[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor Browser disabling Javascript anonymity set reduction



Thus spake Maxim Kammerer (mk@xxxxxx):

> On Mon, May 14, 2012 at 12:26 AM, Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:
> > I do *not* believe we can capture that userbase if we ship a
> > JS-disabled-by-default browser.
> 
> First, I would like to say that I agree that Javascript and other
> popular features (e.g., CSS, HTML5 video) need to be enabled by
> default, since this is what the users expect. It is not 1995 outside,
> and regular web browsing should include the usual capabilities
> expected of it. Not talking here about non-standard, insecure and
> outdated hacks like Flash that need to die, of course.
> 
> All these frequent discussions about Javascript etc., however, revolve
> around an inherent conflict of interest. You (in general â i.e., the
> Tor project) want to attract a large userbase that will benefit the
> Tor network as a whole, and yet there is a sizable core group of users
> who require strong anonymity (not pseudonymity). Yet, by actually
> defining the anonymity set as one using those popular features, you
> basically force that core group to shift from anonymity towards
> pseudonymity once they selectively or completely block Javascript,
> install ad blockers, disable HTML5 extensions, etc. All that while the
> large userbase you want to bring in would be content with
> pseudonymity, yet you do not want them to block ads, for instance.

Well, I don't buy the "we force pseudonymity" argument. I don't believe
that there are that many bits in the CSS and JS fingerprinting vectors
that remain to segment a sizeable userbase size.

If by some chance so few people actually use Tor Browser today that
there *are* enough bits right now, I'd rather focus on growing the
userbase size, instead.

> So why not provide two profiles for the groups? I.e., a Torbutton-like
> interface, but one switching between the two profiles. The regular
> profile is as TBB is now, with a whitelist of approved addons (like
> Ad-Block Plus, I guess), which can update and change their internal
> state (e.g., filter lists) whenever they want. The hardcore profile
> uses a carefully restricted subset of HTML, CSS, Javascript, etc.,
> with a hard-coded list of addons and their internal state. If some
> site doesn't work, the user has a choice to switch to the normal
> profile, but will in that case be aware that his anonymity is most
> likely less anonymous and more pseudonymous now.

I believe you're pretty much going to be left with a fancy browser UI
dressing up something functionally equivalent to lynx (or worse) here,
man.

But if the community wants to step up and implement it for us, I could
see adding a "Text mode browsing" radio button to the 4 options we plan
to transform the Torbutton interface into:
https://trac.torproject.org/projects/tor/ticket/3100

Maybe we can launch a lynx window for you if you click that (if it's
installed).

Otherwise, "patches welcome".

> Otherwise, this continuous patching of an inherently non-anonymous
> solution seems like a task of Sisyphus to me. Consider a site that
> follows user's mouse movement and other unique behavior, and then
> classifies users by that data, for instance. Once some grad student
> implements this approach, and thousands of sites adopt it as a
> reliable fingerprinting technique, what will you do?

Laugh, probably. Academia has a penchant for misrepresenting statistical
results by using small sample sizes and artificially contrived
experiments that make their papers look sexy. Natural consequence of
"pubish or perish" coupled with limited peer review, closed-source
implementations, and unreproducible results. 

But more seriously, Javascript is effectively a VM which is now fully
under our control. From a technical perspective, there's not much there
we can't alter with full control of the browser. We might make mistakes
and/or miss things, but that is the nature of software engineering. We
need better processes in place to deal with that. (We're actively
working on that part. Stay tuned).

However, from a programmer resource perspective, I'm a tad overbooked
(putting it mildly). But that doesn't exactly make me want to jump up
and spend my limited time supporting a text-only mode to browse the web,
either.

I'd rather fix the real problems.


-- 
Mike Perry

Attachment: signature.asc
Description: Digital signature

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk