On Mon, Oct 05, 2015 at 03:47:35PM -0700, Spencer wrote:
> Yes, but discrimination is unsupported and avoidable.

Discrimination happens between you and your endpoint, not between you and Tor. It may be that an exit discriminates, if you request a destination port that isn't available on some exits. Tor tries to find an exit that allows it. The exit policies are basically there to protect you from doing stupid things, or to give relay operators the opportunity of running relays in environments that impose restrictions on them. I operate some little meshy public wifi for homeless people and I have the same restrictions in place, less cleartext protocols and you can't use smtp on port 25. Since I offer only location-based access to "proven" homeless people, I have less complications. The Tor-Network basically exonerates itself, without compromising the users' anonymity.

> > If you try to spoof
> No spoof.

Well, then let's call it masquerading. You just add bits to the fingerprint occasionally: Bad idea. Can be done without TBB already.

> > If you'd read the TBB design doc,
> Quite the presumption :(

Well, you understand the rationale behind the decision the TBB developers made and I don't need to elaborate.

> And as a result, Tor Browser owns up to its ID with no spoofing, as Tor
> Browser users appear as Tor Browser users.

Yeah, and that is awesome, because I can clearly distinguish between Tor users and defunct scrapers, and Tor users that are using proxy chains or proxy cascades, to circumvent policies that the exit-operators/Tor impose on them. Also awesome for me, and for you too, in case you accidentally use cleartext protocols.

> Or using the internet. What if the OP is tired of being rejected from
> visiting sites due to IP badlists and uses said proxy to appear like a
> clearnet user so as not to be restricted. Google products (except for
> Google Images) require this. Ix Quick and Startpage feature this.

Tor isn't responsible for that, it's a problem between your endpoint and you, not between you and Tor.
I can't say much about specific services, but ixquick and startpage work flawlessly for me, maybe OP should stop using open proxies and re-evaluate his situation with TBB only? May use the "New Identity Button" more often? For services that really limit you, you basically limit yourself to that service, so you are barking up the wrong tree imho. Tor doesn't entitle you to use a specific service, it provides an anonymized connection - that's another basic misconception from you both. So nothing to really discuss here.

> Discussed

It would be a discussion, if it would present something. You both basically annoy/complain or insist without presenting anything at all. There are no technical specifics, nor any argument, theory, proposal or proof that your basic idea to implement an array of changes into TBB gives anybody any advantage, it could be discussed like this (that is what I added earlier):

"By syncing the User-Agent to TrackHostExitsExpire we can further thwart detection rates for TBB's http requests. Find attached a patch for the plugin, that communicates state-information from the user's cookies, stored in litesql, via the control-port to Tor's circuit establishing and reuse logic. Also, included is a patch for TBB that implements behavior and responses for current mainstream browsers on major operating systems allowing TBB to exhibit the same behavior when used with TLS and three new javascript engines, to normalize the internal behavior and thwart timing attacks against the current."

And I'd argue: Nice proposal, you can still detect Tor by matching the originating IP against the table of known exit nodes, so there is not really a benefit to that, it is just adding more crap to the browser.

And you/your co-proponent say: Yeah, we also have and use proxy chains.

As elaborated before that makes you more trackable, and basically I think the exit-ports policies are there, because the exit operators put them there, so why circumvent them?
The only result, as many have pointed out, is less anonymity. You both are stating: Well we can't look at cat pictures anymore. That is what I recall. Basically, no rationale why using proxies. You can use them without tor, if you don't need the censorship circumvention property. The result in privacy in relation to the endpoint is the same.

> Will you link to the use cases and threat models in the documentation?

Anonymity online and censorship circumvention, the threat model is the same for Tor. FYI, TBB is only a browser that is more hardwired to Tor and a plugin. If you haven't read the many specs: https://gitweb.torproject.org/

> > You fail to understand
> Fail often to succeed sooner :)

The yoda voice in my head says: On failing much he focuses a lot. I feel like Obi Wan when discussing young Skywalker, and we both know where that ended. Anyway, a lame excuse, try being part of the solution instead of the problem. Basically you both blame either Tor for something that is an agreement between you and your endpoint. Or, anonymous folks abuse Tor with the consequence you can't access a service via Tor. Which isn't solvable with pleasantries or easiness. If you continue that thought, you start arguing for backdoors in Tor pretty soon. BTDT.

> My thought is that this is being mentioned in multiple places and, if
> there is any merit to undetectability, we should challenge it fully to
> see; not settle with what we have and use "good enough" as an argument.
> I suggested a formal proposal as the next step.

The misconception or flaw is that you believe there is something like stealth internet, or more stealth internet. You also fail to comprehend that the detected anonymity is what Tor users want to achieve. Even with malicious exits, rogue bridges and compromised middles, it is still pretty hard to correlate traffic from Tor to individual users. Most users want exactly that property, and are often fine with the restrictions.
On the other hand, there is no need to use Tor 24/7. I recommend understanding Kerckhoffs's Law and Zooko's Triangle, that methods of being secretive have to work, even if they are fully understood (by an adversary) and that there are situations where you can't have all the properties you want, you choose the most meaningful. What Tor and TBB achieve, I know every node in the network, still all users are anonymous to me. Hidden service names are best described clunky, but there is lots of potential for distributed, decentralized approaches with them.

Your idea may work for a short timeframe, that's the best case, until an adversary figures out how it works, he will then deny you again and again, you adding bits to anonymity again and again. A futile and ill-conceived idea, or another perspective on that, all the easy problems have already been solved. TBB is more or less the icing. What you both want or are trying to achieve and propose is possible by using Tor with a browser of your choice, let's assume Firefox and addons that make little changes, should be perfectly fine for your idea of less anonymity. You should re-read your Knuth, the part about optimizing and the prematureness of it, along with the original proposals against fingerprinting and adding bits to it (which is basically what you try to do).

Also https://trac.torproject.org/projects/tor has a lot of ideas for you, basically
https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor
https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor

I'd recommend to write a patch instead of a proposal, if you really find a solution, but since https://git.torproject.org/tor-browser.git can't be cloned at the moment I am not doing this.

On another note, you are imposing yourself onto a service that may have chosen not to work with Tor, maybe you should iterate about that too and which implications your actions would have to other participants or the network?
I really feel you both are falling short on that angle.

Cheers.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
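
The exit-policy behaviour the message describes (a destination port not being available on some exits, and an exit that allows it being chosen instead), as an added example that is not part of the original post and is not Tor's own code. Relay names, policies and the destination address are constructed; only IPv4 `accept`/`reject` lines are handled, and a destination that matches no rule is treated as accepted.

```python
import ipaddress


def parse_rule(line):
    """Parse 'accept|reject ADDR[/MASK]:PORT[-PORT]' into (allow, network, lo, hi)."""
    action, pattern = line.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action: {action}")
    addr, _, ports = pattern.rpartition(":")
    # '*' matches any address; otherwise an IPv4 address or CIDR block.
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-"))
    else:
        lo = hi = int(ports)
    return action == "accept", network, lo, hi


def policy_allows(rules, dest_ip, dest_port):
    """Rules are checked in order; the first matching rule decides."""
    ip = ipaddress.ip_address(dest_ip)
    for allow, network, lo, hi in rules:
        if (network is None or ip in network) and lo <= dest_port <= hi:
            return allow
    return True  # assumption of this example: nothing matched, so accept


def usable_exits(exits, dest_ip, dest_port):
    """Names of the exits whose policy permits dest_ip:dest_port."""
    return [name for name, policy in exits.items()
            if policy_allows([parse_rule(r) for r in policy], dest_ip, dest_port)]


# Constructed relay names and policies, for illustration only.
SAMPLE_EXITS = {
    "web-only": ["accept *:80", "accept *:443", "reject *:*"],
    "no-smtp": ["reject *:25", "reject 10.0.0.0/8:*", "accept *:*"],
    "ssh-mail": ["accept *:22", "accept *:993", "accept *:465", "reject *:*"],
    "non-exit": ["reject *:*"],
}

if __name__ == "__main__":
    for port in (443, 25, 993):
        print(port, usable_exits(SAMPLE_EXITS, "203.0.113.10", port))
```

With these sample policies no exit carries port 25, which is the operator-side restriction the message refers to, while ports 443 and 993 each still have two candidate exits.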