
Re: Proposal: Tor User Agent Carousel (TUAC)




On Apr 4, 2008, at 12:10 PM, lxixnxenoise@xxxxxxxxxxx wrote:
hi, thank you for your reply, my comments follow below:


On Apr 4, 2008, at 11:16 AM, lxixnxenoise@xxxxxxxxxxx wrote:
Hi, thank you for the reply!

"Also, when the user agent changes on a website that you logged
onto, they are going to link the two"

This is a good point, if the rotation occurs during the period of login,
but one may choose a longer period between rotations, this still not
solving anything though if the user is logged in somewhere. If the user is
logging in somewhere, though, are they maintaining a static identity? If
so, why? Would this not be a defeat in and of itself over a long period of
time, regardless of UA?

Aside from this, would they not link more from the browser than UA? So we
have two groups if we look at this simply, as a lot of tor users seem to
like using the popular Windows UA:

Group 1: The real Windows users with the UA, most plugins enabled by
default, flash, javascript, etc.

Group 2: The tor users with the common Windows UA, most or all plugins
disabled

So group one is Charlie Brown in the standard t-shirt which never changes,
and group two is Charlie Brown in the same t-shirt but with a football in
his hands, the disabled plugins standing out.

So in addition to the TUAC idea (which, despite my naming of it, you
mentioned has already been suggested, which doesn't surprise me) I propose
this:

A way to safely spoof (without a negative result to either end) to the
websites that you have plugins enabled, java, javascript, Flash, and all
of the rest, but somehow negating the incoming transmission of said content
by passing it into some type of virtual shredder, some type of /dev/null
approach. In this way Charlie Brown would not be holding the football in
being fingerprinted so easily.

Thank you for your other useful comments, I have removed them from my
reply to save space since I have no comments to share on them.

If this is offtopic since it does not directly have to do with tor as you
have pointed out, I will take the suggestion to others instead. Thanks for
your kind attention! :)

I don't have much to say to that, except that you stick out as a Tor
user because your request came through a tor server. The list of tor
servers is publicly accessible (which is necessary by design) and even
if you don't spoof anything you're still not the regular Charlie
Brown. You need to "blend in" with the other Tor users, as you cannot
blend in with anyone on the planet!



Okay, though I would appreciate other people's comments then on my
suggestions for safely spoofing an enabled set of plugins if this could be
done. Yes, one may easily stick out as a Tor user because of the exit node
IP, *if* they are connecting to the end point through the exit node. Some
tor users choose to go through additional hoops rather than expose the
exit node IP, thus in this case they are NOT identified as a tor user.

Whether or not the tor user hits the website with the exit node IP, why
should they further subject themselves to being labeled as a tor user? Why
would they want to blend into this small group of users? I would think
they would want to further blend into the larger group of common folk who
most often have their plugins enabled. Because of this I believe some
method should be implemented to safely spoof plugins being enabled when
they are disabled.

Maybe you can't blend in with everyone, but I'd rather choose to blend in
with the commoners or others (that's the point of the common UA, right?)
than the rest of the tor users.

I don't want to spam the list, but I think it's remarkable how you still don't acknowledge that it doesn't help to tell websites you have plugins enabled... They will for example test for JS, and if it doesn't work, they already know something. Then they'll put an applet or Flash up - that doesn't connect back - wow, they figured out you're a Tor user.

Also, this will hurt the general user experience - websites that detect you don't have JS enabled might direct you to a page that doesn't use it, while what you see else is totally useless. So I don't think this would become the default, which means again you don't only stick out because you're a Tor user, but also because you use a feature few others don't use.

But I will not respond until someone else has had the chance to reply and say what they think.

