browser footprint

7v5w7go9ub0o 7v5w7go9ub0o at gmail.com
Mon Jul 21 20:41:47 UTC 2008


Karsten N. wrote:
> I have read a thread at the JonDos forum about browser footprints.
> 
> A browser is not only identified by the user-agent, it is possible to
> use the accepted language, the accepted content, accepted charsets...
> 
> To create a highly anonymous group, many users should use the same
> settings for HTTP header values.
> 
> You may check your browser at: https://www.jondos.de/de/anontest#
> 
> At the page you will see the recommended settings. A developer of
> JonDos wrote, they are in contact with the tor dev team about this.
> Is it true? I can not find anything about this at torproject.org.
> 
> In Firefox / Iceweasel you may set all recommendations at about:config
> 
>  intl.charset.default              utf-8
>  intl.accept_charsets              *
>  intl.accept_languages             en
>  network.http.accept.default       */*
> 
> add a new string value to the configuration:
> 
> general.useragent.override  Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0
> 
> and use some plugins like RefControl, CookieSafe, NoScript....
> 
> For Konqueror, I think it is only possible to set the following
> values in $HOME/.kde/share/config/kio_httprc
> 
>   Language=en
>   SendUserAgent=true
>   UserAgent=Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0
>   SendReferrer=false
> 
> More options possible?
> 
> Are there recommendations by others?
> 
> Karsten N.
>



Thanks for posting this; I think it is an important topic.

1. ISTM that one should go out to some of the statistics sites and
determine what the most frequently occurring "prints" actually are.

For user agents, there are many statistic sites; e.g.:

http://www.thecounter.com/stats/
http://www.upsdell.com/BrowserNews/stat.htm

FWICT, the most frequently occurring general User Agent is one of these:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1)

I'd then find out what the typical (American English) Windows I.E.
browser puts out for charsets and encodings, and use that.

(I do not believe that content type */* is used by many browsers; nor
does gzip,deflate appear for HTTP_ACCEPT_CODING)

2. I agree that TOR would be the logical place to incorporate an
optional sanitizing routine that makes all browsers look the same. It is
likely that some folks will complain that it'll break certain features -
fine, they don't have to use it. But for most of TOR browser usage,
it'd work fine.

If doing this in TOR is not practical or too far off, TOR could at least
officially recommend the replacement signatures that most users could
apply using our own devices (e.g. tweaking polipo, using privoxy,
Proxomitron, etc.).

It seems to me that if we wanted to approach TOR on this:

a. the first step would be to determine what the browser headers should be.

b. the second step would be to code and test a patch for TOR that
replaces individual headers with the standard headers, and deletes
extraneous stuff.

c. Present the recommendations and code patch.


If you are in contact with JonDoe, you might ask them why they chose the
signatures they did.

HTH

(p.s. Suggest you retitle this topic to "browser fingerprints" or 
"browser signatures". "footprints" typically refer to the size and 
overhead of an application)
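
The header replacement discussed in this message (replace individual headers with standard ones, delete the rest), as an added Python example that is not part of the original post or of any Tor, polipo or privoxy code. The replacement values are the settings from the quoted message; the KEEP list, the function names and both sample requests are assumptions constructed for illustration.

```python
import hashlib

# Replacement values: the settings recommended in the quoted message.
STANDARD = {
    "User-Agent": "Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0",
    "Accept": "*/*",
    "Accept-Language": "en",
    "Accept-Charset": "*",
}
# Passed through unchanged so the request still works (assumed list).
KEEP = ("Host", "Content-Type", "Content-Length")

def _fields(raw: bytes):
    """Return (request line, [(canonical name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    pairs = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().title(), value.strip()))
    return lines[0], pairs, body

def sanitize(raw: bytes) -> bytes:
    """Rewrite a request so only KEEP and STANDARD headers remain, in one fixed
    order and casing (header order and case are fingerprintable too)."""
    request_line, pairs, body = _fields(raw)
    kept = {n: v for n, v in pairs if n in KEEP}
    out = [request_line]
    out += [f"{n}: {kept[n]}" for n in KEEP if n in kept]
    out += [f"{n}: {v}" for n, v in STANDARD.items()]
    return "\r\n".join(out).encode("latin-1") + b"\r\n\r\n" + body

def fingerprint(raw: bytes) -> str:
    """Hash what a server can compare across visitors: every header that is
    not request-specific, in the order it was sent."""
    _, pairs, _ = _fields(raw)
    seen = "\n".join(f"{n}={v}" for n, v in pairs if n not in KEEP)
    return hashlib.sha256(seen.encode("latin-1")).hexdigest()[:16]

# Constructed sample requests from two differently configured browsers.
MSIE_REQ = (b"GET / HTTP/1.1\r\nAccept: image/gif, */*\r\n"
            b"Accept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; "
            b"MSIE 6.0; Windows NT 5.1; SV1)\r\nHost: example.org\r\n\r\n")
OTHER_REQ = (b"GET / HTTP/1.1\r\nhost: example.org\r\n"
             b"user-agent: ExampleBrowser/1.0 (X11; Linux)\r\n"
             b"Accept-Language: de,en;q=0.5\r\nAccept-Charset: ISO-8859-1\r\n"
             b"Referer: http://example.net/\r\nCookie: id=123\r\n\r\n")
```

Before sanitizing, the two requests hash to different fingerprints; afterwards they are byte-identical apart from request-specific fields. Dropping Cookie and Referer outright breaks sites that depend on them, which is the trade-off the message anticipates.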