
Re: browser footprint



Karsten N. wrote:
I have read a thread at the JonDos forum about browser footprints.

A browser is not only identified by the user-agent, it is possible to
use the accepted language, the accepted content, accepted charsets...

To create a highly anonymous group, many users should use the same
settings for HTTP header values.

You may check your browser at: https://www.jondos.de/de/anontest#

At the page you will see the recommended settings. A developer of
JonDos wrote, they are in contact with the tor dev team about this.
Is it true? I can not find anything about this at torproject.org.

In Firefox / Iceweasel you may set all recommendations at about:config

 intl.charset.default              utf-8
 intl.accept_charsets              *
 intl.accept_languages             en
 network.http.accept.default       */*

add a new string value to the configuration:

general.useragent.override  Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0

and use some plugins like RefControl, CookieSafe, NoScript....

For Konqueror, I think it is only possible to set the following
values in $HOME/.kde/share/config/kio_httprc

  Language=en
  SendUserAgent=true
  UserAgent=Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0
  SendReferrer=false

More options possible?

Are there recommendations by others?

Karsten N.




Thanks for posting this; I think it is an important topic.

1. ISTM that one should go out to some of the statistics sites and
determine what the most frequently occurring "prints" actually are.

For user agents, there are many statistic sites; e.g.:

http://www.thecounter.com/stats/
http://www.upsdell.com/BrowserNews/stat.htm

FWICT, the most frequently occurring general User Agent is one of these:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1)

I'd then find out what the typical (American English) Windows I.E.
browser puts out for charsets and encodings, and use that.

(I do not believe that content type  */* is used by many browsers; nor
does gzip,deflate appear for HTTP_ACCEPT_CODING)

2. I agree that TOR would be the logical place to incorporate an
optional sanitizing routine that makes all browsers look the same. It is
likely that some folks will complain that it'll break certain features -
fine, they don't have to use it. But for most of TOR browser usage, it'd work fine.

If doing this in TOR is not practical or too far off, TOR could at least
officially recommend the replacement signatures that most users could
apply using our own devices (e.g. tweaking polipo, using privoxy,
Proxomitron, etc.).

It seems to me that if we wanted to approach TOR on this:

a. the first step would be to determine what the browser headers should be.

b. the second step would be to code and test a patch for TOR that
replaces individual headers with the standard headers, and deletes
extraneous stuff.

c. Present the recommendations and code patch.


If you are in contact with JonDoe, you might ask them why they chose the signatures they did.

HTH

(p.s. Suggest you retitle this topic to "browser fingerprints" or "browser signatures". "footprints" typically refer to the size and overhead of an application)
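
The sanitizing step proposed in point 2b of the reply above, as an added example (not code from either poster, from JonDos or from Tor): it replaces the fingerprintable headers with one standard profile, deletes everything else, and counts how many clients share each resulting fingerprint. The profile values are the ones quoted in the first message; the pass-through list, the fixed header order and the sample requests are assumptions constructed for illustration.

```python
from collections import Counter

# Standard profile: the values quoted in the first message of this thread.
STANDARD = {
    "user-agent": "Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0",
    "accept": "*/*",
    "accept-language": "en",
    "accept-charset": "*",
}
# Assumption: headers a request needs to function, passed through unchanged.
PASS_THROUGH = {"host", "content-type", "content-length"}
# Header order is itself observable, so the output order is fixed.
ORDER = ["host", "user-agent", "accept", "accept-language", "accept-charset",
         "content-type", "content-length"]


def sanitize(headers):
    """Return a header list with standard values set and extras deleted."""
    kept = {}
    for name, value in headers:
        key = name.strip().lower()
        if key in PASS_THROUGH and key not in kept:
            kept[key] = value.strip()
    kept.update(STANDARD)  # replace or add every fingerprintable header
    return [(k, kept[k]) for k in ORDER if k in kept]


def fingerprint(headers):
    """Everything a server could compare, minus Host and body headers."""
    return tuple((n.lower(), v) for n, v in headers if n.lower() not in PASS_THROUGH)


def anonymity_sets(requests):
    """Map each distinct fingerprint to the number of clients sharing it."""
    return Counter(fingerprint(r) for r in requests)


# Constructed sample requests from three different clients.
SAMPLE = [
    [("Host", "example.org"), ("Accept", "*/*"), ("Accept-Language", "en-us"),
     ("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)")],
    [("Host", "example.org"), ("Accept-Language", "de-de,de;q=0.8"), ("X-Custom", "1"),
     ("User-Agent", "Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0")],
    [("Host", "example.org"), ("User-Agent", "Konqueror/3.5"),
     ("Referer", "http://example.net/"), ("Accept-Encoding", "gzip")],
]
```

Before sanitizing, `anonymity_sets(SAMPLE)` yields three groups of one client each; after `sanitize` is applied to every request, all three fall into a single group.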