[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] New methods / research to detect add-ons?


The closest thing I'm aware of to a one-stop-shop to view the factors of your fingerprint would be Valve's fingerprint.js library:


It's definitely not sophisticated enough to meet most Tor users' needs, but it's a good start. It's also well documented and can easily be run locally.

To answer your question:

With this logic, TorBrowser users could select a unique set of add-ons
each session, correct?

It's important to consider TBB's design... which is to make _all_ Tor Browser Bundle users look identical. This provides strong anonymity amongst other TBB users. It does not hide the fact that you're using Tor or the TBB, but attempts to hide you within the group to make each individual difficult to uniquely track. This is also the reason for the recent roll-out of the per-domain circuits, because third-party trackers could collude to correlate traffic and de-anonymize Tor users that way. This is also why Tor Project released the "slider" to pick from a handful of pre-defined security/privacy levels. Because of indirect detection of the myriad of potential browser configurations, individual configurations could inadvertently make people quite unique. So the slider helps to coalesce the potentially huge number of combinations to single digits, assuming that most people will be comfortable with a provided setting.

First, the default configuration of TBB is sufficient to make cross-session fingerprinting and tracking difficult (not impossible, especially if JS is enabled, but that has trade-offs of its own). Installing unique add-ons each session, would make tracking across sessions a little more difficult (albeit probably easier than the default TBB config since you would be, once again, unique...), at the expense of being unique during that session.

That practice would be almost universally discouraged, except perhaps for some imaginative fringe cases.

I think it's well known and understood that "adding add-ons to TBB" = "bad for anonymity", but I'd prefer to know "how bad", instead of just a binary good / bad.

Perhaps this want to know more resonates with others, and will warrant some research if it's not already been undertaken.

All the best,


On 2015-09-29 16:22, Spencer wrote:

Every add-on installed/not installed gives you one more bit of detection.

If [x] records you visiting an internet forum via TBB and
leaking something and detect another visitor with the same 3 bits set
looking for a train schedule, they can verify with a high confidence
you posted that message and live in that area.
That's why it's important that every TBB installation has the same
Http-Header values and same add-ons.

With this logic, TorBrowser users could select a unique set of add-ons
each session, correct?

You don't need any studies, it's simple common knowledge.

I second the request for some documented research, even if we do it
ourselves.  The first thought I had was a way for people to verify
their identity by seeing their fingerprint by visiting a website, or
something close to what others might be looking for, though this could
also be an off-line thing.


pacifica@xxxxxxxxxx wrote:
Hello afternoon / evening / morning tor-talk -- I am hoping that someone
can point me in the right direction. I know it is well-discussed that
adding Firefox add-ons to the Tor Browser Bundle decreases anonymity,
but I would like to review the studies myself. I'm having trouble
finding credible research where detection of add-ons has resulting in a
significant decrease in anonymity... can someone please point me to
those resources?

To be explicit, I am not concerned with "plug-ins" like Java or Flash,
but rather "add-ons" like HTTPS everywhere or Privacy Badger.

Thanks in advance.


tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to