On 7/28/2014 3:34 PM, Craw wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thank you for your answer!
I've just thought a bit about various methods to prevent
fingerprinting browser profile (incl. UA/screen resolution/time
zone/fonts/etc.), and here is two ways I've found:
a) all tor-users have the same browser profile
b) all tor-users have random temporary browser profile
In my opinion our current strategy to reduce among all tor-users
fingerprintable differences is correct. In such case the only that can
an attacker do to determine one user from other is their Tor IP
address, but if you will often change between them it becomes
impossible for the attacker.
And for variant b), it's much easier to do. A lot of users connect to
web-sites from one exit-relay and have the same Tor IP address, but
different profiles. So even if you will randomly generate new profile
every minute, you have your unique profile so the attacker can easily
determine: this actions made by different users. In contrary, when
everybody has the same profile, it's much harder to do.
This is all interesting, but I'm still concerned that the use / non use
/ intermittent use of java script still stares TBB users in the face.
And it seems like the family secret no one wants to discuss.
As outlined in the TBB FAQ, there are distinct drawbacks - no matter how
js is approached.
Whether it's always allowed, (almost) never allowed, or configured per
site - all 3 have distinct cons.
One problem is, there's no "ruling" from Tor devs. One reason for that
is disabling it breaks lots of sites.
But unless the MUCH greater amount of fingerprinting data that's
available when JS * IS * enabled is not enough to be concerned about (I
can't imagine that), then it may not matter how well * some *other data
are concealed.
Plus, unless you go to only a few sites that require no JS, you have to
turn it on - at least some.
But, enabling JS allows sites to get FAR more info & allows trackers to
compare that fingerprint to other sites you visit (unless you change the
fingerprint between each site).
And supposedly leaving JS off (if possible) distinguishes you from other
TBB users that leave NoScript at the default setting.
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
