[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] New methods / research to detect add-ons?

On 09/29/2015 12:46 PM, pacifica@xxxxxxxxxx wrote:
> Spencer,
> The closest thing I'm aware of to a one-stop-shop to view the factors 
> of your fingerprint would be Valve's fingerprint.js library:
> https://github.com/Valve/fingerprintjs2
> It's definitely not sophisticated enough to meet most Tor users' 
> needs, but it's a good start. It's also well documented and can easily 
> be run locally.
> To answer your question:
>> With this logic, TorBrowser users could select a unique set of add-ons
>> each session, correct?
> It's important to consider TBB's design... which is to make _all_ Tor 
> Browser Bundle users look identical. This provides strong anonymity 
> amongst other TBB users. It does not hide the fact that you're using 
> Tor or the TBB, but attempts to hide you within the group to make each 
> individual difficult to uniquely track. This is also the reason for 
> the recent roll-out of the per-domain circuits, because third-party 
> trackers could collude to correlate traffic and de-anonymize Tor users 
> that way. This is also why Tor Project released the "slider" to pick 
> from a handful of pre-defined security/privacy levels. Because of 
> indirect detection of the myriad of potential browser configurations, 
> individual configurations could inadvertently make people quite 
> unique. So the slider helps to coalesce the potentially huge number of 
> combinations to single digits, assuming that most people will be 
> comfortable with a provided setting.
> First, the default configuration of TBB is sufficient to make 
> cross-session fingerprinting and tracking difficult (not impossible, 
> especially if JS is enabled, but that has trade-offs of its own). 
> Installing unique add-ons each session, would make tracking across 
> sessions a little more difficult (albeit probably easier than the 
> default TBB config since you would be, once again, unique...), at the 
> expense of being unique during that session.
> That practice would be almost universally discouraged, except perhaps 
> for some imaginative fringe cases.
> I think it's well known and understood that "adding add-ons to TBB" = 
> "bad for anonymity", but I'd prefer to know "how bad", instead of just 
> a binary good / bad.
> Perhaps this want to know more resonates with others, and will warrant 
> some research if it's not already been undertaken.

Perhaps one could identify the two or three extensions that might be 
added (e.g. addblock plus, csfire, flashgot, etc.) and study 
<browserspy.dk> with/without the extensions. This could provide the 
(superficial?) quantification of the effects of the various extensions 
that you seek. (obviously do this in temporary VMs, or reinstall a 
"clean" copy after testing)

> All the best,
> pacifica
> On 2015-09-29 16:22, Spencer wrote:
>> Hi,
>>> aka:
>>> Every add-on installed/not installed gives you one more bit of 
>>> detection.
>>> If [x] records you visiting an internet forum via TBB and
>>> leaking something and detect another visitor with the same 3 bits set
>>> looking for a train schedule, they can verify with a high confidence
>>> you posted that message and live in that area.
>>> That's why it's important that every TBB installation has the same
>>> Http-Header values and same add-ons.
>> With this logic, TorBrowser users could select a unique set of add-ons
>> each session, correct?
>>> You don't need any studies, it's simple common knowledge.
>> I second the request for some documented research, even if we do it
>> ourselves.  The first thought I had was a way for people to verify
>> their identity by seeing their fingerprint by visiting a website, or
>> something close to what others might be looking for, though this could
>> also be an off-line thing.
>> Wordlife,
>> Spencer
>>> pacifica@xxxxxxxxxx wrote:
>>>> Hello afternoon / evening / morning tor-talk -- I am hoping that 
>>>> someone
>>>> can point me in the right direction. I know it is well-discussed that
>>>> adding Firefox add-ons to the Tor Browser Bundle decreases anonymity,
>>>> but I would like to review the studies myself. I'm having trouble
>>>> finding credible research where detection of add-ons has resulting 
>>>> in a
>>>> significant decrease in anonymity... can someone please point me to
>>>> those resources?
>>>> To be explicit, I am not concerned with "plug-ins" like Java or Flash,
>>>> but rather "add-ons" like HTTPS everywhere or Privacy Badger.
>>>> Thanks in advance.
>>>> pacifica

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to