[tor-talk] Basic questions from new user but...
Joe Btfsplk
joebtfsplk at gmx.com
Fri May 11 14:37:52 UTC 2012
On 5/11/2012 7:21 AM, Maxim Kammerer wrote:
> On Fri, May 11, 2012 at 2:36 AM, Joe Btfsplk<joebtfsplk at gmx.com> wrote:
>> Isn't this approach very much a double edged sword? From the link:
>>> However, we recommend that even users who know how to use NoScript leave
>>> JavaScript enabled if possible, because a website or exit node can easily
>>> distinguish users who disable JavaScript from users who use Tor Browser
>>> bundle with its default settings (thus users who disable JavaScript are less
>>> anonymous).
>> It may be true that changing settings makes one's profile different, but
>> from all I've ever read, java script is responsible for more malicious
>> browser attacks than anything. That's not so good.
> Javascript atacks are, however, out of the scope for anonymity
> research. The anonymity set reduction above, while purely theoretical
> and of no practical significance, is in that scope. It's a typical
> case of project focus shifting priorities to user's disadvantage.
> Moreover, if many users turn Javascript off often, it is quite
> possible that turning it off offers more (theoretical) anonymity due
> to the possibility of fingerprinting users' browser versions by
> browsers' respective Javascript quirks.
I'm guessing a large # of above avg to advanced TBB users are turning
off js in No Script - at least some times. Problem is, Tor Project has
no way of knowing the #s, so no way to quantify (even theoretically) how
much it increases their browser uniqueness.
>
>> Can someone explain to non-Tor network experts in layman's terms (25 words
>> or< ) :D, what exactly some one / entity HAS to be able to do in order to
>> profile that Joe has java script disabled,& then be able to tie it to MY
>> (dynamic) IP address - at * that * moment (an address that could change
>> anytime), or to me physically, sitting here at 123 Oak St., Bumfk, ND?
> It is not possible — anonymity set reduction only shifts your
> anonymity towards pseudonymity. I would guess that most browser users
> do not need true anonymity, however, and are fine with pseudonymity.
>
>> Then, what are the REAL world odds that out of all the exit nodes traffic,
>> which are constantly changing users, that someone can monitor enough nodes
>> AND be able to tie it directly to ONE specific person, w/ a real name&
>> physical address? Are we talking that any 12 yr old w/ the right, free
>> software can do this, or "theoretically"?
> Theoretically.
I don't know if your answers are totally / partly / not correct, but
they are similar to my limited understanding & gut feeling. PERHAPS if
the adversary is a hostile nation w/ complete monitoring of entire
internet traffic, ability to search ALL ISP's records / logs AND
resources & inclination to track down one user that has js turned off,
because he accessed a "forbidden" web site, the previously posed
scenarios might be a threat. I don't know & certainly don't know how
hard it would be, even for a nation, devoting those kinds of resources &
time. I'm NOT saying it's next to impossible - I'm asking.
Due to the ever increasing electronic internet monitoring activities of
LEOs in the U.S., I'm sure most would be surprised at their capabilities.
If * * * making changes to TBB settings, addons, etc, poses a REAL risk,
it might be a good idea for Tor devs to put a warning in big, red
letters on the browser start page & on the Tor Project TBB main & d/l
pages. Perhaps links to, in laymans' terms how making any changes from
default TBB settings, what so ever, could lead authorities to your
door. I'm sincere - if it's that much of a risk, the current info /
docs aren't nearly prominent or clear enough. If it's not that much of
a REAL risk, that should be explained also - how / when it MIGHT become
a real risk.
>
More information about the tor-talk
mailing list