ymir OP wrote

So if you check out Panopticlick on the EFF website, I think the strategy, as far as fingerprinting goes, is that you try to blend in, with inaccurate information. I think switching your user agent is a much different thing than randomizing your user agent. I don't think you should randomize it; you switch between other very common user agents. I actually have a script that I use to get the most common user agents from a site that records them and I update my user agent based on the most common user agents. So to really get granular here, it is best for people to throw their browser through something like Burp proxy every now and again and see what their browser is leaking. If you are blocking JavaScript, then there is no known way to determine what other plugins you are using unless they are leaking information themselves, which Ghostery may very well be doing. If that is true, then it probably is better to use another solution, but from what I have read, Ghostery respects your opting out of data collection. Again, if it were open source we could really vet that.

I don't think people should worry about plugins/add-ons creating a profile too much unless they are using JavaScript consistently, in which case everything else you do for privacy is kind of moot. I really appreciate that this site is 100% usable without enabling JavaScript. I think we need to start coding that way more frequently. If a site needs JavaScript, you better really trust them. But even something like jQuery, which is maintained by Google and is pretty ubiquitous across the web, is really a bad idea.

I think Decentraleyes is just as useful when using Tor as it is otherwise. I personally block Facebook and Google in my hosts file and when not using Tor, I never have a problem with content loading at this point because I am retrieving it locally instead of from a CDN. It works the same way via Tor, but my hosts file never enters into the equation with Tor since all of my DNS requests are going through Tor exclusively. However, if you run a session through Burp with Decentraleyes enabled and disabled, you will see an incredible amount of third-party traffic without it. I prefer to control that and it is my belief that in so doing I have become more difficult to profile. I don't think that making fewer CDN requests is something that can really be used to profile you. It might be helpful with traffic analysis, but if that is happening to you, you are already in trouble and whether you make fewer CDN requests or not will not really make any difference. I don't think it is going to single you out though.

I think killing cookies when you close a tab automatically is really great for somebody that has their browser always open. It isn't much different than clicking new identity, except that it is not creating a new tunnel. The fact that it is automated is really important because most people get lazy, myself included. We need to make these good security practices as automatic as possible instead of leaving it in the user's hands. It is just good practice to delete cookies and doing it without having to close your browser is a really handy feature. It might be one you find extraneous and others can make that call for themselves, but there really is no way to fingerprint somebody based on that occurring or not if they are already going through Tor since your connection is already anonymized and it would be difficult to tell what other websites you were visiting at the same time. If anything, this practice prevents traffic analysis by collection of third-party cookies or cookie staining, which was an attack that was recently demonstrated at DEF CON. To me that is an absolutely crucial plugin.

As I said in the post, these are plugins you may want to consider and I can make a good case for all of them. Ultimately Tor Browser is set up pretty well for the average user, but these are things you can do to enhance the security. I think there are some other things I would like to see Tor Browser be a little more strict about, like blocking SSL versions that have known vulnerabilities. There is still a lot left up to the user that can mess you up. Whatever the case, I think you should always take the time to record some sessions in Burp proxy before you use your browser for something that you need a high level of anonymity for. If you are the average activist, you are probably good with just the Tor Browser Bundle and you can consider the plugins that I mentioned or not.

It is also a good idea to run your browser through Panopticlick with JavaScript enabled so you can see what is being leaked. I use a lot of those plugins specifically because they do better on the Panopticlick test.

5
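
The with/without comparison of proxy captures described in the comment above, as an added example that is not part of the original post. It assumes the request URLs have been exported from the proxy history as plain lists; all hostnames are constructed, and "same site" is approximated by the last two DNS labels rather than the public suffix list.

```python
from collections import Counter
from urllib.parse import urlsplit


def site_of(host):
    """Approximate the registrable domain as the last two labels (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_hosts(page_url, request_urls):
    """Count requests per host that belongs to a different site than the page."""
    own_site = site_of(urlsplit(page_url).hostname)
    counts = Counter()
    for url in request_urls:
        host = urlsplit(url).hostname
        if host and site_of(host) != own_site:
            counts[host] += 1
    return counts


def compare_captures(page_url, without_ext, with_ext):
    """Summarise which third-party hosts disappear when the extension is on."""
    before = third_party_hosts(page_url, without_ext)
    after = third_party_hosts(page_url, with_ext)
    return {
        "removed": sorted(set(before) - set(after)),
        "remaining": sorted(after),
        "requests_before": sum(before.values()),
        "requests_after": sum(after.values()),
    }


# Constructed sample captures of one page load (not real traffic).
PAGE = "https://forum.example.org/thread/1"
CAPTURE_WITHOUT = [
    "https://forum.example.org/thread/1",
    "https://static.example.org/site.css",
    "https://cdn.example-cdn.net/jquery.min.js",
    "https://cdn.example-cdn.net/bootstrap.min.js",
    "https://libs.example-libs.com/angular.min.js",
    "https://tracker.example-ads.com/pixel.gif",
]
CAPTURE_WITH = [
    "https://forum.example.org/thread/1",
    "https://static.example.org/site.css",
    "https://tracker.example-ads.com/pixel.gif",
]

if __name__ == "__main__":
    print(compare_captures(PAGE, CAPTURE_WITHOUT, CAPTURE_WITH))
```

Hosts listed under "remaining" are the ones still contacted with the extension enabled, which is what to review before a session that needs a high level of anonymity.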

[deleted] wrote (edited)

1

ymir OP wrote

Are you talking about anonymizing within the network or performing traffic analysis from two endpoints? I think within the Tor network, unless the crypto is broken, nobody should be able to see your user agent at all. I am sure most of the traffic leaving the network would definitely be Tor Browser Bundle, but since you are encrypted from the first hop to the entry node even, determining who you are from your user agent being unique seems hard unless you are doing other non-Tor activities with the same browser. Traffic staining seems like a much bigger deal to me than analysis of user agent. I think it would be better to look like something other than Tor at the endpoint you are trying to reach, so they would have to look up your IP to even determine that you were using Tor. If your user agent says it right off the bat, they don't even have to do a modicum of research to figure out that you are attempting to anonymize your traffic. I guess again it depends on your threat model. To me, maintaining my anonymity from the website I am visiting seems paramount; I assume an adversary capable of traffic analysis is going to be able to do traffic staining or other attacks quite easily and de-anonymize me quickly anyway. If that was my assumed adversary I might try to blend in a little more.

1

[deleted] wrote (edited)

0

ymir OP wrote (edited)

So, while I am sure you are right, that profile goes out the window as soon as you switch user agents again. There are enough people on Tor that do switch user agents that I don't really think profiling you based solely on the fact that you are switching user agents and going through Tor is particularly useful. I think if even more people did so, it would be even less useful, but that is just my perspective. I have worked on systems that use IP and User Agent together to build profiles, but should a user switch either of those things, the profiling has to start together. Connecting those profiles together would require a lot of data and a lot of guesswork, the accuracy of which is largely debatable. I believe I've already said this and I would stick with this: you shouldn't change Tor Browser unless you know what you are doing and the potential consequences. I know the potential consequences and I would prefer to make lots and lots of useless profiles on my usage that cannot be connected together easily, also making it harder to profile Tor users in general, than fit totally into the box of other Tor users. Like I said previously, if the NSA wants your history, they will just do a man-in-the-browser attack or stain your traffic to at least correlate it to your original IP. For most adversaries that is impossible. If the NSA was my adversary I would rather run an SSH hidden service on a compromised machine somewhere and tunnel through that as well as changing my user agent to a very common one. I understand the risks of changing a user agent, but honestly I think doing so frequently as well as changing your Tor identity frequently will ultimately make it harder to build any lasting profile on you.

1