[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Tor Project Idea | GSOC 2015 | Panopticlick | fake fingerprint

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Tor Project Idea | GSOC 2015 | Panopticlick | fake fingerprint
From: Gunes Acar <gunes.acar@xxxxxxxxxxxxxxxx>
Date: Thu, 12 Feb 2015 18:48:40 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 12 Feb 2015 12:49:49 -0500
In-reply-to: <20150212171244.131F8A0112@xxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <20150212171244.131F8A0112@xxxxxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.4.0

Hi Rohit,

Please check the ticket #11949 and the comment by Georg:
https://trac.torproject.org/projects/tor/ticket/11949#comment:1

TL;DR research on the advantages of randomization over the current
approach (making everyone look like same) may be useful before starting
with the actual implementation.

Also, please check this thread on the limitations of JS hooks:
https://lists.torproject.org/pipermail/tbb-dev/2014-June/000073.html

You can fool some fingerprinters by spoofing browser properties but more
advanced scripts can easily uncover the real browser/device attributes
by checking specific functionality [1] or using "side-channels" [2].

[1] see, "Evolution of functionality" subsection on
https://seclab.cs.ucsb.edu/media/uploads/papers/sp2013_cookieless.pdf#page=10

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=418986, see, esp.
Camillo's test vectors.

Gunes

On 02/12/2015 06:12 PM, l.m wrote:
> Hi,
> 
> For anonymous scraping it could certainly be useful. This poses a
> problem as far as making Tor Project look as if it supports autonomous
> anonymous scraping of web data. Ultimately this impression could lead to
> even more blocking of Tor exits. Another problem with the idea of a
> randomized fingerprint is that it breaks useability. It might be great
> for scraping but web sites rely on knowing some of those parameters for
> proper display. Finally it's worth mentioning that the goal of TBB
> fingerprinting is to reduce entropy within TBB's user base. A random
> fingerprint violates this constraint.
> 
> I'm not commenting on gsoc eligibility
+1
--just that it's an edge case
> which will lead to blocking of Tor's exits. If more exit get blocked
> then you cannot scrape.
> 
> --leeroy
> 
> 
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
> 

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Tor Project Idea | GSOC 2015 | Panopticlick | fake fingerprint
  - From: Rohit Dua

References:
- Re: [tor-dev] Tor Project Idea | GSOC 2015 | Panopticlick | fake fingerprint
  - From: l.m

Prev by Author: Re: [tor-dev] Research repository [was: Master's Thesis]
Next by Author: Re: [tor-dev] Best way to client-side detect Tor user without using check.tpo ?
Previous by thread: Re: [tor-dev] Tor Project Idea | GSOC 2015 | Panopticlick | fake fingerprint
Next by thread: Re: [tor-dev] Tor Project Idea | GSOC 2015 | Panopticlick | fake fingerprint
Index(es):
- Author
- Thread