[tor-talk] Spoofing a browser profile to prevent fingerprinting

Mirimir mirimir at riseup.net
Wed Jul 30 01:48:13 UTC 2014

I don't get that EFF's Panopticlick entropy and uniqueness estimates are
relevant to discussing Tor anonymity.

With the latest Tor browser in a Crunchbang 11 x64 VirtualBox VM without
guest extensions (rather unusual right there) I get 11.29 bits (one in
2,505) with default NoScript "Allow Scripts Globally". That's very close
to Ben's 12.06 bits (one in 4,260).

With NoScript toggled to "Forbid Scripts Globally", I get exactly what
Ben got: 9.05 bits (one in 529). And by the way, that's not the sum of
the individual browser characteristic results. As Joe notes, they're
mostly 1.75 bits, because Panopticlick can't determine them. And the
overall estimate seems to largely ignore them.

From the results with scripts blocked, I conclude that Panopticlick sees
the same fingerprint from all Tor browsers that have NoScript blocking
all scripts. The "one in 529" arguably reflects the share of visitors
who are using Tor browser. It says nothing about differences between Tor

With scripts allowed globally, Panopticlick sees another 2-3 bits. I
suspect that much of the additional information is also the same for all
Tor browsers, given what I've read about Tor-specific tweaks. If that's
the case, this isn't a major issue.

What is a major issue is the risk of being exploited through a
JavaScript vulnerability. And that's why I always block scripts.

The risk from doing that, of course, is that each user will tend to
customize their NoScript profile in a distinct way. And that will allow
websites to tell them apart.

Even so, Panopticlick can't report anything about that. For that, one
would need a version of Panopticlick that's restricted to assessing and
comparing Tor browser profiles. Right?
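
An added illustration, not part of the original message: it computes the same "bits / one in N" figure for a fingerprint against all visitors and against Tor browser users only, and compares both with a naive sum of per-attribute bits. The visitor counts, attribute values and NoScript state names are constructed for the example and are not Panopticlick data.

```python
import math
from collections import Counter

# Constructed visitor counts, keyed by (browser, screen size, NoScript state).
# Illustrative numbers only, not Panopticlick data.
VISITORS = Counter({
    ("firefox", "1920x1080", "n/a"): 600,
    ("chrome", "1366x768", "n/a"): 408,
    ("torbrowser", "1000x600", "forbid-all"): 12,
    ("torbrowser", "1000x600", "custom-a"): 3,
    ("torbrowser", "1000x600", "custom-b"): 1,
})

def surprisal_bits(population, fingerprint):
    """Bits of identifying information: -log2(share with this exact fingerprint)."""
    return -math.log2(population[fingerprint] / sum(population.values()))

def restrict(population, browser):
    """Keep only visitors whose first attribute (browser) matches."""
    return Counter({fp: n for fp, n in population.items() if fp[0] == browser})

def sum_of_attribute_bits(population, fingerprint):
    """Add per-attribute surprisal as if the attributes were independent."""
    total = sum(population.values())
    bits = 0.0
    for i, value in enumerate(fingerprint):
        matching = sum(n for fp, n in population.items() if fp[i] == value)
        bits += -math.log2(matching / total)
    return bits

def report(fingerprint):
    """Compare the three measurements for one fingerprint."""
    tor_only = restrict(VISITORS, "torbrowser")
    return {
        "vs_all_visitors": surprisal_bits(VISITORS, fingerprint),
        "vs_tor_only": surprisal_bits(tor_only, fingerprint),
        "naive_attribute_sum": sum_of_attribute_bits(VISITORS, fingerprint),
    }

if __name__ == "__main__":
    for fp in [fp for fp in VISITORS if fp[0] == "torbrowser"]:
        print(fp, {k: round(v, 2) for k, v in report(fp).items()})
```

In this constructed sample every Tor browser fingerprint carries the same 6 bits for "is a Tor browser user"; only the remainder, measured against Tor users alone, separates one Tor user from another.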
