
Re: browser fingerprinting - panopticlick



Andrew Lewman wrote:
> On 01/30/2010 08:40 PM, 7v5w7go9ub0o wrote:
>> Given the implications of panopticlick, have you any interest/plans
>> in making Torbutton fingerprints even more indistinguishable (e.g.
>> give every user a windows I.E. fingerprint)
> 
> Just to highlight what Mike said,
> 
> "As an aside, since there are already some questions in #tor and 
> #tor-dev, I want to point out that Torbutton's obfuscation features 
> are only intended to make you appear uniform amongst other Tor users.
>  Tor users already stick out like a sore thumb because of using exit 
> IPs, and the small numbers relative to the rest of your visitor base 
> will make Torbutton's obfuscated settings appear very unique compared
>  to regular visitors."
> 
> All Tor users should look the same.  Not the same as all Tor users
> look like the rest of the Internet.  You already know it's a tor user
> because of the easily identifiable exit relay ip address.  It should
> be hard to tell if there is 1 tor user or 1 million from the other
> information gleaned about the browser.
> 

Agreed; first of all TOR users should look the same..........

1. FWICT, the TORBUTTON obfuscation occurs only on the User Agent
response. To make us look the same, ISTM the HTTP_ACCEPT Headers should
also be standardized.

Perhaps all of the fields tested by panopticlick could be standardized -
reporting that JS is active even if it isn't (or vice versa)? Obviously
there will be additional tests beyond those of panopticlick.

2. Given it is the goal for all TOR users to look the same, there
seems a parallel argument for all TOR users to also be as
indistinguishable as possible from the dominant other on the net (I.E.
7 on XP?) - just in case some signature collector doesn't correlate with
the tor exit, but can tell we were TOR because we bear the TORBUTTON
signature.

It just seems to me that the panopticlick signature trick is now out of
the bag, and it will become widely implemented. Best would be for ALL
browsers to appear the same and be indistinguishable.
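
An added example, not part of the original message and not Torbutton code: it measures, in bits of identifying information as panopticlick reports them, how a uniform User Agent with non-uniform HTTP_ACCEPT headers still splits Tor users into small groups, and how standardizing both fields makes them uniform among Tor users while they remain distinct within a site's whole visitor base. All header strings and visitor counts are constructed placeholders.

```python
import math
from collections import Counter

# Constructed sample data. Each fingerprint is (user_agent, http_accept).
# The strings are placeholders, not real Torbutton or browser header values.
TOR_UA = "UA-torbutton-uniform"
TOR_USERS = (
    [(TOR_UA, "accept-variant-A")] * 4
    + [(TOR_UA, "accept-variant-B")] * 2
    + [(TOR_UA, "accept-variant-C")]
    + [(TOR_UA, "accept-variant-D")]
)
REGULAR_VISITORS = [("UA-ie7-xp", "accept-ie")] * 32 + [("UA-firefox", "accept-ff")] * 24


def surprisal_bits(population, fingerprint):
    """Bits of identifying information: log2(population size / users sharing it)."""
    return math.log2(len(population) / Counter(population)[fingerprint])


def smallest_anonymity_set(population):
    """Size of the smallest group of users with an identical fingerprint."""
    return min(Counter(population).values())


def standardize_accept(population, accept_value):
    """Model a client that rewrites HTTP_ACCEPT to one fixed value for everyone."""
    return [(ua, accept_value) for ua, _ in population]


def report():
    uniform = standardize_accept(TOR_USERS, "accept-uniform")
    site = REGULAR_VISITORS + uniform  # what one site sees across all visitors
    return {
        # User Agent standardized only: Accept headers still split the group.
        "ua_only_smallest_set": smallest_anonymity_set(TOR_USERS),
        "ua_only_worst_bits": max(surprisal_bits(TOR_USERS, fp) for fp in set(TOR_USERS)),
        # Both fields standardized: one group among Tor users ...
        "uniform_smallest_set": smallest_anonymity_set(uniform),
        "uniform_bits_among_tor": surprisal_bits(uniform, uniform[0]),
        # ... but still a minority fingerprint among all visitors to the site.
        "uniform_bits_among_site": surprisal_bits(site, uniform[0]),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.2f}")
```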




