Proposal: Tor User Agent Carousel (TUAC)

Sebastian Hahn hahn.seb at
Fri Apr 4 10:38:53 UTC 2008

On Apr 4, 2008, at 12:10 PM, lxixnxenoise at wrote:
> hi, thank you for your reply, my comments follow below:
>> On Apr 4, 2008, at 11:16 AM, lxixnxenoise at wrote:
>>> Hi, thank you for the reply!
>>> "Also, when the user agent changes on a website that you logged
>>> onto, they
>>> are going to link the two"
>>> This is a good point, if the rotation occurs during the period of
>>> login,
>>> but one may choose a longer period between rotations, this still not
>>> solving anything though if the user is logged in somewhere. If the
>>> user is
>>> logging in somewhere, though, are the maintaining a static identity?
>>> If
>>> so, why? Would this not be a defeat in and of itself over a long
>>> period of
>>> time, regardless of UA?
>>> Aside from this, would they not link more from the browser than UA?
>>> So we
>>> have two groups if we look at this simply, as a lot of tor users
>>> seem to
>>> like using the popular Windows UA:
>>> Group 1: The real Windows users with the UA, most plugins enabled by
>>> default, flash, javascript, etc.
>>> Group 2: The tor users with the common Windows UA, most or all  
>>> plugins
>>> disabled
>>> So group one is Charlie Brown in the standard t-shirt which never
>>> changes,
>>> and group two is Charlie Brown in the same t-shirt but with a
>>> football in
>>> his hands, the disabled plugins standing out.
>>> So in addition to the TUAC idea (which, despite my naming of it, you
>>> mentioned has already been suggested, which doesn't surprise me) I
>>> propose
>>> this:
>>> A way to safely spoof (without a negative result to either end) to  
>>> the
>>> websites that you have plugins enabled, java, javascript, Flash, and
>>> all
>>> of the rest, but somehow negating the incoming trasmission of said
>>> content
>>> by passing it into some type of virtual shredder, some type of /dev/
>>> null
>>> approach. In this way Charlie Brown would not be holding the
>>> football in
>>> being fingerprinted so easily.
>>> Thank you for your other useful comments, I have removed them from  
>>> my
>>> reply to save space since I have no comments to share on them.
>>> If this is offtopic since it does not directly have to do with tor
>>> as you
>>> have pointed out, I will take the suggestion to others instead.
>>> Thanks for
>>> your kind attention! :)
>> I don't have much to say to that, except that you stick out as a Tor
>> user because your request came through a tor server. The list of tor
>> servers is publicly accessible (which is necessary by design) and  
>> even
>> if you don't spoof anything you're still not the regular Charlie
>> Brown. You need to "blend in" with the other Tor users, as you cannot
>> blend in with anyone on the planet!
> Okay, though I would appreciate other people's comments then on my
> suggestions for safely spoofing an enabled set of plugins if this  
> could be
> done. Yes, one may easily stick out as a Tor user because of the  
> exit node
> IP, *if* they are connecting to the end point through the exit node.  
> Some
> tor users choose to go through additional hoops rather than expose the
> exit node IP, thus in this case they are NOT identified as a tor user.
> Whether or not the tor user hits the website with the exit node IP,  
> why
> should they further subject themselves to being labeled as a tor  
> user? Why
> would they want to blend into this small group of users? I would think
> they would want to further blend into the larger group of common  
> folk who
> most often have their plugins enabled. Because of this I believe some
> method should be implemented to safely spoof plugins being enabled  
> when
> they are disabled.
> Maybe you can't blend in with everyone, but I'd rather choose to  
> blend in
> with the commoners or others (that's the point of the common UA,  
> right?)
> than the rest of the tor users.

I don't want to spam the list, but I think it's remarkable how you  
still don't acknowledge that it doesn't help to tell websites you have  
plugins enabled... They will for example test for JS, and if it  
doesn't work, they already know something. Then they'll put an applet  
or Flash up - that doesn't connect back - wow, they figured out you're  
a Tor user.

also, this will hurt the general user experience - websites that  
detect you don't have JS enabled might direct you to a page that  
doesn't use it, while what you see else is totally useless. So I don't  
think this would become the default, which means again you don't only  
stick out because you're a Tor user, but also because you use a  
feature few others don't use.

But I will not respond until someone else has had the chance to reply  
and say what they think.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the tor-talk mailing list