browser fingerprinting - panopticlick

7v5w7go9ub0o 7v5w7go9ub0o at gmail.com
Sun Jan 31 17:38:07 UTC 2010


Kyle Williams wrote:
> 7v5w7go9ub0o wrote:
>> Andrew Lewman wrote:
>> 
>>> On 01/29/2010 08:20 PM, 7v5w7go9ub0o wrote:
>>> 
>>>> As we slowly transition to web 2.0, probably the next step is 
>>>> putting the TOR browser in a VM full of bogus, randomized 
>>>> userid/sysid/network information - carefully firewalled to 
>>>> allow TOR access only (TOR would be running somewhere outside 
>>>> the browser VM).
>>>> 
>>> Already working on that, https://www.torproject.org/torvm/ or 
>>> pick a live cd with tor integrated into it.
>>> 
>>> 
>> Good to see these projects being developed. IIUC, the TORVM is a 
>> tor client; so the TORVM is designed for easy installation, and 
>> perhaps to contain any exploit of TOR!?
>> 
>> 
> This was one of the design points of Tor VM; to protect Tor by 
> running it inside a VM, so if your browser in the HOST OS goes bad on
> you Tor would be protected inside the VM.
> 
>> Guess I was thinking of a different approach: putting Firefox in a 
>> VM and just letting it go ahead and get crazy with flash, JS, 
>> cookies (.. I have tired of tweaking NoScript, RequestPolicy, and 
>> CS Lite all the time.....).   TOR is running in a chroot jail on 
>> the "regular" OS, connected by network.
>> 
>> JS/Flash will presumably look for unique or geographic information
>> within the VM and will get only bogus stuff which is cleaned and 
>> randomized every few minutes, along with cookies and caches. DNS is
>> "unbound", elsewhere on the internal network, and has protection 
>> against many of the "DNS tricks". FWICT the obtainable network 
>> information all reflects the virtual Ethernet.
>> 
>> 
> You may want to take a look at another project I've had out for a few
> months, but haven't really made much light of it. Chromium Browser 
> VM http://www.janusvm.com/chromium_vm/
> 
> The name says it all.  It's Chromium running inside a VM.  Unlike 
> traditional VMs, this VM attempts to make the browser feel like a 
> native application to the HOST OS even though it's running inside the
> VM.  If you open an "Incognito" session with Chromium, it does a 
> pretty good job at protecting your privacy with regards to your 
> history and cookies, preventing the disclosure of what sites you've 
> visited on the Internet (tested against JS & CSS).  Check it out.
> 
> You can run it in different modes:
> - Exported browser display (default)
> - Exported browser display with plugins disabled
> - Browser in a local X server (inside the VM's window or as a boot CD.)
> - Browser in a local X server with plugins disabled (inside the VM's
>   window or as a boot CD.)
> - All the above options + Tor
> 
> The ISO is also bootable from a CD-ROM, just burn it, boot it, and 
> choose a boot option with "Local X Server".  It uses the same drivers
> as Turnkey Linux (aka: Ubuntu 8.04). So it's overkill for driver 
> support from the VM standpoint, but it's good as a bootable CD for 
> lots of different hardware vendors.


Dang!   This makes a lot of sense! A fast, "throwaway" browser, quickly
(instantly?) reloaded in a virgin state - as opposed to the traditional
approach of a heavily-protected Firefox remaining in memory for a while.

As you know, on Linux one simply QEMU/KVMs the .iso on storage; dead easy.

I'd guess there is reluctance to try it, as many believe that Google is
satan and fear that there is home-phoning to the "cloud" going on with
Chromium. Of course, running it in a well-firewalled, standardized VM
may render that information meaningless, and any reporting outside of
TOR impossible.

[]

> Against the EFF's new fingerprinting tool, this browser VM masks most
> of your real attributes, but fails when it comes to your screen size. 
> Interestingly, the color depth was off and reported 24 when it should be
> 32.  BTW, the performance benchmarks with this browser inside (or 
> outside) a VM smoke FF and IE hands down.  Kudos to Google. :)

Got a copy; gonna give it a try!

(FWIW, have had good luck with a hardened-Gentoo FF QEMU/KVM VM, except
for graphics which suck. Once they/I figure out how to get GPU
pass-through, I'll do routine browsing - including flash/silverlight
streaming - in it. IIUC chromium does html5 video; will see if I can
get some html5 pass-through video streaming out of your .iso (though,
obviously, not through TOR).)


