Re: [tor-talk] New methods / research to detect add-ons?
On 09/29/2015 12:46 PM, pacifica@xxxxxxxxxx wrote:
> Spencer,
>
> The closest thing I'm aware of to a one-stop-shop to view the factors
> of your fingerprint would be Valve's fingerprint.js library:
>
> https://github.com/Valve/fingerprintjs2
>
> It's definitely not sophisticated enough to meet most Tor users'
> needs, but it's a good start. It's also well documented and can easily
> be run locally.
>
> To answer your question:
>
>> With this logic, TorBrowser users could select a unique set of add-ons
>> each session, correct?
>
> It's important to consider TBB's design... which is to make _all_ Tor
> Browser Bundle users look identical. This provides strong anonymity
> amongst other TBB users. It does not hide the fact that you're using
> Tor or the TBB, but attempts to hide you within the group to make each
> individual difficult to uniquely track. This is also the reason for
> the recent roll-out of the per-domain circuits, because third-party
> trackers could collude to correlate traffic and de-anonymize Tor users
> that way. This is also why Tor Project released the "slider" to pick
> from a handful of pre-defined security/privacy levels. Because of
> indirect detection of the myriad of potential browser configurations,
> individual configurations could inadvertently make people quite
> unique. So the slider helps to coalesce the potentially huge number of
> combinations to single digits, assuming that most people will be
> comfortable with a provided setting.
>
> First, the default configuration of TBB is sufficient to make
> cross-session fingerprinting and tracking difficult (not impossible,
> especially if JS is enabled, but that has trade-offs of its own).
> Installing unique add-ons each session would make tracking across
> sessions a little more difficult (albeit probably easier than the
> default TBB config since you would be, once again, unique...), at the
> expense of being unique during that session.
>
> That practice would be almost universally discouraged, except perhaps
> for some imaginative fringe cases.
>
> I think it's well known and understood that "adding add-ons to TBB" =
> "bad for anonymity", but I'd prefer to know "how bad", instead of just
> a binary good / bad.
>
> Perhaps this want to know more resonates with others, and will warrant
> some research if it's not already been undertaken.
>
Perhaps one could identify the two or three extensions that might be
added (e.g. Adblock Plus, CsFire, FlashGot, etc.) and study
<browserspy.dk> with/without the extensions. This could provide the
(superficial?) quantification of the effects of the various extensions
that you seek. (Obviously do this in temporary VMs, or reinstall a
"clean" copy after testing.)

> All the best,
>
> pacifica
>
> On 2015-09-29 16:22, Spencer wrote:
>> Hi,
>>
>>>
>>> aka:
>>> Every add-on installed/not installed gives you one more bit of
>>> detection.
>>>
>>> If [x] records you visiting an internet forum via TBB and
>>> leaking something and detect another visitor with the same 3 bits set
>>> looking for a train schedule, they can verify with a high confidence
>>> you posted that message and live in that area.
>>> That's why it's important that every TBB installation has the same
>>> Http-Header values and same add-ons.
>>>
>>
>> With this logic, TorBrowser users could select a unique set of add-ons
>> each session, correct?
>>
>>>
>>> You don't need any studies, it's simple common knowledge.
>>>
>>
>> I second the request for some documented research, even if we do it
>> ourselves. The first thought I had was a way for people to verify
>> their identity by seeing their fingerprint by visiting a website, or
>> something close to what others might be looking for, though this could
>> also be an off-line thing.
>>
>> Wordlife,
>> Spencer
>>
>>
>>
>>
>>> pacifica@xxxxxxxxxx wrote:
>>>> Hello afternoon / evening / morning tor-talk -- I am hoping that
>>>> someone can point me in the right direction. I know it is
>>>> well-discussed that adding Firefox add-ons to the Tor Browser Bundle
>>>> decreases anonymity, but I would like to review the studies myself.
>>>> I'm having trouble finding credible research where detection of
>>>> add-ons has resulted in a significant decrease in anonymity... can
>>>> someone please point me to those resources?
>>>>
>>>> To be explicit, I am not concerned with "plug-ins" like Java or Flash,
>>>> but rather "add-ons" like HTTPS everywhere or Privacy Badger.
>>>>
>>>> Thanks in advance.
>>>>
>>>> pacifica
>
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
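
Added example (not part of the original thread): a sketch of the with/without-extension comparison suggested above, turning the "one more bit" argument into a number. The snapshots, extension names (`ext_a` etc.), adoption fractions and population size are constructed assumptions, not measurements, and the extensions are assumed to be installed independently of one another.

```python
import math

# Constructed snapshots: attribute -> value as a fingerprint test page might
# report it in a clean VM. Placeholder values, not measured data.
BASELINE = {"user_agent": "UA-default", "blocked_ad_probe": False,
            "injected_dom_nodes": 0, "screen": "1000x600"}
WITH_EXT = {
    "ext_a": {**BASELINE, "blocked_ad_probe": True},
    "ext_b": {**BASELINE, "injected_dom_nodes": 2},
    "ext_c": dict(BASELINE),  # nothing observable changes in these attributes
}
# Assumed fraction of the browser population running each extension.
ADOPTION = {"ext_a": 0.05, "ext_b": 0.01, "ext_c": 0.02}


def changed_attributes(baseline, snapshot):
    """Attributes whose value differs between the two snapshots."""
    keys = baseline.keys() | snapshot.keys()
    return sorted(k for k in keys if baseline.get(k) != snapshot.get(k))


def surprisal_bits(p):
    """Bits revealed by an observation shared by a fraction p of users.

    Exactly one bit only when p == 0.5; a rarer extension reveals more.
    """
    return -math.log2(p)


def assess(installed, population):
    """Return (detectable extensions, total bits, expected anonymity set)."""
    detectable = [e for e in installed
                  if changed_attributes(BASELINE, WITH_EXT[e])]
    # Independence assumption: bits from separate extensions add up.
    bits = sum(surprisal_bits(ADOPTION[e]) for e in detectable)
    return detectable, bits, population * 2 ** -bits


if __name__ == "__main__":
    for combo in (["ext_c"], ["ext_a"], ["ext_a", "ext_b"]):
        names, bits, size = assess(combo, 100_000)
        print(f"{combo}: detectable={names} bits={bits:.2f} set~{size:.0f}")
```

An extension that changes no observed attribute costs nothing in this model, while two rare detectable ones shrink an assumed population of 100,000 to an expected set of about 50.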