Mirimir:
> With scripts allowed globally, Panopticlick sees another 2-3 bits. I
> suspect that much of the additional information is also the same for all
> Tor browsers, given what I've read about Tor-specific tweaks. If that's
> the case, this isn't a major issue.

That's not necessarily the case. But anyway, the current Panopticlick is
not a good way to test for Tor Browser uniqueness[1] (and see below).

> What is a major issue is the risk of being exploited through a
> JavaScript vulnerability. And that's why I always block scripts.

Note that we disable a bunch of JIT related preferences to mitigate that
risk[2] and are investing efforts in getting hardened builds deployed[3].

> The risk from doing that, of course, is that each user will tend to
> customize their NoScript profile in a distinct way. And that will allow
> websites to tell them apart.
>
> Even so, Panopticlick can't report anything about that. For that, one
> would need a version of Panopticlick that's restricted to assessing and
> comparing Tor browser profiles. Right?

Yes. There are plans for one which is helpful in this regard[4][5].

Georg

[1] https://bugs.torproject.org/6119
[2] https://bugs.torproject.org/9387#comment:17
[3] https://bugs.torproject.org/10599
[4] https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick
[5] https://lists.torproject.org/pipermail/tor-dev/2014-March/006486.html
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk