Delivery-Date: Tue, 29 Jul 2014 05:11:57 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED,FREEMAIL_FROM,RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID
	autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 566DF1E042E
	for <archiver@seul.org>; Tue, 29 Jul 2014 05:11:55 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 5C29B2FAEE;
	Tue, 29 Jul 2014 09:11:53 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 1B5D0305DF
 for <tor-talk@lists.torproject.org>; Tue, 29 Jul 2014 09:00:17 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id VQ4aE1bzwyH4 for <tor-talk@lists.torproject.org>;
 Tue, 29 Jul 2014 09:00:17 +0000 (UTC)
Received: from mail-we0-x233.google.com (mail-we0-x233.google.com
 [IPv6:2a00:1450:400c:c03::233])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id BEAAD3047C
 for <tor-talk@lists.torproject.org>; Tue, 29 Jul 2014 09:00:16 +0000 (UTC)
Received: by mail-we0-f179.google.com with SMTP id u57so8563591wes.24
 for <tor-talk@lists.torproject.org>; Tue, 29 Jul 2014 02:00:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=message-id:date:from:user-agent:mime-version:to:subject:references
 :in-reply-to:content-type:content-transfer-encoding;
 bh=+v0vg0a2cPCwCguhlEJm4GiTAgOFyS5UFhZoqR8Y8WA=;
 b=I6rUDm85j1fMssZxKNOj1iZKEpjCwQnmgArYNVsH4lrwg7WIMLTnHGxj6aC37LiloV
 JM05lUfwZ/Q03hpNCbMfebn46ciwwUdB7SFo846xOIXwaguTEMhem4aCBytbGfSR0uhS
 kUMpxmOW669ps8t7TY/g3J+xEjWa5yB3yR4uPMtNb18lZsYb75SY0KakuJ2Kf0ef2+P+
 ijyTmkfp8Nwa3J0hZ4GS4CZA2aaiTZwr4wke9KLkPkr9ASPx6NUDD/89FtpkTuHe7kGi
 63xo+6A0evW9idvSlj+dulrq1rHU2sE4FkUjg6AYUyPN4VT1U9gjfdF52tbe5z8BNlrT
 XG8g==
X-Received: by 10.180.39.73 with SMTP id n9mr4179883wik.70.1406624412377;
 Tue, 29 Jul 2014 02:00:12 -0700 (PDT)
Received: from [192.168.1.11] (ANice-652-1-287-104.w86-203.abo.wanadoo.fr.
 [86.203.222.104])
 by mx.google.com with ESMTPSA id ca8sm15071723wjc.0.2014.07.29.02.00.11
 for <tor-talk@lists.torproject.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Tue, 29 Jul 2014 02:00:11 -0700 (PDT)
Message-ID: <53D7629D.2090701@gmail.com>
Date: Tue, 29 Jul 2014 11:00:13 +0200
From: Aymeric Vitte <vitteaymeric@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3;
 rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <53D3F004.6070209@yandex.ru> <53D412F9.4030107@googlemail.com>
 <53D6B3F0.8030706@yandex.ru> <53D6E666.9070108@gmx.com>
In-Reply-To: <53D6E666.9070108@gmx.com>
Subject: Re: [tor-talk] Spoofing a browser profile to prevent fingerprinting
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

If think the issue is quasi unsolvable, unless you request "the Web" to =

revert to something clean and remove whatever it has invented to track =

and fingerprint you, that's not really an issue about js, that's an =

issue about major specifications leaded by major companies specifying =

what fit to their needs.

Or unless you use something like http://www.ianonym.com, it was designed =

to defeat all forms of tracking/fingerprinting with the fake domain =

concept and hide your destination even with https.

Since it takes control over the whole web page, the js interactions are =

sandboxed with a script to "tame" the page, a prototype was working but =

maybe it's a bit too complicate...

Regards


Le 29/07/2014 02:10, Joe Btfsplk a =E9crit :
> On 7/28/2014 3:34 PM, Craw wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Thank you for your answer!
>>
>> I've just thought a bit about various methods to prevent
>> fingerprinting browser profile (incl. UA/screen resolution/time
>> zone/fonts/etc.), and here is two ways I've found:
>>
>> a) all tor-users have the same browser profile
>> b) all tor-users have random temporary browser profile
>>
>> In my opinion our current strategy to reduce among all tor-users
>> fingerprintable differences is correct. In such case the only that can
>>   an attacker do to determine one user from other is their Tor IP
>> address, but if you will often change between them it becomes
>> impossible for the attacker.
>> And for variant b), it's much easier to do. A lot of users connect to
>> web-sites from one exit-relay and have the same Tor IP address, but
>> different profiles. So even if you will randomly generate new profile
>> every minute, you have your unique profile so the attacker can easily
>> determine: this actions made by different users. In contrary, when
>> everybody has the same profile, it's much harder to do.
>>
>>
> This is all interesting, but I'm still concerned that the use / non =

> use / intermittent use of java script still stares TBB users in the face.
>
> And it seems like the family secret no one wants to discuss.
> As outlined in the TBB FAQ, there are distinct drawbacks - no matter =

> how js is approached.
> Whether it's always allowed, (almost) never allowed, or configured per =

> site - all 3 have distinct cons.
>
> One problem is, there's no "ruling" from Tor devs.  One reason for =

> that is disabling it breaks lots of sites.
>
> But unless the MUCH greater amount of fingerprinting data that's =

> available when JS * IS * enabled is not enough to be concerned about =

> (I can't imagine that), then it may not matter how well * some *other =

> data are concealed.
> Plus, unless you go to only a few sites that require no JS, you have =

> to turn it on - at least some.
> But, enabling JS allows sites to get FAR more info & allows trackers =

> to compare that fingerprint to other sites you visit (unless you =

> change the fingerprint between each site).
>
> And supposedly leaving JS off (if possible) distinguishes you from =

> other TBB users that leave NoScript at the default setting.
>

-- =

Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

-- =

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

