
[tor-talk] Spoofing a browser profile to prevent fingerprinting



Hello everybody,

You know, there are various methods of fingerprinting a browser.
Plugins and plugin-provided information are still the most useful in
uniquely identifying a browser, but there is also other
information that can be used to fingerprint a Tor user, like user
agent, screen resolution, time zone, etc.

I think it can be helpful to spoof the real browser profile with a random
temporary one. Each browser profile includes the user agent (browser
name/version), platform (OS name/version), screen resolution, and time
zone (depends on the country of the exit relay, so, perhaps, a mismatch
can cause suspicion?). So, my suggestion is to generate a random browser
profile during each identity session, or randomly switch them after a
chosen period of time has expired. By doing this, some important info
about users will be unreachable for an attacker and fingerprinting
will be more difficult.
Here's a link to the open-source repository of a Firefox add-on whose code
we can use for Tor Browser -
https://github.com/dillbyrne/random-agent-spoofer

I also suggest to:
- forbid HTML5 Canvas by default
(http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf)
- use only a standard font set (can be used for fingerprinting)
- set the network.http.sendRefererHeader value to "0" by default (allows
sites to track referer, but some sites can be broken! add the ability to
switch on/off referer?)

Let me know your thoughts.
Looking forward to hearing from you, Pavel.
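
The per-session profile idea from the message above, as an added example; it is not part of the original post and is not code from random-agent-spoofer or Tor Browser. It keeps user agent, platform and screen size consistent with each other and derives the time zone from the exit country; the profile list, the country table and all function names are assumptions constructed for illustration.

```javascript
// Constructed sample data: each entry keeps user agent, platform and screen
// sizes mutually consistent. Illustrative values, not a maintained list.
const PROFILES = [
  { userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    platform: "Win32", screens: [[1366, 768], [1920, 1080]] },
  { userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0",
    platform: "Linux x86_64", screens: [[1280, 1024], [1920, 1080]] },
  { userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0",
    platform: "MacIntel", screens: [[1280, 800], [1440, 900]] },
];
// Constructed, simplified table: exit country -> plausible values of
// Date.prototype.getTimezoneOffset() (minutes, standard time only).
const TZ_BY_EXIT = { DE: [-60], JP: [-540], US: [300, 360, 420, 480] };

// Uniform integer in [0, n); uses the platform CSPRNG when present.
function randInt(n) {
  const c = globalThis.crypto;
  if (!c || !c.getRandomValues) return Math.floor(Math.random() * n);
  const limit = Math.floor(0x100000000 / n) * n; // reject to avoid modulo bias
  const buf = new Uint32Array(1);
  do { c.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}
const pick = (list, rand) => list[rand(list.length)];

// Build one coherent profile; the time zone follows the exit country.
function generateProfile(exitCountry, rand = randInt) {
  const base = pick(PROFILES, rand);
  const [width, height] = pick(base.screens, rand);
  const zones = TZ_BY_EXIT[exitCountry] || [0]; // unknown exit: fall back to UTC
  return { userAgent: base.userAgent, platform: base.platform,
           width, height, timezoneOffset: pick(zones, rand) };
}
// Holds one profile per identity session and replaces it after maxAgeMs.
class ProfileSession {
  constructor(maxAgeMs, rand = randInt) {
    this.maxAgeMs = maxAgeMs; this.rand = rand; this.profile = null; this.born = 0;
  }
  newIdentity(exitCountry, now = Date.now()) {
    this.profile = generateProfile(exitCountry, this.rand);
    this.exit = exitCountry; this.born = now;
    return this.profile;
  }
  current(now = Date.now()) {
    if (!this.profile) throw new Error("call newIdentity() first");
    if (now - this.born >= this.maxAgeMs) return this.newIdentity(this.exit, now);
    return this.profile;
  }
}
```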
