[tor-talk] Spoofing a browser profile to prevent fingerprinting

Ben Bailess ben.bailess at gmail.com
Tue Jul 29 21:35:16 UTC 2014

I appreciate all the time and effort you put into your response and I agree
that we must use facts not feelings to discuss the issue at hand. As a
thought experiment: what is the *maximum* amount of personally identifiable
information that can be exfiltrated from a user's browser without
compromising his/her anonymity?

With regard to 33 bits of entropy being the critical mass of positive
identification, are the sources you're citing?
/ http://www.law.yale.edu/documents/pdf/ISP/Lee_Tien.pdf

Those studies appear to be talking about identifying individuals and less
re. browser fingerprints. Based on the (very) basic data below, my
fingerprint in FF with JS enabled was "unique" out of the >4M browser
samples thus far but "only" revealed 22 bits of entropy. This tells me that
33 bits of entropy is significantly more than what is necessary to
positively identify a user.

I am definitely not the person to make decisions here one way or the other,
I just wanted to give my opinion of the relative benefits of leaving
JavaScript enabled by default and the "blend in" theory promulgated by the
TP devs thus far. But here are some numbers that I just collected that
perhaps could be of use to you. This test was done with the latest TBB
(3.6.3) and Firefox versions on Linux (Fedora), with both JS on and off:

FF (private browsing) / JS disabled = 16 bits (not "unique" - one in 65,487)
FF (private browsing) / JS enabled = 22 bits ("unique" out of >4M samples)
FF (normal browsing) / JS disabled = 15.98 bits (not "unique" - one in
FF (normal browsing) / JS enabled = 21.07 bits (not "unique" but one in
2,193,824 [roughly 2 matching entries in the sample]... so the other data
point may well have been me...)
TBB / JS enabled = 12.06 bits (not "unique" - one in 4,260)
TBB / JS disabled = 9.05 bits (not "unique" - one in 529 are same)

TBB was fresh -- I literally verified the download, ran the 'start tor
browser' script, clicked "connect" and went directly to panopticlick.eff.org
to run the test with JavaScript on first (default TBB setting) and then
turned it off globally to run it again within a minute or two of each other.

The "unique" verbiage I added in parentheses above is in reference to the
blurb on the page about whether or not your fingerprint is "unique" among
their samples thus far of collected fingerprints. And of course this is
only Panopticlick, so take that into consideration.

You seem to be getting higher numbers overall, so perhaps there is
something materially dissimilar about our systems that is causing the gap.
I don't have Flash or Java installed at all, so perhaps that's limiting
things somewhat. I also have a handful of plugins.

In other words, I don't know what the *minimum* amount of identifying
information is sufficient to deanonymize a user, but I'd love to know and
see how TBB with and without JS respectively.

Thanks to all for everything you do.



On Tue, Jul 29, 2014 at 2:29 PM, Joe Btfsplk <joebtfsplk at gmx.com> wrote:

> On 7/29/2014 12:16 AM, Ben Bailess wrote:
>> There are some built-in protections in TBB that keep honored requests for
>> known fingerprinting data to a minimum, so the TBB does not function like a
>> normal browser in this instance.
>> It most notably limits the high entropy factors -- responses for fonts and
>> plugin microversions. And as long as you obey the nice Tor devs and don't
>> install any additional plugins, then plugin microversions won't be
>> unique/identifiable either. *So enabling JS really isn't quite as big* of a
>> step out into the light as it would be in say Chromium or Firefox, which
>> has no protections against HTML5 canvas fingerprinting (or anything by
>> default) for instance.
> [Emphasis Added].  Don't know about enabling JS not being "big."
> This isn't a "feeling" topic or discussion (general statement, not aimed
> at anyone).
> Either we use facts (as best understood) to make decisions on this, or we
> don't.
> I'm no expert on fine details of this, but over a long time of checking
> TBB, Firefox, JonDo Fox, etc., on multiple test sites, it's always clear
> that far more info is available when JS is enabled.
> The EFF says ~ 33 bits of identifying info (ii) are needed to accurately
> identify the same browser / machine at multiple sites.
> Even if that's just a ball park figure, when I visit Panopticlick,
> BrowserSpy.dk & others (many times, many browser versions, spread out over
> a yr +) , the difference in bits ii when JS is enabled or disabled, goes
> from well below 33 bits (in mid 20's) to well over 40 bits.
> It's the same in vanilla Fx.
> In vanilla Fx & NoScript - JS disabled, test sites might show * 24  bits
> of ii *.  Nearly as good as TBB w/ JS disabled.  Well under EFF's threshold
> to accurately identify a browser / device.
> Enable JS in vanilla Fx & it shoots to * > 43 bits ii * (again,
> essentially the same as TBB under same scenario).
> That appears to mean that vanilla Fx & NoScript w/ JS disabled, is no more
> * identifiable * as "the same browser" than TBB w/ JS disabled.
> So either EFF's (& others) estimation on what's needed to identify a
> browser is considerably off, or enabling JS is a * BIG * deal.
>> So if allowing at least some JavaScript is inevitable, then I think the Tor
>> devs have the right idea -- assume that some use of JS is a foregone
>> conclusion and protect the users from the additional exposure to
>> fingerprinting in a way that makes them all look as similar as possible.
>> If the user prefers to have more privacy / security by forsaking some
>> anonymity by disabling JavaScript and thereby making him/herself
>> identifiable as a smaller subset of overall Tor Browser users, that's
>> his/her option.
> Yes, in a smaller subset.  But, what good is being in a larger set of Tor
> users (that leave JS enabled), if doing so allows sites / trackers to
> clearly identify the same browser at multiple sites, or even end to end of
> Tor circuits, for advanced adversaries?
> "Hiding" in a crowd, where you're still clearly identifiable doesn't make
> much sense.
> Back to one main school of thought:  * an adversary needs X bits of
> identifying info * to accurately identify the same browser at multiple
> sites, or end to end in Tor circuits.
> Do you want to be in a large crowd, where everyone reveals well over the
> required bits ii needed to accurately identify each one?
> Or be in a smaller crowd, but users can't be individually identified - end
> to end, or site to site?
> Unless this business of "necessary bits of identifying info to identify
> the same browser" is inaccurate & blown out of proportion.
> That's where I have to rely on * real * experts.  Not on feelings or
> supposition.
> Either the results from repeated tests I've done, separated by many
> months, are meaningful or they're not.
> Either ~ 33 bits of info (or anything close) will allow identifying a
> browser, or it won't.
>> But in that instance, said user should probably be using
>> Tails to remedy those sorts of problems since Tails addresses even more
>> fingerprinting issues.
> If Tails, or any other means is needed to provide anonymity (while still
> being able to actually use the web), then those should be a part of Tor /
> TBB.
> Unless the only goal is to hide destinations from one's ISP, then providing
> only part of what's needed in TBB for reasonable anonymity is...
> *"Here's a browser / network that'll hide your IPa.  BTW, if you use it w/
> JS, you can be identified at each end of a circuit and at each website."*
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
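
The arithmetic behind the figures quoted in this message, as an added example that is not part of the original post: it converts the Panopticlick "one in N" results to bits, shows the largest value a data set of about 4M samples can report, and scales each reading to a larger population. The 4,000,000 lower bound for ">4M", the 2^33 reference population, and the premise that a frequency measured in one sample carries over to another population are assumptions made here.

```python
import math

# "One in N" results reported in the message above.
READINGS = {
    "FF private, JS disabled": 65_487,
    "FF normal, JS enabled": 2_193_824,
    "TBB, JS enabled": 4_260,
    "TBB, JS disabled": 529,
}
SAMPLE_SIZE = 4_000_000          # assumption: lower bound for the ">4M" samples
REFERENCE_POPULATION = 2 ** 33   # assumption: the population 33 bits can index

def surprisal_bits(one_in_n):
    """Bits of identifying information in a fingerprint shared by 1 in N."""
    return math.log2(one_in_n)

def measurable_ceiling_bits(sample_size):
    """Largest surprisal a data set of this size can report. A fingerprint
    seen only once is 'unique', which only shows bits >= log2(sample_size)."""
    return math.log2(sample_size)

def expected_anonymity_set(population, bits):
    """Expected number of members of `population` sharing the fingerprint,
    assuming the measured frequency carries over to that population."""
    return population / 2 ** bits

def summarize(readings, sample_size, population):
    """One row per reading: bits, and expected matches at each scale."""
    rows = []
    for label, one_in_n in readings.items():
        bits = surprisal_bits(one_in_n)
        rows.append({
            "label": label,
            "bits": round(bits, 2),
            "in_sample": round(expected_anonymity_set(sample_size, bits)),
            "in_population": round(expected_anonymity_set(population, bits)),
        })
    return rows

if __name__ == "__main__":
    ceiling = measurable_ceiling_bits(SAMPLE_SIZE)
    print(f"ceiling for {SAMPLE_SIZE:,} samples: {ceiling:.2f} bits")
    for row in summarize(READINGS, SAMPLE_SIZE, REFERENCE_POPULATION):
        print(row)
```
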
