On Mon, Oct 05, 2015 at 02:14:11AM -0700, Spencer wrote:
> The various bits that define your fingerprint.

That only makes sense if you sync your client's requests to TrackHostExitsExpire. The effect on CDNs that stick lots of cookies to you is what happens to the folks in the cloudflare thread: any automatic observer will diagnose these client requests as a defunct scraper and force human interaction proof. Basically, the countermeasure against such behavior is to stick a cookie with a hash of your fingerprint to your browser and deny you as soon as it no longer matches.

If you try to spoof any plugin, you forget that the presence of a plugin is easy to check. Let's assume we spoof the very popular Flash plugin (ewww): the countermeasure is the same as above, a site gives you some .swf with an obfuscated redirector inside. Since you only accept the .swf and discard it, your adversary knows that you fake these bits and denies you again. As soon as you turn on JavaScript, nearly every bit of your browser is easy to verify, and requesting with user-agent A in the HTTP header and stating that appName is B does look a little bit suspicious.

> No need to spoof traffic if using real fingerprint variables.

If you'd read the TBB design doc, you'd understand the choice that was made: using a pretty real and pretty common user-agent, and some measures were added.

> I feel like behavior will address the examples for this argument.

The case that OP describes is that he is using Tor to connect to another semi-public entity (like an open proxy) and likes to hide the fact that he is using Tor/TBB. The only case where that makes sense to me is for trolling sites that aren't available via Tor anymore, where the preference for anonymity is less than trolling those sites, or that is the impression I get.

> True, but we can come up with other ideas than using the public Tor
> exits.

You still can use Tor, the standalone OR, and any browser you like, if you are so unhappy with TBB. The demanded feature makes absolutely no sense for a TBB use case or threat model.
You will notice that if you start to do this, you are uniquely fingerprintable. Just try to trick https://check.torproject.org/ into stating that you are using TBB while using another browser, let's say Chrome, with enabled scripts. You fail to understand that TBB is a convenient solution that is built so humans can circumvent censorship and achieve a pretty high degree of anonymity while using Tor.

If you really must use non-Tor exits, for whatever reason, access them as a hidden service; that makes much more sense. If you can, for example, use only bridges and like to use a VPN to achieve a high degree of privacy to a given endpoint. But since OP uses open proxies, I really doubt he wants/needs some of the features that Tor actually provides. ;)

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
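
Added example, not part of the original message: a sketch of the site-side checks the message describes (cookie holding a hash of the fingerprint, header user-agent versus the script-reported one, and an advertised Flash plugin that never follows the redirect inside the served .swf). The key, the attribute set, the function names and the sample visits are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"            # assumption: per-site secret
FIELDS = ("user_agent", "language", "plugins")  # hypothetical attribute set

def fingerprint_token(report):
    """HMAC-SHA256 over a canonical encoding of the script-reported attributes."""
    canon = json.dumps({k: report.get(k) for k in FIELDS},
                       sort_keys=True, separators=(",", ":"))
    return hmac.new(SERVER_KEY, canon.encode(), hashlib.sha256).hexdigest()

def check_request(header_ua, report, cookie=None, swf_probe_followed=False):
    """Return the reasons a request looks spoofed; an empty list means it passes."""
    reasons = []
    # The HTTP header says A while the script-visible value says B.
    if report.get("user_agent") != header_ua:
        reasons.append("header/script user-agent mismatch")
    # The fingerprint no longer matches the hash stored in the cookie.
    if cookie is not None and not hmac.compare_digest(
            fingerprint_token(report).encode(), cookie.encode()):
        reasons.append("fingerprint differs from cookie")
    # The plugin is advertised, but the redirect inside the served .swf never fired.
    if "Shockwave Flash" in report.get("plugins", []) and not swf_probe_followed:
        reasons.append("advertised plugin did not run probe")
    return reasons

# Constructed sample data, not captured traffic.
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/45.0 Safari/537.36"
FIRST_VISIT = {"user_agent": FIREFOX_UA, "language": "en-US", "plugins": []}
LATER_VISIT = {"user_agent": CHROME_UA, "language": "en-US",
               "plugins": ["Shockwave Flash"]}

if __name__ == "__main__":
    cookie = fingerprint_token(FIRST_VISIT)
    print(check_request(FIREFOX_UA, FIRST_VISIT, cookie))  # consistent client
    print(check_request(FIREFOX_UA, LATER_VISIT, cookie))  # header still claims Firefox
```
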