[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Making TBB undetectable!

On Mon, Oct 05, 2015 at 02:14:11AM -0700, Spencer wrote:
> The various bits that define your fingerprint.

That makes only sense if you sync your clients requests
to TrackHostExitsExpire, the effect on CDNs that stick
lots of cookies to you, is that what happens to the folks
in the cloudflare thread, any automatic observer will
diagnose these clients requests for a defunct scraper
and force human interaction proof.

Basically, the countermeasure against such behavior is
to stick a cookie with an hash of your fingerprint
to your browser and deny you, as soon as it no longer

If you try to spoof any plugin, you forget that, the
presence of a plugin is easy to check, lets assume
we spoof the very popular flashplugin (ewww):
The countermeasure is the same as above, a site
gives you some .swf with a obfuscated redirector inside.
Since you only accept the .swf and discard it your
adversary knows that you fake this bits and denies
you again.

As soon as you turn on javascript, nearly every bit
of your browser is easy to verify, and requesting
with user-agent A in the http-header and stating
that appName is B does look a little bit suspicious.

> No need to spoof traffic if using real fingerprint variables.

If you'd read the TBB design doc, you'd understand that the
choice that was made, using a pretty real and pretty common
user-agent, and some measures were added.

> I feel like behavior will address the examples for this argument.

The case, that OP describes, is that he is using tor to connect
to another semi-public entity (like an open proxy) and likes
to hide the fact, that he is using Tor/TBB.

The only case, were that makes sense to me is for trolling sites,
that aren't available via Tor anymore, were the preference for
anonymity is less than trolling those sites, or that is the
impression I get.
> True, but we can come up with other ideas than using the public Tor 
> exits.

You still can use tor, the standalone OR, and any browser you
like, if you are so unhappy with TBB. The demanded feature makes
absolutly no sense for a TBB usecase or threatmodel.

You will notice, that if you start to do this, you are uniquely
fingerprintable just try to trick the
https://check.torproject.org/ in stating that you are using
TBB while using another browser, lets say Chrome, with
enabled scripts.

You fail to understand that TBB is a convenient solution,
that is build so humans can circumvent censorship and
achieve a pretty high degree in anonymity while using Tor.

If you really must use non-tor exits, for whatever reason,
access them as a hidden-service, that makes much more sense. 
If you can, for example, use only bridges and like to use
a vpn to achieve a high degree of privacy to a given endpoint.

But since OP uses open proxies, I really doubt he wants/needs some
of the features that Tor actually provides. ;)
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to