Re: browser fingerprinting - panopticlick

[7v5w7go9ub0o <7v5w7go9ub0o@xxxxxxxxx>]

Kyle Williams wrote:
> 7v5w7go9ub0o wrote:
> > Andrew Lewman wrote:
> >
> > > On 01/29/2010 08:20 PM, 7v5w7go9ub0o wrote:
> > >
> > > > As we slowly transition to web 2.0, probably the next step is 
> > > > putting the TOR browser in a VM full of bogus, randomized 
> > > > userid/sysid/network information - carefully firewalled to 
> > > > allow TOR access only (TOR would be running somewhere outside 
> > > > the browser VM).
> > > Already working on that, https://www.torproject.org/torvm/ or 
> > > pick a live cd with tor integrated into it.
> > Good to see these projects being developed. IIUC, the TORVM is a 
> > tor client; so the TORVM is designed for easy installation, and 
> > perhaps to contain any exploit of TOR!?
> This was one of the design points of Tor VM; to protect Tor by 
> running it inside a VM, so if your browser in the HOST OS goes bad on
>  you Tor would be protected inside the VM.
>
> > Guess I was thinking of a different approach: putting Firefox in a 
> > VM and just letting it go ahead and get crazy with flash, JS, 
> > cookies (.. I have tired of tweaking NoScript, RequestPolicy, and 
> > CS Lite all the time.....).   TOR is running in a chroot jail on 
> > the "regular" OS, connected by network.
> >
> > JS/Flash will presumably look for unique or geographic information
> >  within the VM and will get only bogus stuff which is cleaned and 
> > randomized every few minutes, along with cookies and caches. DNS is
> >  "unbound", elsewhere on the internal network, and has protection 
> > against many of the "DNS tricks". FWICT the obtainable network 
> > information all reflects the virtual Ethernet.
> You may want to take a look at another project I've had out for a few
>  months, but haven't really made much light of it. Chromium Browser 
> VM http://www.janusvm.com/chromium_vm/
>
> The name says it all.  It's Chromium running inside a VM.  Unlike 
> traditional VMs, this VM attempts to make the browser feel like a 
> native application to the HOST OS even though it's running inside the
>  VM.  If you open a "Incognito" session with Chromium, it does a 
> pretty good job at protecting your privacy with regards to your 
> history and cookies, preventing the disclosure of what sites you've 
> visited on the Internet (tested against JS & CSS).  Check it out.
>
> You can run it in different modes: - Exported browser display 
> (default) - Exported browser display with plugins disabled - Browser 
> in a local X server (inside the VM's window or as a boot CD.) - 
> Browser in a local X server with plugins disabled (inside the VM's 
> window or as a boot CD.) - All the above options + Tor
>
> The ISO is also bootable from a CD-ROM, just burn it, boot it, and 
> choose a boot option with "Local X Server".  It uses the same drivers
>  turnkey linux (aka: Ubuntu 8.04). So it's over kill for driver 
> support from the VM stand point, but it's good as bootable CD for 
> lots of different hardware vendors.


Dang!   This makes a lot of sense! A fast, "throwaway" browser, quickly
(instantly?) reloaded in a virgin state - as opposed to the traditional
approach of a heavily-protected Firefox remaining in memory for a while.

As you know, on Linux one simply QEMU/KVMs the .iso on storage; dead easy.

I'd guess there is reluctance to try it, as many believe that Google is
satan and fear that there is home-phoning to the "cloud" going on with
Chromium. Of course, running it in a well-firewalled, standardized VM
may render that information meaningless, and any reporting outside of
TOR impossible.

[]

> Against the EFF's new fingerprinting tool, this browser VM masks most
>  of your real attributes, but fails when it comes your screen size. 
> Interestingly, the color depth was off and reported 24 when should be
>  32.  BTW, the performance benchmarks with this browser inside (or 
> outside) a VM smoke FF and IE hands down.  Kudos to Google. :)

Got a copy; gonna give it a try!

(FWIW, Have had good luck with a hardened-Gentoo FF QEMU/KVM VM, except
for graphics which suck. Once they/I figure out how to get GPU
pass-through, I'll do routine browsing - including flash/silverlight
streaming - in it. IIUC chromium does html5 video; will see if I can
get some html5 pass-through video streaming out of your .iso (though,
obviously, not through TOR.)



***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/