<font color='black' size='2' face='arial'><br>
<font color="black" face="arial" size="2">
<div> <br>
</div>
<div> <br>
</div>
<div style="clear: both;"></div>
<div> <br>
</div>
<div> <br>
</div>
<div style="font-family: arial,helvetica; font-size: 10pt; color: black;">-----Original Message-----<br>
From: Kraktus <kraktus@googlemail.com><br>
To: tor-talk@lists.torproject.org<br>
Sent: Mon, Apr 25, 2011 8:26 pm<br>
Subject: Re: [tor-talk] Users profiling through personŠ°l banners filtering settings<br>
<br>
<div id="AOLMsgPart_0_36cd98e1-0acf-4f18-91ff-70f1d7b6b36c" style="margin: 0px; font-family: Tahoma,Verdana,Arial,Sans-Serif; font-size: 12px; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<pre style="font-size: 9pt;"><tt>Well, you could make this argument for any blocking activity: cookies,<br>
<br>
javascript, plugins, ad-blocking, etc. If one user is blocking a bunch<br>
<br>
of things, then they stand out because they are blocking things, and<br>
<br>
most people aren't. You might even be able to do extensive tests to<br>
<br>
find out what sorts of things they are blocking and find some sort of<br>
<br>
pattern.<br>
<br>
<br>
<br>
Take cookies for example. Imagine these scenarios:<br>
<br>
1. User blocks all cookies.<br>
<br>
2. User blocks all cookies except cookies from whitelisted sites.<br>
<br>
3. User accepts all cookies except cookies from blacklisted sites.<br>
<br>
4. User accepts all cookies.<br>
<br>
<br>
<br>
Now, as I understand it, your argument is that any deviation from 4,<br>
<br>
but especially selective whitelisting/blacklisting as described in 2<br>
<br>
and 3, is a variation from the norm and hence makes a user stand out.<br>
<br>
(I believe, it would actually either require multiple sites to<br>
<br>
collaborate to perform such an attack, or else, as you suggested, the<br>
<br>
exit node itself might perform the attack.)<br>
<br>
<br>
<br>
Now, while there are some cookies that do not contain anything unique,<br>
<br>
most cookies are used to store unique IDs. So if you accept a cookie<br>
<br>
from a site, they are probably going to give you a unique pseudonym<br>
<br>
they can use to track you with. On the other hand, if you refuse to<br>
<br>
accept cookies from that site, then you are part of the anonymity<br>
<br>
group of Tor users who do not accept cookies from that site. Yes, they<br>
<br>
could use other techniques to narrow things down, but at least you<br>
<br>
haven't let them give you a unique session ID. So, I think the closer<br>
<br>
you can get to 1, without sacrificing too much usability, the better.<br>
<br>
The more Tor users can be persuaded to do 2, the better. The more Tor<br>
<br>
users could at least be persuaded, if not to do that, then to at least<br>
<br>
have a blacklist of advertising domains (3), the better. Then you will<br>
<br>
stand out less when you refuse to accept a cookie. (In Firefox, you<br>
<br>
can use the Cookie Monster plugin to help with this.)<br>
<br>
<br>
<br>
Javascript is even worse. Javascript often has security<br>
<br>
vulnerabilities, so an attacker might exploit a buffer overflow or<br>
<br>
something, and use that to reveal your identity. Even if the<br>
<br>
Javascript is not exploited, it can still reveal a lot of information<br>
<br>
about you. For an idea of what I am talking about, take a look at this<br>
<br>
site and allow Javascript.<br>
<br>
<a href="http://ip-check.info/?lang=en" target="_blank">http://ip-check.info/?lang=en</a><br>
<br>
(That will also show you why you shouldn't allow plugins such as Java<br>
<br>
or Flash when using Tor unless you have a fancy setup to force them<br>
<br>
through Tor, or simply don't care about your anonymity that much, and<br>
<br>
even then, they can still reveal a lot.)<br>
<br>
<br>
<br>
Now, even normal, non-exploiting Javascript still reveals much more<br>
<br>
specific information about my computer than simply "This user does not<br>
<br>
permit Javascript from your website". So again, the more Javascript<br>
<br>
you block, the better. The more Tor users can be persuaded to only<br>
<br>
allow Javascript from specific websites (where the usability concerns<br>
<br>
outweigh the anonymity concerns). the better. The more Tor users can<br>
<br>
be persuaded, if not to do that, then at least to specify websites<br>
<br>
they don't want to allow Javascript from, the better. In Firefox,<br>
<br>
NoScript can help with this.<br>
<br>
Here's a good noscript.untrusted, if you prefer the blacklist method<br>
<br>
or just want to minimize the chance of accidentally allowing<br>
<br>
javascript from an advertising/tracking domain:<br>
<br>
ad.linkstorms.com adbrite.com adbureau.net addthis.com addynamix.com<br>
