[tor-qa] Panopticlick

Mike Perry mikeperry at torproject.org
Mon Jun 11 07:12:56 UTC 2012

Thus spake Katya Titov (kattitov at yandex.com):

> > Actually, I think a useragent-based filter could go a long way to
> > making the existing panopticlick data more useful:
> > https://trac.torproject.org/projects/tor/ticket/6119#comment:1
> Certainly would. I like the idea of TBB defaulting to whatever is the
> most common user agent, but also allowing users to choose from a list
> of other common user agent strings. Assuming you've got access to the
> Panopticlick database then I imagine that the common strings could be
> pulled out automatically at build time and populated within TBB.

From a purely information-theoretic sense, individual choice is
extremely bad for anonymity (more choices -> more entropy -> more
identifying bits).  Sorry all you DIY anarcho cypherpunks. You either
need to make your voices heard so we can hit consensus on this, or
surrender to the Identified Internet. Them's the breaks.

From a practical perspective, there is no hiding the fact that you're a
Tor Browser user. Even if you could hide the fact that you're a Tor user
by some dark magic, any solutions we take to solve these problems will
automatically make you stand out from "normal" anyhow.

Here's a real world analogy: Right now, browser privacy can give you a
mask. You won't look a damn thing like normal, but if we can get these
damn masks to look enough like each other, and enough people use the
masks, that's better than the status quo.

So the only remaining choice we have is to make every one of our users'
masks try to look the same. This also means that as we iterate, previous
masks won't look like the newer, more uniform masks. In an ideal world,
this means everyone needs to upgrade at once, and be re-measured somehow
to verify the improvement. We've obviously got a few more steps to get
to that point.

Later, when technology advances, we can think about making
shape-shifting masks that look like the other mask of your choice. But
holy face dancers, batman, that will be tricky.

So yeah, we need useragent-specific Panopticlick results, as well as the
ability to add our own tests to Panopticlick. Perhaps if we get EFF to
publish the Panopticlick source, this will happen organically? Maybe it
already is published, and I missed it. I've Bcc'd Peter on most of these
emails, just in case. Peter, you probably can't reply to this list
directly without someone approving your mails.

Mike Perry
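
The "more choices -> more entropy -> more identifying bits" argument in the mail above, worked through as an added example that is not part of the original message or of Panopticlick. The two populations, the 8-way share split and the UA labels are constructed for illustration.

```python
import math
from collections import Counter

def surprisal_bits(count, total):
    """Identifying bits revealed by one observed value: -log2(p)."""
    return -math.log2(count / total)

def shannon_entropy_bits(counts):
    """Average identifying bits the attribute contributes across all users."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)

def ua_report(population):
    """population: one user-agent string per user (constructed data)."""
    counts = Counter(population)
    total = len(population)
    return {
        "entropy_bits": shannon_entropy_bits(counts),
        # Worst case: the user who picked the rarest string.
        "max_surprisal_bits": max(surprisal_bits(c, total) for c in counts.values()),
        # Number of users indistinguishable from that worst-off user.
        "smallest_anonymity_set": min(counts.values()),
    }

USERS = 1024

# Case 1: every browser ships the same user agent (the "uniform mask").
uniform = ["UA-default"] * USERS

# Case 2: users pick from a list of 8 strings; the split is an assumption,
# skewed the way real preference distributions tend to be.
SHARES = [512, 256, 128, 64, 32, 16, 8, 8]
chooser = [f"UA-option-{i}" for i, n in enumerate(SHARES) for _ in range(n)]

if __name__ == "__main__":
    for name, pop in (("uniform", uniform), ("chooser", chooser)):
        r = ua_report(pop)
        print(f"{name:8s} entropy={r['entropy_bits']:.3f} bits  "
              f"worst-case={r['max_surprisal_bits']:.1f} bits  "
              f"smallest set={r['smallest_anonymity_set']}")
```

These bits add to whatever every other measurable attribute already leaks, so the users who pick a rare string shrink their anonymity set from the whole population to a handful before any other fingerprinting is applied.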