[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Proposal: Tor User Agent Carousel (TUAC)

Hi there,

thanks for your idea. Please find my comments below:

On Apr 4, 2008, at 10:40 AM, lxixnxenoise@xxxxxxxxxxx wrote:
I would like to propose an idea to the Tor community, in the hope that
someone with the coding skills could pick up on it and run with it to make
it a reality. The idea is a simple one, I call it:

Tor User Agent Carousel (TUAC)

- What is Tor User Agent Carousel? (TUAC)
It's an idea I'm proposing as a feature to be added to Tor Button, Tork, Vidalia, or perhaps just a plugin for Firefox. It would allow the Tor user to configure when their browser's user agent changes and how often, either by randomly timed (role of the dice sort of time period) intervals or a user defined set time (week,day,hour,seconds,etc.). TUAC would read the user agents from a text file containing a list of user agents which the user may add to with their own custom strings at any time. The rotation of the user agent would be at random every time, or perhaps there could be an additional choice for the user to select between several user agents (from within the text file containing a list of user agents) to rotate between
in addition to the random feature.

This has actually been asked for before. Please see https://www.torproject.org/volunteer.html #Research, #11.

About the implementation: This has nothing to do with Vidalia or TorK, as both programs work with Tor preferences, but not with your everyday webbrowsing. It also doesn't belong with Tor, because Tor is protocol- agnostic, which means that we don't inspect traffic to change http- headers (also, this wouldn't work for https-connections). So really, if such a feature were to be implemented, the right place would in fact be Torbutton or privoxy or some other proxy.

- Isn't there already a plugin for changing the browser's user agent?
Can't Privoxy also do this?
Yes and yes, but these are operations the user must *manually* perform
each time they wish to change the user agent. In my searching on the
internet I've found no plugin or program which allows Firefox (or other
browsers) to rotate the user agent randomly and/or according to a set
pattern of time. This is why the image of a carousel came to me, with the rotation of animals being symbolic of the user agent rotation I believe
tor users should have.

You believe they should have that option, but does it help or hurt anonymity? I do think it hurts, more below (also, this ist just what *I* think, without any proof!)

- Isn't this a silly idea? How does this help anything?
First, I believe this is a feature every tor user should have as an
option, regardless of what some naysayer may have to say about it, not
everyone likes or uses every feature any software product offers them, but without additional features they would have less to choose from. Second, I believe the static/manual changing of the user agent isn't enough, there are many ways to fingerprint a particular browser by its configuration, and I don't believe simply mixing in with the crowd is enough, as the user is likely to have many other blatent Tor-like signs, especially with most everything turned off like javascript, java, etc. I believe by allowing the tor user to randomize their user agent as they choose either on a set
time period for UA rotation or a time picked by the TUAC program at
random, it will further help in distancing themselves from fingerprinting attacks. I didn't like relying on Privoxy or some browser plugin to switch
my user agent manually, I didn't want to do this each and every time I
wanted to appear as another browser, I want this done randomly without my interaction! I'm not alone here, there are many others on the net looking for a random UA rotation and I believe TUAC could deliver this. I'm sure
there may be a number of nay sayers, as with any idea, but regardless,
this is a feature I and many others have wanted, I'm sure, even if it was just a Firefox plugin, it would be a simple matter to create by a bright
minded individual, and those who wanted to use it would.

Please note that in most cases it is trivial to detect whether traffic comes through the Tor-network or not. So, if you use the standard user agent provided by Torbutton, you can be identified to be "someone who uses Tor and Torbutton between version x and y" (those two versions are the versions that set that specific user agent). So when you change the reported user agent frequently, does that mean that your anonymity gets better? No, it doesn't! Now, you're a user who uses Tor and Torbutton and also uses the user agent toggling script - a lot less people are going to use that, until the new version is widely adopted, which takes time. Also, when the user agent changes on a website that you logged onto, they are going to link the two. Again, the above is just what I think of the problem, nothing based on research!

- Couldn't this be just a browser plugin rather than an addition to a
Tor-specific program?
Sure, like many of the Firefox plugins, I'm sure it would be a great
addition, even for the non-Tor users. However, I believe it would be
especially useful for Tor users, so I'm suggesting it here, as not all of us use Firefox for Tor, so could this feature be added to another program
for Tor users regardless of browser? For Privoxy users, the UA can be
changed manually within one of the configuration files, but this means
Privoxy must be restarted for the change to be honored. Is there some way
around this, or could this just be done without touching Privoxy? What
about other programs used by Tor users, Tork? Vidalia? Polipo? Others?

See above why there are only two choices, really onle a browser plugin as it should work with https-traffic as well.

Thank you for your consideration

I hope I have given you something to think about, and maybe, when some research shows it is worthwhile, it will be implemented in Torbutton - but someone has to sort out the facts, first


Attachment: PGP.sig
Description: This is a digitally signed message part