<br>
adgardener.com ads.alphatrade.com ads.forbes.com ads.pointroll.com<br>
<br>
ads.reason.com ads.space.com ads1.msn.com adsonar.com adtech.de<br>
<br>
adtology3.com advertising.com adzones.com afy11.net blogads.com<br>
<br>
doubleclick.com doubleclick.net facebook.net falkag.net getclicky.com<br>
<br>
google-analytics.com googleadservices.com googlesyndication.com<br>
<br>
hitbox.com quantserve.com scorecardresearch.com serving-sys.com<br>
<br>
specificclick.net statcounter.com tacoda.net zedo.com<br>
<br>
<a href="http://adbrite.com" target="_blank">http://adbrite.com</a> <a href="http://adbureau.net" target="_blank">http://adbureau.net</a> <a href="http://addthis.com" target="_blank">http://addthis.com</a><br>
<br>
<a href="http://addynamix.com" target="_blank">http://addynamix.com</a> <a href="http://adgardener.com" target="_blank">http://adgardener.com</a> <a href="http://adsonar.com" target="_blank">http://adsonar.com</a><br>
<br>
<a href="http://adtech.de" target="_blank">http://adtech.de</a> <a href="http://adtology3.com" target="_blank">http://adtology3.com</a> <a href="http://advertising.com" target="_blank">http://advertising.com</a><br>
<br>
<a href="http://adzones.com" target="_blank">http://adzones.com</a> <a href="http://afy11.net" target="_blank">http://afy11.net</a> <a href="http://blogads.com" target="_blank">http://blogads.com</a><br>
<br>
<a href="http://doubleclick.net" target="_blank">http://doubleclick.net</a> <a href="http://facebook.net" target="_blank">http://facebook.net</a> <a href="http://getclicky.com" target="_blank">http://getclicky.com</a><br>
<br>
<a href="http://google-analytics.com" target="_blank">http://google-analytics.com</a> <a href="http://googleadservices.com" target="_blank">http://googleadservices.com</a><br>
<br>
<a href="http://googlesyndication.com" target="_blank">http://googlesyndication.com</a> <a href="http://hitbox.com" target="_blank">http://hitbox.com</a> <a href="http://quantserve.com" target="_blank">http://quantserve.com</a><br>
<br>
<a href="http://scorecardresearch.com" target="_blank">http://scorecardresearch.com</a> <a href="http://serving-sys.com" target="_blank">http://serving-sys.com</a><br>
<br>
<a href="http://specificclick.net" target="_blank">http://specificclick.net</a> <a href="http://statcounter.com" target="_blank">http://statcounter.com</a> <a href="http://tacoda.net" target="_blank">http://tacoda.net</a><br>
<br>
<a href="http://zedo.com" target="_blank">http://zedo.com</a> <a href="https://adbrite.com" target="_blank">https://adbrite.com</a> <a href="https://adbureau.net" target="_blank">https://adbureau.net</a><br>
<br>
<a href="https://addthis.com" target="_blank">https://addthis.com</a> <a href="https://addynamix.com" target="_blank">https://addynamix.com</a> <a href="https://adgardener.com" target="_blank">https://adgardener.com</a><br>
<br>
<a href="https://adsonar.com" target="_blank">https://adsonar.com</a> <a href="https://adtech.de" target="_blank">https://adtech.de</a> <a href="https://adtology3.com" target="_blank">https://adtology3.com</a><br>
<br>
<a href="https://advertising.com" target="_blank">https://advertising.com</a> <a href="https://adzones.com" target="_blank">https://adzones.com</a> <a href="https://afy11.net" target="_blank">https://afy11.net</a><br>
<br>
<a href="https://blogads.com" target="_blank">https://blogads.com</a> <a href="https://doubleclick.net" target="_blank">https://doubleclick.net</a> <a href="https://facebook.net" target="_blank">https://facebook.net</a><br>
<br>
<a href="https://getclicky.com" target="_blank">https://getclicky.com</a> <a href="https://google-analytics.com" target="_blank">https://google-analytics.com</a><br>
<br>
<a href="https://googleadservices.com" target="_blank">https://googleadservices.com</a> <a href="https://googlesyndication.com" target="_blank">https://googlesyndication.com</a><br>
<br>
<a href="https://hitbox.com" target="_blank">https://hitbox.com</a> <a href="https://quantserve.com" target="_blank">https://quantserve.com</a><br>
<br>
<a href="https://scorecardresearch.com" target="_blank">https://scorecardresearch.com</a> <a href="https://serving-sys.com" target="_blank">https://serving-sys.com</a><br>
<br>
<a href="https://specificclick.net" target="_blank">https://specificclick.net</a> <a href="https://statcounter.com" target="_blank">https://statcounter.com</a> <a href="https://tacoda.net" target="_blank">https://tacoda.net</a><br>
<br>
<a href="https://zedo.com" target="_blank">https://zedo.com</a><br>
<br>
<br>
<br>
I feel the same way about adblocking. The fewer web logs I show up in,<br>
<br>
the better. I don't see any reason why I should show up in the log of<br>
