[tor-talk] Spoofing a browser profile to prevent fingerprinting

Georg Koppen gk at torproject.org
Wed Jul 30 06:44:40 UTC 2014

> With scripts allowed globally, Panopticlick sees another 2-3 bits. I
> suspect that much of the additional information is also the same for all
> Tor browsers, given what I've read about Tor-specific tweaks. If that's
> the case, this isn't a major issue.

That's not necessarily the case. But anyway, the current Panopticlick is
not a good way to test for Tor Browser uniqueness[1] (and see below).

> What is a major issue is the risk of being exploited through a
> JavaScript vulnerability. And that's why I always block scripts.

Note that we disable a bunch of JIT-related preferences to mitigate that
risk[2] and are investing efforts in getting hardened builds deployed[3].

> The risk from doing that, of course, is that each user will tend to
> customize their NoScript profile in a distinct way. And that will allow
> websites to tell them apart.
> Even so, Panopticlick can't report anything about that. For that, one
> would need a version of Panopticlick that's restricted to assessing and
> comparing Tor browser profiles. Right?

Yes. There are plans for one which is helpful in this regard[4][5].


[1] https://bugs.torproject.org/6119
[2] https://bugs.torproject.org/9387#comment:17
[3] https://bugs.torproject.org/10599
[4] https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick
[5] https://lists.torproject.org/pipermail/tor-dev/2014-March/006486.html
