[tor-talk] Basic questions from new user but...

Joe Btfsplk joebtfsplk at gmx.com
Fri May 11 14:37:52 UTC 2012



On 5/11/2012 7:21 AM, Maxim Kammerer wrote:
> On Fri, May 11, 2012 at 2:36 AM, Joe Btfsplk <joebtfsplk at gmx.com> wrote:
>> Isn't this approach very much a double edged sword?  From the link:
>>> However, we recommend that even users who know how to use NoScript leave
>>> JavaScript enabled if possible, because a website or exit node can easily
>>> distinguish users who disable JavaScript from users who use Tor Browser
>>> bundle with its default settings (thus users who disable JavaScript are less
>>> anonymous).
>> It may be true that changing settings makes one's profile different, but
>> from all I've ever read, java script is responsible for more malicious
>> browser attacks than anything.  That's not so good.
> Javascript attacks are, however, out of the scope for anonymity
> research. The anonymity set reduction above, while purely theoretical
> and of no practical significance, is in that scope. It's a typical
> case of project focus shifting priorities to user's disadvantage.
> Moreover, if many users turn Javascript off often, it is quite
> possible that turning it off offers more (theoretical) anonymity due
> to the possibility of fingerprinting users' browser versions by
> browsers' respective Javascript quirks.
I'm guessing a large # of above avg to advanced TBB users are turning 
off js in No Script - at least some times.  Problem is, Tor Project has 
no way of knowing the #s, so no way to quantify (even theoretically) how 
much it increases their browser uniqueness.
>
>> Can someone explain to non-Tor network experts in layman's terms (25 words
>> or < ) :D, what exactly some one / entity HAS to be able to do in order to
>> profile that Joe has java script disabled, & then be able to tie it to MY
>> (dynamic) IP address - at * that * moment (an address that could change
>> anytime), or to me physically, sitting here at 123 Oak St., Bumfk, ND?
> It is not possible — anonymity set reduction only shifts your
> anonymity towards pseudonymity. I would guess that most browser users
> do not need true anonymity, however, and are fine with pseudonymity.
>
>> Then, what are the REAL world odds that out of all the exit nodes traffic,
>> which are constantly changing users, that someone can monitor enough nodes
>> AND be able to tie it directly to ONE specific person, w/ a real name &
>> physical address?  Are we talking that any 12 yr old w/ the right, free
>> software can do this, or "theoretically"?
> Theoretically.
I don't know if your answers are totally / partly / not correct, but 
they are similar to my limited understanding & gut feeling.  PERHAPS if 
the adversary is a hostile nation w/ complete monitoring of entire 
internet traffic, ability to search ALL ISP's records / logs AND 
resources & inclination to track down one user that has js turned off, 
because he accessed a "forbidden" web site, the previously posed 
scenarios might be a threat.  I don't know & certainly don't know how 
hard it would be, even for a nation, devoting those kinds of resources & 
time.  I'm NOT saying it's next to impossible - I'm asking.

Due to the ever increasing electronic internet monitoring activities of 
LEOs in the U.S., I'm sure most would be surprised at their capabilities.
If * * * making changes to TBB settings, addons, etc, poses a REAL risk, 
it might be a good idea for Tor devs to put a warning in big, red 
letters on the browser start page & on the Tor Project TBB main & d/l 
pages.  Perhaps links to, in layman's terms how making any changes from 
default TBB settings, whatsoever, could lead authorities to your 
door.  I'm sincere - if it's that much of a risk, the current info / 
docs aren't nearly prominent or clear enough.  If it's not that much of 
a REAL risk, that should be explained also - how / when it MIGHT become 
a real risk.
>

