That is definitely a good approach. But maybe there is research to be done here as well. Just a rough (and in part research) idea that I had in mind while asking you the question above: What about if we first started looking at different services offered in the web whether they can be deployed anonymously *at all* (or maybe more precisely (but not much): that can be deployed in a way that there is either no linkability at all or the linkability is not strong enough to endanger the user) (that would be worth some research, I guess)?
What technical properties of the web makes such services impossible to use?
The web is not the right object to reason about here. The more interesting question would be "What techical properties of a service makes it impossible to get used anonymously?" That remains to be researched. At the end, maybe there isn't any (though I doubt that).
Most of the ones I can think of are problematic because of "Layer 8" issues like users divilging too much information to specific services.
That may hold for most services, yes.
We would probably find some services where we had to say: "Well, there is no way to get them used anonymously due to their nature and the power of the companies and/or owners behind them." (Facebook comes here to my mind as a candidate and the Google universe as well due to the power Google has). Should we say we make the Tor anon mode compatible with these services nevertheless (due to usability issues) and abandon stronger anonymity measures? I would say no. Not at all. Rather we should be honest and say: "Dear User, surfing anonymously AND using Facebook does not work. You may use the Tor anon mode for that purpose though but there is a high probability that it breaks functionality."
How do we be "honest"? Filter their browsing?
No, not at all. That sentence in quotes was not meant literally (in the sense that we pop up a dialog and show that sentence to the user). The idea would be (as I wrote above) not to start a race to the bottom and adapt (i.e. weaken) the unlinkability features to get the anon mode working with thoses sites as well. That in turn could mean that these sites break (worst case) while being used in anon mode or are "just" more inconvenient to use then.
The idea of getting more users due to being not too strict here might be appealing but is not the right decision in the end. I think one has to realize that there are services in the web that are *designed* in a way that one EITHER may use them OR use anonymity services. Sure, the devil is in the details (e.g. there are probably a lot of services that may be usable anonymously but then are accompanied with a certain lack of usability. What about them? Should we decide against usability again or should we loosen our means to provide unlinkability here?) but that does not mean there is no way to find a good solution though.
At the end of the day, I don't believe we have to sacrifice much in terms of usability if we properly reason through the adversary capabilities.
I would be glad if that would be the case but I doubt that (having e.g. Facebook in mind).
In short (and still roughly): I would like to start thinking from having all means available to surf the web anonymously and then downgrade them piece-by-piece to reach a trade-off between anonymity and usability. Services that may not be used anonymously at all would not trigger such a painful downgrade ("painful" as one usually tries first to hack around existing problems encountering unbelievable design issues and bugs and has to concede finally that it is in the user's interest to exclude that feature (again)).
Downgrading privacy would be a UI nightmare that no one would understand how to use, but assuming we can solve that problem: if we can find a way to apply these downgrade options to specific urlbar domains, this might make sense. Otherwise you introduce too many global fingerprinting issues by providing different privacy options.
No, you got me wrong here. The downgrading occurs while designing the anon mode not while using it. There should be just one mode in order to avoid fingerprinting issues. It is merely meant as a design principle for the dev: starting with all we can get and then downgrading our defenses until we reach a good balance between usability and anon features.
What do you have in mind in terms of stricter controls?
Hmmm... Dunno what you mean here.
The need for science especially comes in on the fingerprinting arena. Some fingerprinting opportunities may not actually be appealing to adversaries. Some may even appear appealing in theory, but in practice would be noticeable to the user, too noisy, and/or too error-prone. Hence I called for more panopticlick-style studies, especially of Javascript features, in the blog post.
Yes, that is definitely a good idea though I tend to avoid them all even if currently no adversary is using them (especially if no usability issue is at stake). First: no one knows whether one did not miss an attacker using this kind of attack vector and second: Getting rid of attack vectors is a good thing per se.
But going back to your original point, I contend you're not getting rid of any attack vectors by eliminating window.name and referer transmission. The adversary still has plenty of other ways to transmit the same information to 3rd party elements..
Yes, that's true.
You're just preventing "accidental" information leakage at the cost of breaking functionality. The ad networks will adapt to this sort of change, and then you're right back where you started in terms of actual tracking, after years of punishing your users with broken sites..
This depends on how one designs the single features. But I got your point.
Georg