On 09/29/2015 12:46 PM, [email protected] wrote: > Spencer, > > The closest thing I'm aware of to a one-stop-shop to view the factors > of your fingerprint would be Valve's fingerprint.js library: > > https://github.com/Valve/fingerprintjs2 > > It's definitely not sophisticated enough to meet most Tor users' > needs, but it's a good start. It's also well documented and can easily > be run locally. > > To answer your question: > >> With this logic, TorBrowser users could select a unique set of add-ons >> each session, correct? > > It's important to consider TBB's design... which is to make _all_ Tor > Browser Bundle users look identical. This provides strong anonymity > amongst other TBB users. It does not hide the fact that you're using > Tor or the TBB, but attempts to hide you within the group to make each > individual difficult to uniquely track. This is also the reason for > the recent roll-out of the per-domain circuits, because third-party > trackers could collude to correlate traffic and de-anonymize Tor users > that way. This is also why Tor Project released the "slider" to pick > from a handful of pre-defined security/privacy levels. Because of > indirect detection of the myriad of potential browser configurations, > individual configurations could inadvertently make people quite > unique. So the slider helps to coalesce the potentially huge number of > combinations to single digits, assuming that most people will be > comfortable with a provided setting. > > First, the default configuration of TBB is sufficient to make > cross-session fingerprinting and tracking difficult (not impossible, > especially if JS is enabled, but that has trade-offs of its own). > Installing unique add-ons each session, would make tracking across > sessions a little more difficult (albeit probably easier than the > default TBB config since you would be, once again, unique...), at the > expense of being unique during that session. > > That practice would be almost universally discouraged, except perhaps > for some imaginative fringe cases. > > I think it's well known and understood that "adding add-ons to TBB" = > "bad for anonymity", but I'd prefer to know "how bad", instead of just > a binary good / bad. > > Perhaps this want to know more resonates with others, and will warrant > some research if it's not already been undertaken. >
Perhaps one could identify the two or three extensions that might be added (e.g. addblock plus, csfire, flashgot, etc.) and study <browserspy.dk> with/without the extensions. This could provide the (superficial?) quantification of the effects of the various extensions that you seek. (obviously do this in temporary VMs, or reinstall a "clean" copy after testing) > All the best, > > pacifica > > On 2015-09-29 16:22, Spencer wrote: >> Hi, >> >>> >>> aka: >>> Every add-on installed/not installed gives you one more bit of >>> detection. >>> >>> If [x] records you visiting an internet forum via TBB and >>> leaking something and detect another visitor with the same 3 bits set >>> looking for a train schedule, they can verify with a high confidence >>> you posted that message and live in that area. >>> That's why it's important that every TBB installation has the same >>> Http-Header values and same add-ons. >>> >> >> With this logic, TorBrowser users could select a unique set of add-ons >> each session, correct? >> >>> >>> You don't need any studies, it's simple common knowledge. >>> >> >> I second the request for some documented research, even if we do it >> ourselves. The first thought I had was a way for people to verify >> their identity by seeing their fingerprint by visiting a website, or >> something close to what others might be looking for, though this could >> also be an off-line thing. >> >> Wordlife, >> Spencer >> >> >> >> >>> [email protected] wrote: >>>> Hello afternoon / evening / morning tor-talk -- I am hoping that >>>> someone >>>> can point me in the right direction. I know it is well-discussed that >>>> adding Firefox add-ons to the Tor Browser Bundle decreases anonymity, >>>> but I would like to review the studies myself. I'm having trouble >>>> finding credible research where detection of add-ons has resulting >>>> in a >>>> significant decrease in anonymity... can someone please point me to >>>> those resources? >>>> >>>> To be explicit, I am not concerned with "plug-ins" like Java or Flash, >>>> but rather "add-ons" like HTTPS everywhere or Privacy Badger. >>>> >>>> Thanks in advance. >>>> >>>> pacifica > -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
