[tor-talk] Hiding stuff

proper torbox at riseup.net
Fri Jul 13 18:15:19 UTC 2012


antispam06 at sent.at:
> On Fri, Jul 13, 2012, at 15:02, proper wrote:
>> antispam06 at sent.at:
>>> I remember reading about installing more extensions as a bad
>>> thing as it might identify a Tor configuration from another. But
>>> can't this be hidden?
>>
>> Maybe. Would require development which no one wants to take.
> 
> In the sense that each extension should be combed for functions that
> interact with the non–local or that no developer has a wish to inhibit
> extensions from chatting with the exterior?

Yes, but its even more. Also some addons are hard to make them work.
Adblock for example changes your fingerprint because you download a part
from a website but other parts not, the server can recognize that.

>>> Also, is there a way to tweak the regular Firefox output so that
>>> it looks like a Tor browser without being on Tor?
>>
>> You can remove all proxy settings in Tor Button and connect directly.
>> You will get the Tor Browser fingerprint without using the Tor network.
> 
> That's a wonderful idea!

Sadly, if you do this as the only person, you stand out even more as
with regular Firefox. If you hide everything, you are in the group of
"people who hide everything" and if there are only a very few people in
this group it's very easy to identity.

BUT, if many people were to use Tor-Browser-without-Tor and if you are
on dynamic IP, that would even grant some privacy. And even some
"anonymity" * within your IP range within the set of
Tor-Browser-without-Tor users.

* For server's perspective: some anonymity.
* From providers / hackers / law enforcement perspective: As soon as IP
logs get deleted you also have some anonymity.

It would require a debate here, interested people and a campaign to get
lots of users for it.

>>> To a smart
>>> tracker it would be obvious as it doesn't come from a Tor exit
>>> relay. Can I set up the given output resolution for example?
>>
>> Must be somewhere in Tor Button source code.
>>
>> What you want to archive is very difficult. The list of Tor exists is
>> public.
> 
> Yes. I know the list is public. So that would give away the trick. But
> for sites not smart enough would mean hiding identifying data. The
> screen resolution and time zone data are the most revealing once flash
> and java are disabled. As I have a quite rare screen resolution that
> would be the main issue.

See Tor Browser and Tor Button design docs, Tor Browser / Button trac
tickets, related discussion etc. There is much more which will be used
for tracking.

>> You could chain another proxy (or SSH, or VPN) behind Tor, i.e. Tor ->
>> proxy. The proxy must be private, not in some public proxy list. On the
>> other hand that's not recommend, since it adds a permanent observer.
> 
> No. Just have a regular connection, but make the browser shut up.

I see.

>> And tweak Tor Browser until it looks like you want or tweak Firefox
>> until it adds the security features and looks you like.
> 
> I would tweak the regular Firefox, but I have no idea how to stop it
> from revealing CPU and system data. Browser ID is just the tip of the
> iceberg.

For your question it might be the easier to modify Tor Browser.


More information about the tor-talk mailing list