[tor-talk] Basic questions from new user but...

Sat May 12 16:37:35 UTC 2012

On 5/11/2012 7:21 AM, Maxim Kammerer wrote:
> On Fri, May 11, 2012 at 2:36 AM, Joe Btfsplk<joebtfsplk at gmx.com>  wrote:
>> Isn't this approach very much a double edged sword?  From the link:
>>> However, we recommend that even users who know how to use NoScript leave
>>> JavaScript enabled if possible, because a website or exit node can easily
>>> distinguish users who disable JavaScript from users who use Tor Browser
>>> bundle with its default settings (thus users who disable JavaScript are less
>>> anonymous).
>> It may be true that changing settings makes one's profile different, but
>> from all I've ever read, java script is responsible for more malicious
>> browser attacks than anything.  That's not so good.
> Javascript atacks are, however, out of the scope for anonymity
> research. The anonymity set reduction above, while purely theoretical
> and of no practical significance, is in that scope. It's a typical
> case of project focus shifting priorities to user's disadvantage.
> Moreover, if many users turn Javascript off often, it is quite
> possible that turning it off offers more (theoretical) anonymity due
> to the possibility of fingerprinting users' browser versions by
> browsers' respective Javascript quirks.
>
>> Can someone explain to non-Tor network experts in layman's terms (25 words
>> or<  ) :D, what exactly some one / entity HAS to be able to do in order to
>> profile that Joe has java script disabled,&  then be able to tie it to MY
>> (dynamic) IP address - at * that * moment (an address that could change
>> anytime), or to me physically, sitting here at 123 Oak St., Bumfk, ND?
> It is not possible — anonymity set reduction only shifts your
> anonymity towards pseudonymity. I would guess that most browser users
> do not need true anonymity, however, and are fine with pseudonymity.
>
>> Then, what are the REAL world odds that out of all the exit nodes traffic,
>> which are constantly changing users, that someone can monitor enough nodes
>> AND be able to tie it directly to ONE specific person, w/ a real name&
>> physical address?  Are we talking that any 12 yr old w/ the right, free
>> software can do this, or "theoretically"?
> Theoretically.
Thanks Maxim.  You may be 100% correct.  No disrespect, but these 
questions - esp. one about changing TBB setting(s) like js or using an 
addon not included in the package (assuming an addon doesn't "leak") 
seem like PRETTY important questions.

I think one of the devs w/ expertise in that area of Tor should answer 
the * real world explanation & chances * how those actions would 
realistically allow someone / entity to positively identify a PERSON, or 
lead them to that person's door, so users can understand.  Explanation 
should also probably be in FAQs.

I don't know your background or if you're associated w/ Tor Project in 
any way - I mean no disrespect.