[tor-talk] Fingerprinting Re: Tor Weekly News — October 23th, 2013

krishna e bera keb at cyblings.on.ca
Thu Oct 24 21:10:43 UTC 2013

On 13-10-24 02:21 PM, author at anonymousbitcoinbook.com wrote:
> By changing the browser fingerprint, do you mean altering the HTTP
> request headers, such as the User-agent? You'd need to decrypt SSL/TLS
> traffic in order to modify the headers of any request sent over SSL/TLS,
> so that limits you to plaintext HTTP traffic.

TBB alters and/or generates request headers that enlarge the anonymity
set, which means try to make all Tor users look alike.  There is no
decryption done enroute, the HTTP stuff is all done at the source
(before entering the Tor network) in the browser above the TCP layer.
See the docs on TorButton for details:

There is also resistance to remote device fingerprinting that takes
place at a lower level:

> You COULD alter HTTP request headers at each hop, but let me raise a
> potential objection: A considerable number of websites return different
> HTTP responses based on the contents of HTTP request headers, so you'd
> be potentially mucking up the deterministic output of web applications.
> A common example is returning a different version of a website when the
> User-Agent indicates a mobile device. One obvious part of the browser
> fingerprint is unique cookie values, such as those set by third-party ad
> domains. Cookies would be one of the trickiest to modify, because they
> are integral to the function of the vast majority of websites, and it
> would be difficult when to mutate a cookie value without negatively
> impacting the function of the web application.

I couldnt find a quick answer on Orbot's website or the Guardian Project
as to whether they try to look like desktop TBB, or perhaps more likely
try to put all mobile Tor users in the same anonymity set.

More information about the tor-talk mailing list