Torbutton : please offer better user agent choices
andrew at torproject.org
andrew at torproject.org
Sat Feb 13 03:20:35 UTC 2010
On Fri, Feb 12, 2010 at 05:27:21AM -0500, twinkletoedturtle at Safe-mail.net wrote 5.1K bytes in 106 lines about:
: This has already been discussed previously, I was moving on to ask if
: this feature could be added, not debated.
The simple answer right now is no. There is exactly one person working
on torbutton. There is also one GSoC-student who has a degree to finish
and hacks on torbutton in their spare time. Giving users the ability to
partition themselves at will isn't something we want to do.
: real reason behind not adding this functionality is the fear the
: user will stand out from other tor users (a statement I don't believe)
If you have research and results to the contrary, we'll seriously
consider it.
: "Then uncheck the option and set your own user agent."
:
: Where, in Torbutton, may I do this? I assume you're referring here
: to modifying the Proxy user agent string setting (which does not survive SSL)
: or blindly trusting another addon which may or may not have issues with
: Tor.
I'm referring to the ability in Torbutton preferences "Security
Settings, Headers tab" to uncheck "Set user agent for Tor usage
(crucial)". You can then set whatever you want via about:config or your
favorite extension.
: "If you want to partition yourself, by all means, do so."
:
: IMO, Torbutton usera partition themselves if they use one old, rarely updated
: user agent string. By using this oudated user agent string, they stand out
: as likely Tor users without checking whether or not they are using an exit node.
: I would argue users are being treated like cattle and branded with this old
: user agent on purpose so they do stand out that much further as Tor users.
We do not hide the fact that you are using a Tor exit node. It's trivial for
someone to correlate the IP address of the exit node with that of your
traffic. In fact, we make it very easy to do so with the exit list
service, http://exitlist.torproject.org/. Therefore, you should assume
the service already knows you are a tor user. If they want to learn
which of the 4 million tor users you are, they need to start looking for
individual parameters that make you unique. User agent is one of these
parameters.
I've recently had conversations with some activists in Europe who want
to run unpublished exit nodes (meaning they set PublishServerDescriptor
0 in their torrc). Of course, one risk is the only people using this
unlisted exit node are those in the social graph of the activists.
: I argue, if the Torbutton author's main concern was this, other so called
: dangerous options would not exist because the user could make the mistake
: and choose different options and thus risk privacy or security issues in
: his/her Tor session. I call upon the Torbutton author to consider adding
Mike has already responded to this once, but it's his choice if he wants
to respond again.
: I call for this feature to be added to Torbutton, I don't believe
: the "blending" statement is entirely true when the larger picture
: is examined.
Anonymity loves company, how big is your crowd? It's a fine research
question.
--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
More information about the tor-talk
mailing list