[tor-talk] New methods / research to detect add-ons?

pacifica at riseup.net pacifica at riseup.net
Tue Sep 29 15:44:44 UTC 2015 

Thanks aka -- I'm familiar with the conventional wisdom that add-ons 
make you more unique... but I am really looking for any formal study or 
code PoC that perhaps identifies more direct methods of detecting 
add-ons. Perhaps it's different for every add-on, and it probably is, 
especially considering some add-ons may not be reviewed for 
security/privacy at all. So some library would probably need to be 
compiled and maintained to try to exhaustively detect all known add-ons, 
similar to fingerprint.js.

The current logic (AFAIK) would be: if websiteA.com hasn't developed a 
detection technique for Add-On-X, then it can't detect it. I suspect 
add-ons could be detected more directly, but I have not seen any study 
or code to support that yet.

To be clear, I'm not arguing that TBB's design logic is flawed here at 
all -- I know it's not, and I can think of a _lot_ of reasons why, a 
couple of which you listed. Anything that distinguishes you from "the 
herd" is "bad" to the extent it doesn't catastrophically compromise your 
security.

But I'm still looking for something a bit more formal in terms of 
discussing a quantitative, or pseudo-quantitative impact on anonymity / 
privacy by add-on detection either in code PoC or academic research...

Thank you for your reply. I completely agree with TP's position on 
add-ons and often advocate for the same. Just playing devil's 
advocate... :)

Thanks,

pacifica


On 2015-09-29 15:14, aka wrote:
> Every add-on installed/not installed gives you one more bit of 
> detection.
> For example to detect HTTPS-Everywhere you start a http connection via
> javascript and check if it gets automaticly upgraded to https. To 
> detect
> Adblock you check via javascript if a certain ad got loaded. To detect
> Scriptblock you check if javascript got executed at all.The three
> examples above give you 3 more bits, so your detection got 8 times more
> targeted.
> If the NSA now records you visiting an internet forum via TBB and
> leaking something and detect another visitor with the same 3 bits set
> looking for a train scheduele, they can verify with a high confidence
> you posted that message and live in that area.
> That's why it's important that every TBB installation has the same
> Http-Header values and same add-ons.
> You don't need any studies, it's simple common knowledge.
> 
> pacifica at riseup.net wrote:
>> Hello afternoon / evening / morning tor-talk -- I am hoping that 
>> someone
>> can point me in the right direction. I know it is well-discussed that
>> adding Firefox add-ons to the Tor Browser Bundle decreases anonymity,
>> but I would like to review the studies myself. I'm having trouble
>> finding credible research where detection of add-ons has resulting in 
>> a
>> significant decrease in anonymity... can someone please point me to
>> those resources?
>> 
>> To be explicit, I am not concerned with "plug-ins" like Java or Flash,
>> but rather "add-ons" like HTTPS everywhere or Privacy Badger.
>> 
>> Thanks in advance.
>> 
>> pacifica

More information about the tor-talk mailing list