
Re: browser fingerprinting - panopticlick



Kyle Williams wrote:
7v5w7go9ub0o wrote:
Andrew Lewman wrote:

On 01/29/2010 08:20 PM, 7v5w7go9ub0o wrote:

As we slowly transition to web 2.0, probably the next step is putting the TOR browser in a VM full of bogus, randomized userid/sysid/network information - carefully firewalled to allow TOR access only (TOR would be running somewhere outside the browser VM).

Already working on that, https://www.torproject.org/torvm/ or pick a live cd with tor integrated into it.


Good to see these projects being developed. IIUC, the TORVM is a tor client; so the TORVM is designed for easy installation, and perhaps to contain any exploit of TOR!?


This was one of the design points of Tor VM; to protect Tor by running it inside a VM, so if your browser in the HOST OS goes bad on you Tor would be protected inside the VM.

Guess I was thinking of a different approach: putting Firefox in a VM and just letting it go ahead and get crazy with flash, JS, cookies (.. I have tired of tweaking NoScript, RequestPolicy, and CS Lite all the time.....). TOR is running in a chroot jail on the "regular" OS, connected by network.

JS/Flash will presumably look for unique or geographic information
within the VM and will get only bogus stuff which is cleaned and randomized every few minutes, along with cookies and caches. DNS is "unbound", elsewhere on the internal network, and has protection against many of the "DNS tricks". FWICT the obtainable network information all reflects the virtual Ethernet.


You may want to take a look at another project I've had out for a few
months, but haven't really made much light of it. Chromium Browser VM http://www.janusvm.com/chromium_vm/

The name says it all. It's Chromium running inside a VM. Unlike traditional VMs, this VM attempts to make the browser feel like a native application to the HOST OS even though it's running inside the VM. If you open an "Incognito" session with Chromium, it does a pretty good job at protecting your privacy with regards to your history and cookies, preventing the disclosure of what sites you've visited on the Internet (tested against JS & CSS). Check it out.

You can run it in different modes:
- Exported browser display (default)
- Exported browser display with plugins disabled
- Browser in a local X server (inside the VM's window or as a boot CD.)
- Browser in a local X server with plugins disabled (inside the VM's window or as a boot CD.)
- All the above options + Tor

The ISO is also bootable from a CD-ROM, just burn it, boot it, and choose a boot option with "Local X Server". It uses the same drivers as Turnkey Linux (aka: Ubuntu 8.04). So it's overkill for driver support from the VM standpoint, but it's good as a bootable CD for lots of different hardware vendors.


Dang!   This makes a lot of sense! A fast, "throwaway" browser, quickly
(instantly?) reloaded in a virgin state - as opposed to the traditional
approach of a heavily-protected Firefox remaining in memory for a while.

As you know, on Linux one simply QEMU/KVMs the .iso on storage; dead easy.

I'd guess there is reluctance to try it, as many believe that Google is
satan and fear that there is home-phoning to the "cloud" going on with
Chromium. Of course, running it in a well-firewalled, standardized VM
may render that information meaningless, and any reporting outside of
TOR impossible.


Against the EFF's new fingerprinting tool, this browser VM masks most
of your real attributes, but fails when it comes to your screen size. Interestingly, the color depth was off and reported 24 when it should be 32. BTW, the performance benchmarks with this browser inside (or outside) a VM smoke FF and IE hands down. Kudos to Google. :)

Got a copy; gonna give it a try!

(FWIW, Have had good luck with a hardened-Gentoo FF QEMU/KVM VM, except
for graphics which suck. Once they/I figure out how to get GPU
pass-through, I'll do routine browsing - including flash/silverlight
streaming - in it. IIUC chromium does html5 video; will see if I can
get some html5 pass-through video streaming out of your .iso (though,
obviously, not through TOR).)


