
Re: [tor-talk] Hiding stuff

On Fri, Jul 13, 2012, at 15:41, krugar wrote:
> the way the TBB creates anonymity may not be very intuitive, but it does
> work. at least as long as you do not identify yourself to a website that
> will link your voluntarily given identity to the series of throw-away
> cookies TBB leaves with trackers (ohai facebook, i guess).

Hmm… facebook, google, msn, yahoo, are really no-nos. They are into the
business of harvesting data and they are large enough and smart enough
to beat some hacks to fix a stupid design anyway. To make things worse,
all of them offer the temptation to log in which will track one user
across browsers, sessions, proxies, and so on.

> popular security/privacy addons like RequestPolicy or Ghostery may
> simply suppress loading of scripts (and cookies) from 3rd party websites
> (which may speed up pageload). if those are not owned by a real 3rd
> party, but e.g. used to serve static content, the request footprint of
> your pageview is noticeably different, which cannot be hidden and
> reduces your anonymity set.

Adblock Plus, NoScript, Request Policy are the first in the line of
defence to fix the stupid design. Or smart design. It all depends on
which side of the fence you are on. Google exists plainly because all the
protocols were made wiiiide open so developers won't have to bother the
employer with billing overtime. I mean, what were they thinking when they
made the email plain text and ready to hop over an unspecified number of
hosts? SSL is just a silly hack to keep the stupidity of HTTP in place.
It's not a redesign. And so on, and so on.

Thank you Tor team for trying to fix these holes. As things are going no
big player would cut its own revenues to support a clean protocol,
whatever that might be. So Tor is bound to ride on top of popular
protocols. But besides PGP and Tor teams I am not aware of another team
ready to redesign the mess in place today.

I have my doubts about Ghostery. And, itself it's rather redundant.
Also, I recently found out that RequestPolicy is also redundant. Its
only reason to be is because the ABE in NoScript has yet to develop a
nice graphical interface to set up the rules. Guess Adblock can be made
redundant with some of the NoScript features.

> also, those plugins uh... change the web experience and may even render
> some pages unusable for less tech-savvy users, which i guess is one
> reason they don't come bundled with TBB.

Yes. That is true. The big players like yahoo and the gang are a mess of
requests from all sort of domains, all under the same ownership of
course. Also Google is very interesting in the way that it logs a user on
quite a few servers. I wasn't aware of that till I disabled automatic
redirection. Then I discovered that, when I log into Google, I am logged
into the main server, then into a server for each country from which I
have ever logged in for an extended period of time. And, although they
track me over all of their servers, upon request they can also log me
into youtube, plus, and so on.

But I find the evolution of the smaller players disturbing. And maybe
it's time to break their silly sites as it is still possible to make
them independent. I mean they pay for hosting and the bandwidth to give
everything to Facebook for the sake of one-click login. Or with the use
of googleapis they give all data to google while similar packs are
already available free of charge. For the sake of reposts they make
available so much data to some Stumble Upon service. And so on.

As for having them in TBB, I understood from reading the comments to
the official blog that more extensions means more work for the core team
to monitor. And while HTTPS Everywhere seems to be pretty straight
forward, NoScript had a number of slips. What if Giorgio decides he
doesn't get enough money and puts in some backdoors for some Google-like
corporation? It's sick to look at the development of Firefox itself.
Geolocation, malware integration with google and so on. Lately they seem
to have lost their dream to develop the standard compliant IE and are doing
their best to do some Chrome clone. And they are right, much of their
money comes from Google anyway and not from grumpy users like myself. So
the Tor team has to monitor two development roadmaps. Add Adblock and
RequestPolicy and you have roughly doubled the effort put into TBB.

> all that being said, if you want to work on this, you could look at
> http://panopticlick.eff.org and http://browserspy.dk/
> for code that lists installed firefox addons.

I know those two sites. They are the reason I want to make the browser
less chatty. In a world where multimedia and games were handled by
Firefox the browser spits anything imaginable about someone: CPU, OS,
browser, browser version, browser compile parameters, screen resolution,
extensions. Thanks to Mr. Stallman the project is opensourced. But the
owners of these browsers are commercial entities and not the users. Or
else it does not make any sense to have in the open all you can see on
Browserspy without an option to disable it all and have a fixed mask for
the users who don't need to have the wonderful features of Hello $user,
the time is $time, and the date is $date.

Just in that direction, I just read an article about an Android forum
getting hacked. They have leaked everything. The interesting part was they were
storing login and location information too. Why? I bet less than 0,1% of
the users would dump their account on that site.