[tor-talk] Spoofing a browser profile to prevent fingerprinting

Joe Btfsplk joebtfsplk at gmx.com
Tue Jul 29 18:29:22 UTC 2014

On 7/29/2014 12:16 AM, Ben Bailess wrote:
> There are some built-in protections in TBB that keep honored requests for
> known fingerprinting data to a minimum, so the TBB does not function like a
> normal browser in this instance.
> It most notably limits the high entropy factors -- responses for fonts and
> plugin microversions. And as long as you obey the nice Tor devs and don't
> install any additional plugins, then plugin microversions won't be
> unique/identifiable either. *So enabling JS really isn't quite as big* of a
> step out into the light as it would be in say Chromium or Firefox, which
> has no protections against HTML5 canvas fingerprinting (or anything by
> default) for instance.
[Emphasis Added].  Don't know about enabling JS not being "big."
This isn't a "feeling" topic or discussion (general statement, not aimed 
at anyone).
Either we use facts (as best understood) to make decisions on this, or 
we don't.

I'm no expert on fine details of this, but over a long time of checking 
TBB, Firefox, JonDo Fox, etc., on multiple test sites, it's always clear 
that far more info is available when JS is enabled.
The EFF says ~ 33 bits of identifying info (ii) are needed to accurately 
identify the same browser / machine at multiple sites.

Even if that's just a ball park figure, when I visit Panopticlick, 
BrowserSpy.dk & others (many times, many browser versions, spread out 
over a yr +) , the difference in bits ii when JS is enabled or disabled, 
goes from well below 33 bits (in mid 20's) to well over 40 bits.
It's the same in vanilla Fx.
In vanilla Fx & NoScript - JS disabled, test sites might show * 24  bits 
of ii *.  Nearly as good as TBB w/ JS disabled.  Well under EFF's 
threshold to accurately identify a browser / device.
Enable JS in vanilla Fx & it shoots to * > 43 bits ii * (again, 
essentially the same as TBB under same scenario).

That appears to mean that vanilla Fx & NoScript w/ JS disabled, is no 
more * identifiable * as "the same browser" than TBB w/ JS disabled.
So either EFF's (& others) estimation on what's needed to identify a 
browser is considerably off, or enabling JS is a * BIG * deal.

> So if allowing at least some JavaScipt is inevitable, then I think the Tor
> devs have the right idea -- assume that some use of JS is a foregone
> conclusion and protect the users from the additional exposure to
> fingerprinting in a way that makes them all look as similar as possible.
> If the user prefers to have more privacy / security by forsaking some
> anonymity by disabling JavaScript and thereby making him/herself
> identifiable as a smaller subset of overall Tor Browser users, that's
> his/her option.
Yes, in a smaller subset.  But, what good is being in a larger set of 
Tor users (that leave JS enabled), if doing so allows sites / trackers 
to clearly identify the same browser at multiple sites, or even end to 
end of Tor circuits, for advanced adversaries?
"Hiding" in a crowd, where you're still clearly identifiable doesn't 
make much sense.

Back to one main school of thought:  * an adversary needs X bits of 
identifying info * to accurately identify the same browser at multiple 
sites, or end to end in Tor circuits.
Do you want to be in a large crowd, where everyone reveals well over the 
required bits ii needed to accurately identify each one?
Or be in a smaller crowd, but users can't be individually identified - 
end to end, or site to site?

Unless this business of "necessary bits of identifying info to identify 
the same browser" is inaccurate & blown out of proportion.
That's where I have to rely on * real * experts.  Not on feelings or 
Either the results from repeated tests I've done, separated by many 
months, are meaningful or they're not.
Either ~ 33 bits of info (or anything close) will allow identifying a 
browser, or it won't.

>   But in that instance, said user should probably be using
> Tails to remedy those sorts of problems since Tails addresses even more
> fingerprinting issues.
If Tails, or any other means is needed to provide anonymity (while still 
being able to actually use the web), then those should be a part of Tor 
/ TBB.
Unless the only goal is to hide destinations from ones ISP, then 
providing only part of what's needed in TBB for reasonable anonymity is...
*"Here's a browser / network that'll hide your IPa.  BTW, if you use it 
w/ JS, you can be identified at each end of a circuit and at each website."*

More information about the tor-talk mailing list