<br>
website that is pretty much exclusively advertising. When I visit a<br>
<br>
website, I only want to show up in the log for that website, not a<br>
<br>
bunch of third party websites. Unfortunately, some websites don't work<br>
<br>
without third-party content, so I guess unless I don't care about<br>
<br>
usability, I have to make some compromises. Still, I have found<br>
<br>
adblockplus very useful for blocking third party content without much<br>
<br>
of a usability hit. EasyList and EasyPrivacy are very helpful. The<br>
<br>
localizations are good if you visit a lot of non-English websites.<br>
<br>
Antisocial is good for stopping tracking by social networking<br>
<br>
websites. Malware Domains is probably a good idea for Windows users<br>
<br>
who don't like to use anti-virus, or who only like to use it<br>
<br>
on-demand. (That is, none of that active protection stuff.) Certain<br>
<br>
other lists are good if you are visiting certain types of websites.<br>
<br>
You know, there have been cases of people getting viruses from<br>
<br>
reputable websites when an infected advertisment somehow made it in to<br>
<br>
whatever advertiser they were using.<br>
<br>
<br>
<br>
In short, I think the privacy benefits of blocking unwanted<br>
<br>
cookies/javascript/third party content is far greater than the risk of<br>
<br>
being profiled based on your pattern of blocking stuff, and if you are<br>
<br>
concerned about being profiled based on your pattern of blocking<br>
<br>
stuff, then the solution is to get more Tor users to block more of<br>
<br>
that sort of thing.<br>
<br>
<br>
<br>
On 10/04/2011, unknown <<a href="mailto:unknown@pgpru.com">unknown@pgpru.com</a>> wrote:<br>
<br>
> On Tue, 22 Mar 2011 18:26:34 +0000<br>
<br>
> unknown <<a href="mailto:unknown@pgpru.com">unknown@pgpru.com</a>> wrote:<br>
<br>
><br>
<br>
>> Too many users dislikes of annoying web elements -- banners, popups,<br>
<br>
>> scripts,<br>
<br>
>> strange frames. They use a tools to blocks that elements or change webpage<br>
<br>
>> rendering.<br>
<br>
>><br>
<br>
>> Traditional programs for filtering is a local proxys -- privoxy or polipo<br>
<br>
>> are examples with<br>
<br>
>> close relation to Tor and used actively. This programs cannot filtering<br>
<br>
>> SSL-content and evil site<br>
<br>
>> can use mix of SSL-ed and non-SSL-ed banners, pop-ups, etc to determine a<br>
<br>
>> fact<br>
<br>
>> of using such proxy and trying to guess personal users filtering settings.<br>
<br>
>><br>
<br>
>> The problem may be even worse, with or without using this proxy, even if<br>
<br>
>> users block<br>
<br>
>> contents within a browser itself (with Firefox plugins to block banners,<br>
<br>
>> and scripts). Not<br>
<br>
>> only sites, but "mans in the middles", adversarial clusters of evil exit<br>
<br>
>> nodes<br>
<br>
>> can does parsing traffic and modifying web contents by injecting banners,<br>
<br>
>> misconfigured<br>
<br>
>> cookies, incorrect frames.<br>
<br>
>><br>
<br>
>> Injected traffic for various sites, in different times<br>
<br>
>> and seances can be the way of revealing users with personal blocking<br>
<br>
>> rules. Data<br>
<br>
>> about blocking profiles of that users may be statistical processed and<br>
<br>
>> correlated.<br>
<br>
>><br>
<br>
>> Is it a real threat? Should Tor users stop blocking contents<br>
<br>
>> selectively? Or they can use predefined and shared rules in analogy of<br>
<br>
>> Torbutton?<br>
<br>
><br>
<br>
> Let me describe a two examples about users blocks banners in<br>
<br>
> privoxy/polipo/adblock/etc:<br>
<br>
><br>
<br>
> 1. Webhost can see that user block russian/german/chinese/etc big portal<br>
<br>
> banners. Webservers owner can make a conjecture about specific language of<br>
<br>
> the user.<br>
<br>
><br>
<br>
> 2. One exit or colluding exit nodes can compare banners blocking profiles<br>
<br>
> from time to time. Profiles can be linked from different seances.<br>
<br>
><br>
<br>
> Any comments?<br>
<br>
</tt>Why<font color="black" face="arial" size="2"> does Tor Browser bundle <br>
come with Java Script enabled?</font><br>
<tt>
><br>
><br>
><br>
> _______________________________________________<br>
> tor-talk mailing list<br>
> <a href="mailto:tor-talk@lists.torproject.org">tor-talk@lists.torproject.org</a><br>
> <a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk</a><br>
><br>
_______________________________________________<br>
tor-talk mailing list<br>
<a href="mailto:tor-talk@lists.torproject.org">tor-talk@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk</a><br>
</tt></pre>
</div>
<!-- end of AOLMsgPart_0_36cd98e1-0acf-4f18-91ff-70f1d7b6b36c -->
</div>
</font></font>