Message-ID: <53D89458.2090202@torproject.org>
Date: Wed, 30 Jul 2014 06:44:40 +0000
From: Georg Koppen <gk@torproject.org>
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <53D3F004.6070209@yandex.ru> <53D412F9.4030107@googlemail.com>
 <53D6B3F0.8030706@yandex.ru> <53D6E666.9070108@gmx.com>
 <CACf9JSVq5GT+GEysOs0oGBBUy52Nq3XpWsL4j4FD0EAk9RDuPw@mail.gmail.com>
 <53D7E802.8020700@gmx.com>
 <CACf9JSXgFag6Ky3F+TmTqqsx2ScpJTggnU-FDz9yd4zAX=qM1Q@mail.gmail.com>
 <53D83740.7050901@gmx.com> <53D84EDD.6080505@riseup.net>
In-Reply-To: <53D84EDD.6080505@riseup.net>
Subject: Re: [tor-talk] Spoofing a browser profile to prevent fingerprinting
Content-Type: multipart/mixed; boundary="===============7298788500313447288=="

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============7298788500313447288==
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="W0QXBciJX8wvpGA3TTiIh3llsldbEhfGm"

--W0QXBciJX8wvpGA3TTiIh3llsldbEhfGm
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Mirimir:
> With scripts allowed globally, Panopticlick sees another 2-3 bits. I
> suspect that much of the additional information is also the same for all
> Tor browsers, given what I've read about Tor-specific tweaks. If that's
> the case, this isn't a major issue.

That's not necessarily the case. But anyway, the current Panopticlick is
not a good way to test for Tor Browser uniqueness[1] (and see below).

> What is a major issue is the risk of being exploited through a
> JavaScript vulnerability. And that's why I always block scripts.

Note that we disable a bunch of JIT related preferences to mitigate that
risk[2] and are investing efforts in getting hardened builds deployed[3].

> The risk from doing that, of course, is that each user will tend to
> customize their NoScript profile in a distinct way. And that will allow
> websites to tell them apart.
>
> Even so, Panopticlick can't report anything about that. For that, one
> would need a version of Panopticlick that's restricted to assessing and
> comparing Tor browser profiles. Right?

Yes. There are plans for one which is helpful in this regard[4][5].

Georg

[1] https://bugs.torproject.org/6119
[2] https://bugs.torproject.org/9387#comment:17
[3] https://bugs.torproject.org/10599
[4] https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick
[5] https://lists.torproject.org/pipermail/tor-dev/2014-March/006486.html

--W0QXBciJX8wvpGA3TTiIh3llsldbEhfGm--

--===============7298788500313447288==--

