Re: [tor-talk] Basic questions from new user but...

On Fri, May 11, 2012 at 2:36 AM, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:
> Isn't this approach very much a double edged sword?  From the link:
>> However, we recommend that even users who know how to use NoScript leave
>> JavaScript enabled if possible, because a website or exit node can easily
>> distinguish users who disable JavaScript from users who use Tor Browser
>> bundle with its default settings (thus users who disable JavaScript are less
>> anonymous).
> It may be true that changing settings makes one's profile different, but
> from all I've ever read, java script is responsible for more malicious
> browser attacks than anything.  That's not so good.

Javascript attacks are, however, out of the scope for anonymity
research. The anonymity set reduction above, while purely theoretical
and of no practical significance, is in that scope. It's a typical
case of project focus shifting priorities to user's disadvantage.
Moreover, if many users turn Javascript off often, it is quite
possible that turning it off offers more (theoretical) anonymity due
to the possibility of fingerprinting users' browser versions by
browsers' respective Javascript quirks.

> Can someone explain to non-Tor network experts in layman's terms (25 words
> or < ) :D, what exactly some one / entity HAS to be able to do in order to
> profile that Joe has java script disabled, & then be able to tie it to MY
> (dynamic) IP address - at * that * moment (an address that could change
> anytime), or to me physically, sitting here at 123 Oak St., Bumfk, ND?

It is not possible — anonymity set reduction only shifts your
anonymity towards pseudonymity. I would guess that most browser users
do not need true anonymity, however, and are fine with pseudonymity.

> Then, what are the REAL world odds that out of all the exit nodes traffic,
> which are constantly changing users, that someone can monitor enough nodes
> AND be able to tie it directly to ONE specific person, w/ a real name &
> physical address?  Are we talking that any 12 yr old w/ the right, free
> software can do this, or "theoretically"?


Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)
tor-talk mailing list