[tor-talk] panopticlick data

Joe Btfsplk joebtfsplk at gmx.com
Wed Oct 2 15:22:38 UTC 2013


On 10/2/2013 12:08 AM, Andreas Krey wrote:
> On Tue, 01 Oct 2013 13:43:10 +0000, Joe Btfsplk wrote:
> ...
>> I believe in same TBB version (maybe the same in many versions) they
>> spoof the useragent & time zone, but wouldn't differences in screen
>> sizes & color bit ALONE, among a few users on one entry / exit
>> combination, at a given moment be enough to fingerprint one user?
> Fingerprinting isn't about identifying the same session (there are
> cookies for that), but about recognizing you on your next visit when
> you come from a different IP/exit (or even the same)
I can't say if that is / isn't true.  If it is, it goes back to my question 
/ pondering, if regularly changing some browser trait(s) (maybe w/ an 
extension, Tor Button) would make it much more difficult to conclusively 
say, "This is the same person / browser."

Seems unlikely that all TBB users having the exact same browser 
characteristics is going to happen.  It's good in theory, but may be 
unrealistic.  Perhaps approaching the issue from a more realistic 
standpoint is worth looking into?

Chaos is easier to achieve than perfection.  Wondering:  in practice, 
which would be easier to achieve and / or be more successful at 
preventing fingerprinting:

Trying to make all TBB users look identical or constantly changing 
(spoofing) some browser characteristics (ones that DON'T break 
functionality), so that every TBB browser is "constantly" changing its 
profile?
Perhaps call it SSTBB - shape shifter TBB.  There may be drawbacks to 
*regularly* changing ANY characteristics used for fingerprinting.  Just 
a thought.  Definitely problems w/ the current method of trying to make 
everyone look identical.
> Screen/Window size spoofing is pointless as there are many ways of finding
> out the actual window size. And colors are pretty much always 24bit anyway.
>
Does the issue of other ways to find the actual screen size value 
apply to other browser traits as well (some / many)?  If so, possibly 
ONLY turning off JavaScript would prevent much of that. Unfortunately, 
that breaks at least part of many sites.
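
The question raised in this message (whether screen size and colour depth alone single out one user among a few, and how "all identical" compares with constantly changing values) can be put in Panopticlick's terms: anonymity-set size and bits of surprisal. This is an added example, not part of the original post; the population, the `FIXED` value and all function names are constructed for illustration.

```python
import math
import random
from collections import Counter

# Constructed sample: (screen size, colour depth) reported by 8 hypothetical
# users on one entry/exit combination at the same moment. Not measured data.
POPULATION = [
    ("1366x768", 24), ("1366x768", 24), ("1366x768", 24), ("1366x768", 24),
    ("1920x1080", 24), ("1920x1080", 24),
    ("1280x800", 24), ("1600x900", 16),
]
FIXED = ("1000x600", 24)  # constructed stand-in for one shared reported value

def surprisal_bits(fingerprints):
    """Map each distinct fingerprint to (anonymity set size, bits of surprisal)."""
    total = len(fingerprints)
    return {fp: (n, math.log2(total / n)) for fp, n in Counter(fingerprints).items()}

def unique_users(fingerprints):
    """Number of users whose fingerprint nobody else in the set shares."""
    return sum(1 for n in Counter(fingerprints).values() if n == 1)

def uniform(population, value=FIXED):
    """'Everyone looks identical': every browser reports the same value."""
    return [value for _ in population]

def shape_shift(population, rng, choices):
    """'Shape shifter': every browser reports a fresh random value per visit."""
    return [rng.choice(choices) for _ in population]

def relinked(visit1, visit2):
    """Users unique on both visits with an unchanged value. Models only a site
    comparing reported values, not values it obtains some other way."""
    c1, c2 = Counter(visit1), Counter(visit2)
    return sum(1 for a, b in zip(visit1, visit2)
               if a == b and c1[a] == 1 and c2[b] == 1)

if __name__ == "__main__":
    rng = random.Random(2013)
    choices = sorted(set(POPULATION))
    runs = {
        "real values": (POPULATION, POPULATION),
        "all identical": (uniform(POPULATION), uniform(POPULATION)),
        "shape shifter": (shape_shift(POPULATION, rng, choices),
                          shape_shift(POPULATION, rng, choices)),
    }
    for name, (v1, v2) in runs.items():
        worst = max(bits for _, bits in surprisal_bits(v1).values())
        print(f"{name:14} unique={unique_users(v1)} "
              f"max_bits={worst:.2f} relinked={relinked(v1, v2)}")
```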

