[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Tor Project Idea | GSOC 2015 | Panopticlick | fake fingerprint



Hi Rohit,

Please check the ticket #11949 and the comment by Georg:
https://trac.torproject.org/projects/tor/ticket/11949#comment:1

TL;DR research on the advantages of randomization over the current
approach (making everyone look like same) may be useful before starting
with the actual implementation.

Also, please check this thread on the limitations of JS hooks:
https://lists.torproject.org/pipermail/tbb-dev/2014-June/000073.html

You can fool some fingerprinters by spoofing browser properties but more
advanced scripts can easily uncover the real browser/device attributes
by checking specific functionality [1] or using "side-channels" [2].

[1] see, "Evolution of functionality" subsection on
https://seclab.cs.ucsb.edu/media/uploads/papers/sp2013_cookieless.pdf#page=10

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=418986, see, esp.
Camillo's test vectors.

Gunes

On 02/12/2015 06:12 PM, l.m wrote:
> Hi,
> 
> For anonymous scraping it could certainly be useful. This poses a
> problem as far as making Tor Project look as if it supports autonomous
> anonymous scraping of web data. Ultimately this impression could lead to
> even more blocking of Tor exits. Another problem with the idea of a
> randomized fingerprint is that it breaks useability. It might be great
> for scraping but web sites rely on knowing some of those parameters for
> proper display. Finally it's worth mentioning that the goal of TBB
> fingerprinting is to reduce entropy within TBB's user base. A random
> fingerprint violates this constraint.
> 
> I'm not commenting on gsoc eligibility
+1
--just that it's an edge case
> which will lead to blocking of Tor's exits. If more exit get blocked
> then you cannot scrape.
> 
> --leeroy
> 
> 
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
> 

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev