In contrary, when
> everybody has the same profile, it's much harder to do.
>
>
This is all interesting, but I'm still concerned that the use / non use 
/ intermittent use of java script still stares TBB users in the face.

And it seems like the family secret no one wants to discuss.
As outlined in the TBB FAQ, there are distinct drawbacks - no matter how 
js is approached.
Whether it's always allowed, (almost) never allowed, or configured per 
site - all 3 have distinct cons.

One problem is, there's no "ruling" from Tor devs.  One reason for that 
is disabling it breaks lots of sites.

But unless the MUCH greater amount of fingerprinting data that's 
available when JS * IS * enabled is not enough to be concerned about (I 
can't imagine that), then it may not matter how well * some *other data 
are concealed.
Plus, unless you go to only a few sites that require no JS, you have to 
turn it on - at least some.
But, enabling JS allows sites to get FAR more info & allows trackers to 
compare that fingerprint to other sites you visit (unless you change the 
fingerprint between each site).

And supposedly leaving JS off (if possible) distinguishes you from other 
TBB users that leave NoScript at the default setting.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

