Message-ID: <53D84EDD.6080505@riseup.net>
Date: Tue, 29 Jul 2014 19:48:13 -0600
From: Mirimir <mirimir@riseup.net>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Spoofing a browser profile to prevent fingerprinting

I don't get that EFF's Panopticlick entropy and uniqueness estimates are
relevant to discussing Tor anonymity.

With the latest Tor browser in a Crunchbang 11 x64 VirtualBox VM without
guest extensions (rather unusual right there) I get 11.29 bits (one in
2,505) with default NoScript "Allow Scripts Globally". That's very close
to Ben's 12.06 bits (one in 4,260).

With NoScript toggled to "Forbid Scripts Globally", I get exactly what
Ben got: 9.05 bits (one in 529). And by the way, that's not the sum of
the individual browser characteristic results. As Joe notes, they're
mostly 1.75 bits, because Panopticlick can't determine them. And the
overall estimate seems to largely ignore them.

From the results with scripts blocked, I conclude that Panopticlick sees
the same fingerprint from all Tor browsers that have NoScript blocking
all scripts. The "one in 529" arguably reflects the share of visitors
who are using Tor browser. It says nothing about differences between Tor
browsers.

With scripts allowed globally, Panopticlick sees another 2-3 bits. I
suspect that much of the additional information is also the same for all
Tor browsers, given what I've read about Tor-specific tweaks. If that's
the case, this isn't a major issue.

What is a major issue is the risk of being exploited through a
JavaScript vulnerability. And that's why I always block scripts.

The risk from doing that, of course, is that each user will tend to
customize their NoScript profile in a distinct way. And that will allow
websites to tell them apart.

Even so, Panopticlick can't report anything about that. For that, one
would need a version of Panopticlick that's restricted to assessing and
comparing Tor browser profiles. Right?
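
The arithmetic behind the figures in this message, as an added example that is not part of the original post. It assumes the usual surprisal definition (bits = log2(N) for "one in N") and uses a constructed visitor population, not Panopticlick data, to show why a joint estimate is not the sum of per-attribute values and why a site-wide figure says nothing about differences inside the Tor browser group.

```python
import math
from collections import Counter

def surprisal_bits(one_in_n):
    """Bits of identifying information for a trait shared by one visitor in n."""
    return math.log2(one_in_n)

def fingerprint_report(population, visitor):
    """Return (joint_bits, summed_attribute_bits, anonymity_set_size).

    population: list of fingerprints, each a tuple of attribute values.
    joint_bits treats the whole tuple as one value; summed_attribute_bits
    adds the surprisal of each attribute as if they were independent.
    """
    total = len(population)
    same_fingerprint = Counter(population)[visitor]
    joint_bits = math.log2(total / same_fingerprint)
    summed_bits = 0.0
    for i, value in enumerate(visitor):
        share = sum(1 for fp in population if fp[i] == value)
        summed_bits += math.log2(total / share)
    return joint_bits, summed_bits, same_fingerprint

# Constructed sample (an assumption for illustration): attributes are
# (user_agent, plugins, fonts). Script-blocking Tor browsers all report TOR.
TOR = ("tor-ua", "hidden", "hidden")
OTHERS = [("ua-%d" % i, "plugins-%d" % (i % 7), "fonts-%d" % (i % 11))
          for i in range(1056)]
POPULATION = [TOR, TOR] + OTHERS          # 2 of 1058 visitors = one in 529

def tor_only(population):
    """Restrict the comparison set to Tor browser profiles."""
    return [fp for fp in population if fp[0] == "tor-ua"]

if __name__ == "__main__":
    for n in (2505, 529, 4260):           # the "one in N" figures quoted above
        print("one in %d = %.2f bits" % (n, surprisal_bits(n)))
    joint, summed, anon = fingerprint_report(POPULATION, TOR)
    print("all visitors: joint %.2f bits, per-attribute sum %.2f bits, "
          "anonymity set %d" % (joint, summed, anon))
    joint_tor, _, anon_tor = fingerprint_report(tor_only(POPULATION), TOR)
    print("Tor browsers only: joint %.2f bits, anonymity set %d"
          % (joint_tor, anon_tor))
```

Because the three attributes of the constructed Tor fingerprint are perfectly correlated, the per-attribute sum is three times the joint value; measured against Tor browsers only, the same fingerprint carries zero bits.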

