[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Basic questions from new user but...

On 5/11/2012 7:21 AM, Maxim Kammerer wrote:
On Fri, May 11, 2012 at 2:36 AM, Joe Btfsplk<joebtfsplk@xxxxxxx>  wrote:
Isn't this approach very much a double edged sword?  From the link:
However, we recommend that even users who know how to use NoScript leave
JavaScript enabled if possible, because a website or exit node can easily
distinguish users who disable JavaScript from users who use Tor Browser
bundle with its default settings (thus users who disable JavaScript are less
It may be true that changing settings makes one's profile different, but
from all I've ever read, java script is responsible for more malicious
browser attacks than anything.  That's not so good.
Javascript atacks are, however, out of the scope for anonymity
research. The anonymity set reduction above, while purely theoretical
and of no practical significance, is in that scope. It's a typical
case of project focus shifting priorities to user's disadvantage.
Moreover, if many users turn Javascript off often, it is quite
possible that turning it off offers more (theoretical) anonymity due
to the possibility of fingerprinting users' browser versions by
browsers' respective Javascript quirks.
I'm guessing a large # of above avg to advanced TBB users are turning off js in No Script - at least some times. Problem is, Tor Project has no way of knowing the #s, so no way to quantify (even theoretically) how much it increases their browser uniqueness.

Can someone explain to non-Tor network experts in layman's terms (25 words
or<  ) :D, what exactly some one / entity HAS to be able to do in order to
profile that Joe has java script disabled,&  then be able to tie it to MY
(dynamic) IP address - at * that * moment (an address that could change
anytime), or to me physically, sitting here at 123 Oak St., Bumfk, ND?
It is not possible — anonymity set reduction only shifts your
anonymity towards pseudonymity. I would guess that most browser users
do not need true anonymity, however, and are fine with pseudonymity.

Then, what are the REAL world odds that out of all the exit nodes traffic,
which are constantly changing users, that someone can monitor enough nodes
AND be able to tie it directly to ONE specific person, w/ a real name&
physical address?  Are we talking that any 12 yr old w/ the right, free
software can do this, or "theoretically"?
I don't know if your answers are totally / partly / not correct, but they are similar to my limited understanding & gut feeling. PERHAPS if the adversary is a hostile nation w/ complete monitoring of entire internet traffic, ability to search ALL ISP's records / logs AND resources & inclination to track down one user that has js turned off, because he accessed a "forbidden" web site, the previously posed scenarios might be a threat. I don't know & certainly don't know how hard it would be, even for a nation, devoting those kinds of resources & time. I'm NOT saying it's next to impossible - I'm asking.

Due to the ever increasing electronic internet monitoring activities of LEOs in the U.S., I'm sure most would be surprised at their capabilities. If * * * making changes to TBB settings, addons, etc, poses a REAL risk, it might be a good idea for Tor devs to put a warning in big, red letters on the browser start page & on the Tor Project TBB main & d/l pages. Perhaps links to, in laymans' terms how making any changes from default TBB settings, what so ever, could lead authorities to your door. I'm sincere - if it's that much of a risk, the current info / docs aren't nearly prominent or clear enough. If it's not that much of a REAL risk, that should be explained also - how / when it MIGHT become a real risk.

tor-talk mailing list