Threats to anonymity set at and above the application layer; HTTP headers

Ringo Kamens 2600denver at gmail.com
Sun May 21 14:08:07 UTC 2006


Why wouldn't a judge/jury go for that? Let's make this a more real-life
example. Somebody is murdered and a witness says they saw the suspect in a
green car. If the suspect doesn't have a green car, it certainly helps his
case. I see this as no different than any alibi. It couldn't have been me
because I'm not on Linux.

On 5/21/06, Fabian Keil <freebsd-listen at fabiankeil.de> wrote:
>
> "Ringo Kamens" <2600denver at gmail.com> top posted:
>
> > On 5/20/06, Fabian Keil <freebsd-listen at fabiankeil.de> wrote:
> > > Kai Raven <kairaven at arcor.de> wrote:
> > >
> > > > On 20.05.2006/09:13, you wrote:
> > > >
> > > > > I think a low-hanging target is the uniqueness of HTTP headers
> > > > > sent by particular users of HTTP and HTTPS over Tor.
> > > > > Accept-Language, User-Agent, and a few browser-specific features
> > > > > are likely to reveal locale and OS and browser version --
> > > > > sometimes relatively uniquely, as when someone uses a Linux
> > > > > distribution that ships with a highly specific build of Firefox
> > > > > -- and this combination may serve to make people linkable or
> > > > > distinguishable in particular contexts.
> > > >
> > > > For these reasons I have changed the Accept-Language and User-Agent
> > > > header, but only for the locale.
> > >
> > > I use a generated Firefox User-Agent string which is rebuilt
> > > every few minutes by <http://www.fabiankeil.de/sourcecode/uagen.pl>.
> > >
> > > While I don't blend in with the Windows-using crowd, the User-Agent
> > > is different for each website visit and therefore can't be used to
> > > track my visits.
> > >
> > > The website owner might notice that I don't surf
> > > with a Windows box, that I use Tor and probably Privoxy,
> > > block cookies and don't execute his code, but I can live
> > > with that and it's not enough information for a unique
> > > fingerprint.
>
> > I have a few points to add. For one, if you choose a user-agent that
> > is a Linux build every time you start Firefox (as opposed to having it
> > default) then that could be used as court evidence to say:
> > Well, I couldn't be xxx because he used a Linux browser and I'm
> > obviously on Windows and my user-agent field isn't spoofed.
>
> I seriously doubt that any judge will fall for that one.
>
> > As far as referrers goes, you can either use referrer blocking or
> > spoofing (Always make the referrer the root of the site) and blend in
> > with the crowd well.
>
> Blocking all referrers or rewriting them all to
> the root web site is the easiest way _not_ to blend in
> with the crowd. The referrer will be invalid most
> of the time!
>
> It's also not necessary: if you haven't changed
> the host, your referrer doesn't give away any information
> the web site owner couldn't gain by checking the server log.
>
> It is sufficient to only block the referrer if the host has
> changed. Not only that, it is also harder to detect: a web site
> change looks as if the user followed a bookmark or typed/pasted
> in the address herself; the following requests are all valid.
>
> Conditional blocking can only be detected if the web site is spread
> over several hosts, but that's the only case where it isn't superior
> to root site faking or generic blocking (which both would be detected
> as well).
>
> Fabian
> --
> http://www.fabiankeil.de/
>
>
>
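
The three Referer strategies compared in the quoted reply (block everything, always send the site root, block only when the host changes), as an added Python example that is not part of the original thread. The hostnames, link graph, click path and the `anomalies` heuristic are constructed assumptions standing in for what a site owner could infer from the server log.

```python
from urllib.parse import urlsplit

# Constructed link graph: page -> pages it links to (sample data, not from the thread).
LINKS = {
    "https://news.example/": {"https://news.example/world"},
    "https://news.example/world": {"https://news.example/world/story-1"},
    "https://news.example/world/story-1": {"https://shop.example/item/42"},
    "https://shop.example/item/42": {"https://shop.example/cart"},
}
# Constructed click path that follows those links across two hosts.
SESSION = [
    "https://news.example/",
    "https://news.example/world",
    "https://news.example/world/story-1",
    "https://shop.example/item/42",
    "https://shop.example/cart",
]

def host(url):
    return urlsplit(url).hostname

def referer_for(policy, prev_url, next_url):
    """Referer the client sends for next_url, or None to omit the header."""
    if prev_url is None or policy == "block_all":
        return None
    if policy == "root_spoof":
        parts = urlsplit(next_url)
        return f"{parts.scheme}://{parts.netloc}/"
    if policy == "conditional":
        return prev_url if host(prev_url) == host(next_url) else None
    raise ValueError(f"unknown policy: {policy}")

def anomalies(policy, session=SESSION, links=LINKS):
    """Requests whose Referer looks wrong to the site (hypothetical heuristic)."""
    flagged = []
    for prev_url, url in zip([None] + session[:-1], session):
        ref = referer_for(policy, prev_url, url)
        if ref is not None:
            # Present, but the named page has no link to the requested one.
            bad = url not in links.get(ref, set())
        else:
            # Absent although the client just loaded a same-host page linking here.
            bad = (prev_url is not None and host(prev_url) == host(url)
                   and url in links.get(prev_url, set()))
        if bad:
            flagged.append(url)
    return flagged

if __name__ == "__main__":
    for policy in ("block_all", "root_spoof", "conditional"):
        print(policy, anomalies(policy))
```

The heuristic treats each host as a separate site, so it does not model the multi-host case the reply names as the one situation where conditional blocking is detectable.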