
Re: [tor-talk] Spoofing a browser profile to prevent fingerprinting



Mirimir:
> With scripts allowed globally, Panopticlick sees another 2-3 bits. I
> suspect that much of the additional information is also the same for all
> Tor browsers, given what I've read about Tor-specific tweaks. If that's
> the case, this isn't a major issue.

That's not necessarily the case. But anyway, the current Panopticlick is
not a good way to test for Tor Browser uniqueness[1] (and see below).

> What is a major issue is the risk of being exploited through a
> JavaScript vulnerability. And that's why I always block scripts.

Note that we disable a bunch of JIT-related preferences to mitigate that
risk[2] and are investing efforts in getting hardened builds deployed[3].

> The risk from doing that, of course, is that each user will tend to
> customize their NoScript profile in a distinct way. And that will allow
> websites to tell them apart.
> 
> Even so, Panopticlick can't report anything about that. For that, one
> would need a version of Panopticlick that's restricted to assessing and
> comparing Tor browser profiles. Right?

Yes. There are plans for one which is helpful in this regard[4][5].

Georg

[1] https://bugs.torproject.org/6119
[2] https://bugs.torproject.org/9387#comment:17
[3] https://bugs.torproject.org/10599
[4] https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick
[5] https://lists.torproject.org/pipermail/tor-dev/2014-March/006486.html

