Hi there, thanks for your idea. Please find my comments below: On Apr 4, 2008, at 10:40 AM, lxixnxenoise@xxxxxxxxxxx wrote:
I would like to propose an idea to the Tor community, in the hope thatsomeone with the coding skills could pick up on it and run with it to makeit a reality. The idea is a simple one, I call it: Tor User Agent Carousel (TUAC) - What is Tor User Agent Carousel? (TUAC)It's an idea I'm proposing as a feature to be added to Tor Button, Tork, Vidalia, or perhaps just a plugin for Firefox. It would allow the Tor user to configure when their browser's user agent changes and how often, either by randomly timed (role of the dice sort of time period) intervals or a user defined set time (week,day,hour,seconds,etc.). TUAC would read the user agents from a text file containing a list of user agents which the user may add to with their own custom strings at any time. The rotation of the user agent would be at random every time, or perhaps there could be an additional choice for the user to select between several user agents (from within the text file containing a list of user agents) to rotate betweenin addition to the random feature.
This has actually been asked for before. Please see https://www.torproject.org/volunteer.html #Research, #11.
About the implementation: This has nothing to do with Vidalia or TorK, as both programs work with Tor preferences, but not with your everyday webbrowsing. It also doesn't belong with Tor, because Tor is protocol- agnostic, which means that we don't inspect traffic to change http- headers (also, this wouldn't work for https-connections). So really, if such a feature were to be implemented, the right place would in fact be Torbutton or privoxy or some other proxy.
- Isn't there already a plugin for changing the browser's user agent? Can't Privoxy also do this? Yes and yes, but these are operations the user must *manually* perform each time they wish to change the user agent. In my searching on theinternet I've found no plugin or program which allows Firefox (or otherbrowsers) to rotate the user agent randomly and/or according to a setpattern of time. This is why the image of a carousel came to me, with the rotation of animals being symbolic of the user agent rotation I believetor users should have.
You believe they should have that option, but does it help or hurt anonymity? I do think it hurts, more below (also, this ist just what *I* think, without any proof!)
- Isn't this a silly idea? How does this help anything? First, I believe this is a feature every tor user should have as an option, regardless of what some naysayer may have to say about it, noteveryone likes or uses every feature any software product offers them, but without additional features they would have less to choose from. Second, I believe the static/manual changing of the user agent isn't enough, there are many ways to fingerprint a particular browser by its configuration, and I don't believe simply mixing in with the crowd is enough, as the user is likely to have many other blatent Tor-like signs, especially with most everything turned off like javascript, java, etc. I believe by allowing the tor user to randomize their user agent as they choose either on a settime period for UA rotation or a time picked by the TUAC program atrandom, it will further help in distancing themselves from fingerprinting attacks. I didn't like relying on Privoxy or some browser plugin to switchmy user agent manually, I didn't want to do this each and every time Iwanted to appear as another browser, I want this done randomly without my interaction! I'm not alone here, there are many others on the net looking for a random UA rotation and I believe TUAC could deliver this. I'm surethere may be a number of nay sayers, as with any idea, but regardless,this is a feature I and many others have wanted, I'm sure, even if it was just a Firefox plugin, it would be a simple matter to create by a brightminded individual, and those who wanted to use it would.
Please note that in most cases it is trivial to detect whether traffic comes through the Tor-network or not. So, if you use the standard user agent provided by Torbutton, you can be identified to be "someone who uses Tor and Torbutton between version x and y" (those two versions are the versions that set that specific user agent). So when you change the reported user agent frequently, does that mean that your anonymity gets better? No, it doesn't! Now, you're a user who uses Tor and Torbutton and also uses the user agent toggling script - a lot less people are going to use that, until the new version is widely adopted, which takes time. Also, when the user agent changes on a website that you logged onto, they are going to link the two. Again, the above is just what I think of the problem, nothing based on research!
- Couldn't this be just a browser plugin rather than an addition to a Tor-specific program? Sure, like many of the Firefox plugins, I'm sure it would be a great addition, even for the non-Tor users. However, I believe it would beespecially useful for Tor users, so I'm suggesting it here, as not all of us use Firefox for Tor, so could this feature be added to another programfor Tor users regardless of browser? For Privoxy users, the UA can be changed manually within one of the configuration files, but this meansPrivoxy must be restarted for the change to be honored. Is there some wayaround this, or could this just be done without touching Privoxy? What about other programs used by Tor users, Tork? Vidalia? Polipo? Others?
See above why there are only two choices, really onle a browser plugin as it should work with https-traffic as well.
[snip] Thank you for your consideration
I hope I have given you something to think about, and maybe, when some research shows it is worthwhile, it will be implemented in Torbutton - but someone has to sort out the facts, first
Sebastian
Attachment:
PGP.sig
Description: This is a digitally signed message part