[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: browser fingerprinting - panopticlick



7v5w7go9ub0o wrote:
> Andrew Lewman wrote:
>   
>> On 01/29/2010 08:20 PM, 7v5w7go9ub0o wrote:
>>     
>>> As we slowly transition to web 2.0, probably the next step is 
>>> putting the TOR browser in a VM full of bogus, randomized 
>>> userid/sysid/network information - carefully firewalled to allow 
>>> TOR access only (TOR would be running somewhere outside the browser
>>>  VM).
>>>       
>> Already working on that, https://www.torproject.org/torvm/ or pick a
>>  live cd with tor integrated into it.
>>
>>     
>
> Good to see these projects being developed. IIUC, the TORVM is a tor client;
> so the TORVM is designed for easy installation, and perhaps to contain
> any exploit of TOR!?
>
>   
This was one of the design points of Tor VM; to protect Tor by running
it inside a VM, so if your browser in the HOST OS goes bad on you Tor
would be protected inside the VM.

> Guess I was thinking of a different approach: putting Firefox in a VM
> and just letting it go ahead and get crazy with flash, JS, cookies (.. I
> have tired of tweaking NoScript, RequestPolicy, and CS Lite all the
> time.....).   TOR is running in a chroot jail on the "regular" OS,
> connected by network.
>
> JS/Flash will presumably look for unique or geographic information
> within the VM and will get only bogus stuff which is cleaned and
> randomized every few minutes, along with cookies and caches. DNS is
> "unbound", elsewhere on the internal network, and has protection against
> many of the "DNS tricks". FWICT the obtainable network information all
> reflects the virtual Ethernet.
>
>   
You may want to take a look at another project I've had out for a few
months, but haven't really made much light of it.
Chromium Browser VM
http://www.janusvm.com/chromium_vm/

The name says it all.  It's Chromium running inside a VM.  Unlike
traditional VMs, this VM attempts to make the browser feel like a native
application to the HOST OS even though it's running inside the VM.  If
you open a "Incognito" session with Chromium, it does a pretty good job
at protecting your privacy with regards to your history and cookies,
preventing the disclosure of what sites you've visited on the Internet
(tested against JS & CSS).  Check it out.

You can run it in different modes:
- Exported browser display (default)
- Exported browser display with plugins disabled
- Browser in a local X server (inside the VM's window or as a boot CD.)
- Browser in a local X server with plugins disabled (inside the VM's
window or as a boot CD.)
- All the above options + Tor

The ISO is also bootable from a CD-ROM, just burn it, boot it, and
choose a boot option with "Local X Server".  It uses the same drivers
turnkey linux (aka: Ubuntu 8.04).
So it's over kill for driver support from the VM stand point, but it's
good as bootable CD for lots of different hardware vendors.

> Any "infections" would be temporary, as the VM is set to make temporary
> changes only; am using VNC to control it and to transfer any permanent
> data back and forth between it and the "regular" OS.
>
>   
Exactly.  That's why the OS for the VM is in ISO format, so it is
treated the same as a read-only CD.  Everytime you reboot or start up
the VM, you know it's running from a known clean state.
> I suspect others have similar approaches under way!?   It would be nice
> to have a list somewhere of all of the "compromising" files and data
> available to flash/silverlight/JS - by OS - so that those running VMs
> know what to randomize (I presume Linux would be easier to contain than
> Windows).
>
>   
Against the EFF's new fingerprinting tool, this browser VM masks most of
your real attributes, but fails when it comes your screen size. 
Interestingly, the color depth was off and reported 24 when should be
32.  BTW, the performance benchmarks with this browser inside (or
outside) a VM smoke FF and IE hands down.  Kudos to Google. :)


- Kyle
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/