Let us try to define what "fingerprinting Tor use" means exactly. It clearly does not mean "detect if you are using Tor". It probably has more to do with detecting that a certain single TorBrowser installation, including all its settings and plugins, is communicating with a certain server. An adversary could detect this at the side of the exit node (possibly even in the case of encrypted traffic), but more importantly it can be detected at the side of the server.

TBB enables JavaScript by default, presumably because many websites need JavaScript. NoScript can be used to selectively allow JavaScript from certain domains, but doing so could make it possible to fingerprint your Tor use.
When does the fingerprinting attack matter? Does it only apply when a user is using the same TorBrowser installation for identities or behaviors that the user wishes to keep separate? It is already recommended to restart the TorBrowser to disconnect behaviors. Wouldn't it also be recommendable to use different TorBrowser installations for different behaviors, or is this going too far?
Please do question this. Don't fall into the false dichotomy between safety and usability. I believe there is a bug (feature request) in the tracker about adding a 'security slider' to Tor, that would allow users to make NoScript a lot stricter. Such a slider would make JavaScript-avoiding users share roughly the same browser settings with a larger fraction of the Tor user base. Does anyone have a bugid?

(I am not questioning the TBB default of allowing JavaScript; that probably should be the default even if it increases risk, for usability reasons.)
There are bound to be edge cases on which fingerprinting attacks can be launched. Please think about which slider implementation would result in fewer TorBrowser-installation-specific settings.
Regards,
Gerard

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk