[tor-talk] Spoofing a browser profile to prevent fingerprinting

Aymeric Vitte vitteaymeric at gmail.com
Tue Jul 29 09:00:13 UTC 2014


I think the issue is quasi unsolvable, unless you request "the Web" to 
revert to something clean and remove whatever it has invented to track 
and fingerprint you, that's not really an issue about js, that's an 
issue about major specifications led by major companies specifying 
what fits their needs.

Or unless you use something like http://www.ianonym.com, it was designed 
to defeat all forms of tracking/fingerprinting with the fake domain 
concept and hide your destination even with https.

Since it takes control over the whole web page, the js interactions are 
sandboxed with a script to "tame" the page, a prototype was working but 
maybe it's a bit too complicated...

Regards


On 29/07/2014 02:10, Joe Btfsplk wrote:
> On 7/28/2014 3:34 PM, Craw wrote:
>> Thank you for your answer!
>>
>> I've just thought a bit about various methods to prevent
>> fingerprinting browser profile (incl. UA/screen resolution/time
>> zone/fonts/etc.), and here are two ways I've found:
>>
>> a) all tor-users have the same browser profile
>> b) all tor-users have random temporary browser profile
>>
>> In my opinion our current strategy to reduce fingerprintable
>> differences among all tor-users is correct. In such a case the only
>> thing that an attacker can use to determine one user from another is
>> their Tor IP address, but if you often change between them it becomes
>> impossible for the attacker.
>> And for variant b), it's much easier to do. A lot of users connect to
>> web-sites from one exit-relay and have the same Tor IP address, but
>> different profiles. So even if you randomly generate a new profile
>> every minute, you have your unique profile so the attacker can easily
>> determine: these actions were made by different users. On the contrary,
>> when everybody has the same profile, it's much harder to do.
>>
>>
> This is all interesting, but I'm still concerned that the use / non 
> use / intermittent use of JavaScript still stares TBB users in the face.
>
> And it seems like the family secret no one wants to discuss.
> As outlined in the TBB FAQ, there are distinct drawbacks - no matter 
> how js is approached.
> Whether it's always allowed, (almost) never allowed, or configured per 
> site - all 3 have distinct cons.
>
> One problem is, there's no "ruling" from Tor devs.  One reason for 
> that is disabling it breaks lots of sites.
>
> But unless the MUCH greater amount of fingerprinting data that's 
> available when JS *IS* enabled is not enough to be concerned about 
> (I can't imagine that), then it may not matter how well *some* other 
> data are concealed.
> Plus, unless you go to only a few sites that require no JS, you have 
> to turn it on - at least some.
> But, enabling JS allows sites to get FAR more info & allows trackers 
> to compare that fingerprint to other sites you visit (unless you 
> change the fingerprint between each site).
>
> And supposedly leaving JS off (if possible) distinguishes you from 
> other TBB users that leave NoScript at the default setting.
>

-- 
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms


