I appreciate all the time and effort you put into your response and I agree that we must use facts not feelings to discuss the issue at hand. As a thought experiment: what is the *maximum* amount of personally identifiable information that can be exfiltrated from a user's browser without compromising his/her anonymity?
With regard to 33 bits of entropy being the critical mass of positive identification, are the sources you're citing? https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy / http://www.law.yale.edu/documents/pdf/ISP/Lee_Tien.pdf Those studies appear to be talking about identifying individuals and less re. browser fingerprints. Based on the (very) basic data below, my fingerprint in FF with JS enabled was "unique" out of the >4M browser samples thus far but "only" revealed 22 bits of entropy. This tells me that 33 bits of entropy is significantly more than what is necessary to positively identify a user. I am definitely not the person to make decisions here one way or the other, I just wanted to give my opinion of the relative benefits of leaving JavaScript enabled by default and the "blend in" theory promulgated by the TP devs thus far. But here are some numbers that I just collected that perhaps could be of use to you. This test was done with the latest TBB (3.6.3) and Firefox versions on Linux (Fedora), with both JS on and off: FF (private browsing) / JS disabled = 16 bits (not "unique" - one in 65,487) FF (private browsing) / JS enabled = 22 bits ("unique" out of >4M samples) FF (normal browsing) / JS disabled = 15.98 bits (not "unique" - one in 64,524) FF (normal browsing) / JS enabled = 21.07 bits (not "unique" but one in 2,193,824 [roughly 2 matching entries in the sample]... so the other data point may well have been me...) TBB / JS enabled = 12.06 bits (not "unique" - one in 4,260) TBB / JS disabled = 9.05 bits (not "unique" - one in 529 are same) TBB was fresh -- I literally verified the download, ran the 'start tor browser' script, clicked "connect" and went directly to panopticlick.eff.org to run the test with JavaScript on first (default TBB setting) and then turned it off globally to run it again within a minute or two of each other. The "unique" verbiage I added in parentheses above is in reference to the blurb on the page about whether or not your fingerprint is "unique" among their samples thus far of collected fingerprints. And of course this is only Panopticlick, so take that into consideration. You seem to be getting higher numbers overall, so perhaps there is something materially dissimilar about our systems that is causing the gap. I don't have Flash or Java installed at all, so perhaps that's limiting things somewhat. I also have a handful of plugins. In other words, I don't know what the *minimum* amount of identifying information is sufficient to deanonymize a user, but I'd love to know and see how TBB with and without JS respectively. Thanks to all for everything you do. Best, Ben On Tue, Jul 29, 2014 at 2:29 PM, Joe Btfsplk <[email protected]> wrote: > > On 7/29/2014 12:16 AM, Ben Bailess wrote: > >> There are some built-in protections in TBB that keep honored requests for >> known fingerprinting data to a minimum, so the TBB does not function like >> a >> normal browser in this instance. >> >> It most notably limits the high entropy factors -- responses for fonts and >> plugin microversions. And as long as you obey the nice Tor devs and don't >> install any additional plugins, then plugin microversions won't be >> unique/identifiable either. *So enabling JS really isn't quite as big* of >> a >> step out into the light as it would be in say Chromium or Firefox, which >> has no protections against HTML5 canvas fingerprinting (or anything by >> default) for instance. >> > [Emphasis Added]. Don't know about enabling JS not being "big." > This isn't a "feeling" topic or discussion (general statement, not aimed > at anyone). > Either we use facts (as best understood) to make decisions on this, or we > don't. > > I'm no expert on fine details of this, but over a long time of checking > TBB, Firefox, JonDo Fox, etc., on multiple test sites, it's always clear > that far more info is available when JS is enabled. > The EFF says ~ 33 bits of identifying info (ii) are needed to accurately > identify the same browser / machine at multiple sites. > > Even if that's just a ball park figure, when I visit Panopticlick, > BrowserSpy.dk & others (many times, many browser versions, spread out over > a yr +) , the difference in bits ii when JS is enabled or disabled, goes > from well below 33 bits (in mid 20's) to well over 40 bits. > It's the same in vanilla Fx. > In vanilla Fx & NoScript - JS disabled, test sites might show * 24 bits > of ii *. Nearly as good as TBB w/ JS disabled. Well under EFF's threshold > to accurately identify a browser / device. > Enable JS in vanilla Fx & it shoots to * > 43 bits ii * (again, > essentially the same as TBB under same scenario). > > That appears to mean that vanilla Fx & NoScript w/ JS disabled, is no more > * identifiable * as "the same browser" than TBB w/ JS disabled. > So either EFF's (& others) estimation on what's needed to identify a > browser is considerably off, or enabling JS is a * BIG * deal. > > >> So if allowing at least some JavaScipt is inevitable, then I think the Tor >> devs have the right idea -- assume that some use of JS is a foregone >> conclusion and protect the users from the additional exposure to >> fingerprinting in a way that makes them all look as similar as possible. >> >> If the user prefers to have more privacy / security by forsaking some >> anonymity by disabling JavaScript and thereby making him/herself >> identifiable as a smaller subset of overall Tor Browser users, that's >> his/her option. >> > Yes, in a smaller subset. But, what good is being in a larger set of Tor > users (that leave JS enabled), if doing so allows sites / trackers to > clearly identify the same browser at multiple sites, or even end to end of > Tor circuits, for advanced adversaries? > "Hiding" in a crowd, where you're still clearly identifiable doesn't make > much sense. > > Back to one main school of thought: * an adversary needs X bits of > identifying info * to accurately identify the same browser at multiple > sites, or end to end in Tor circuits. > Do you want to be in a large crowd, where everyone reveals well over the > required bits ii needed to accurately identify each one? > Or be in a smaller crowd, but users can't be individually identified - end > to end, or site to site? > > Unless this business of "necessary bits of identifying info to identify > the same browser" is inaccurate & blown out of proportion. > That's where I have to rely on * real * experts. Not on feelings or > supposition. > Either the results from repeated tests I've done, separated by many > months, are meaningful or they're not. > Either ~ 33 bits of info (or anything close) will allow identifying a > browser, or it won't. > > But in that instance, said user should probably be using >> Tails to remedy those sorts of problems since Tails addresses even more >> fingerprinting issues. >> >> If Tails, or any other means is needed to provide anonymity (while still > being able to actually use the web), then those should be a part of Tor / > TBB. > Unless the only goal is to hide destinations from ones ISP, then providing > only part of what's needed in TBB for reasonable anonymity is... > *"Here's a browser / network that'll hide your IPa. BTW, if you use it w/ > JS, you can be identified at each end of a circuit and at each website."* > > -- > tor-talk mailing list - [email protected] > To unsubscribe or change other settings go to > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
