a great post that was published a few years ago on Matt Traudt’s blog with some tips for people using Tor and the Tor Browser.

it also addresses common misconceptions like disabling JS and using fingerprinting tests, which unfortunately I see floating around every other day on the internet.

  • fishonthenet@lemmy.mlOP
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    3 years ago

    I just ran TBB and used deviceinfo.me to verify

    ironic how this is posted below an article that says that testing websites are not reliable and that you should not read into the results unless you understand them. I don’t think this is the case, sorry about being painfully honest but I don’t want people to freak out over tests instead of reading a well written article:

    • all of the metrics you mention as spoofed (plus a lot more, even ones that you mention in your list like navigator UA, window size, TP on/off, color depth, private mode…) carry close to no entropy. that’s because Tor Browser has a crowd and users fit in that crowd, so even if the script was advanced to go over all the metrics covered by TB (which most of the time isn’t the case), the crowd would allow you to fit in.
    • the spoofed UA in the http-header is actually for passive fingerprinting. generally speaking, your actual OS cannot be spoofed and even with JS disabled it can be bypassed by using CSS/fonts. while it’s true that TB safest mode restricts the font list and it will probably defeat most PoC out there (I think? I don’t remember but it should) it’s a big sacrifice in terms of usability when you could simply fit in with the crowd of people using TB on your same OS: arguably that’s good enough for almost everyone.
    • timing attacks are mitigated.
    • stuff like position in page, last item clicked, cursor position etc is fuzzy, how do you fingerprint based on that? plus https://github.com/arkenfox/TZP#-fingerprints-are-always-loose

    You want to know what a JS enabled Tor Browser looks like? A standard Firefox private mode tab with uBlock Origin medium mode and arkenfox user.js applied.

    that’s simply not true. TB has further enhancement and code changes, it is based on ESR plus it’s not the same as a private window at all since private mode does not write to disk for example. most importantly tho: TB has crowd and the Tor network, that’s vital and a huge difference. a traffic analysis would also probably identify Firefox + uBO in medium mode vs TB. also, arkenfox does not try to make Firefox turn into TB, that’s clearly stated in the wiki and I would know as I am a repo admin :-)

    Can the author explain me why keeping JS on is so helpful

    usability, a browser with JS disabled by default is not a good everyday browser for most. the more people use Tor Browser daily and have a good experience with it, the larger the crowd gets.

    All the above information I mentioned is trackable for…

    I mean once you are subscribed, why would they want to fingerprint you? they already know who you are. when facebook operates as third party it will be isolated plus on a different circuit and with fingerprinting protection, plus (from arkenfox’s wiki):

    if a fingerprinting script should run, it would need to be universal or widespread (i.e it uses the exact same canvas, audio and webgl tests among others - most aren’t), shared by a data broker (most aren’t), not be naive (most are) and not be just first party or used solely for bot detection and fraud prevention (most probably are)

    I also don’t get what the difference between typing private stuff on facebook on tor or behind a vpn or on your ISP’s network is. however I must say that I still understand why from a “peace of mind” perspective it makes sense to keep stuff isolated, so as I said above mine is not really a strong opinion here.

    sorry about typing a lot, but I figured this was valuable information to share, despite being nothing new.

    • TheAnonymouseJoker@lemmy.mlM
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      3 years ago

      ironic how this is posted below an article that says that testing websites are not reliable and that you should not read into the results unless you understand them

      Turns out, he is not talking about the kind of people I fit in. I am using Tor for more than a decade at this point, and have been a very avid I2P torrent user as well since many years. If not the same, I compare pretty well in experience in this aspect.

      He is talking about the kind of people who open Panopticon for fingerprint tests and misread the fractions and decimal numbers and information there when comparing, and then scream on reddit with misinterpreted posts aimed to get awards and upvotes at the cost of sanity of many people.

      deviceinfo.me is not the kind of site and data used for demonstrations he is talking about. I have a fair amount of experience to make this claim.

      To expand on the attacks that are mitigated, avoidance is a better measure than mitigation. Hence the reason why I say noJS is a better policy, the next best is turning on JS manually when needed. Keeping JS on all the time is a fool’s errand if they want to go beyond standard levels of privacy and anonymity. The author himself mentions in the last line as a subtle disclaimer why it can be a choice.

      You know how gait movements IRL work? Turns out, Google Recaptcha makes very good use of how you move and click with cursor on the captcha boxes. If you thought AI/ML image training was the only thing Google was making users do, now you know something new.

      You want to know what a JS enabled Tor Browser looks like? A standard Firefox private mode tab with uBlock Origin medium mode and arkenfox user.js applied.

      that’s simply not true. TB has further enhancement and code changes, it is based on ESR plus it’s not the same as a private window at all since private mode does not write to disk for example. most importantly tho: TB has crowd and the Tor network

      Firefox has a bigger userbase than Tor Browser users, and it is a pretty uncontested claim logically. Firefox has Tor Project’s code for anti fingerprinting and per site data isolation upstreamed to Firefox’s private browsing mode since the past 15-20 or so versions now.

      usability, a browser with JS disabled by default is not a good everyday browser for most. the more people use Tor Browser daily and have a good experience with it, the larger the crowd gets.

      Does that not make the argument for Firefox stronger for regular daily browsing usage, since it has an even bigger userbase? You can use uBlock Origin and you can enjoy Tor Browser’s dFPI and per site data isolation benefits in Firefox’s private browsing mode.

      I also don’t get what the difference between typing private stuff on facebook on tor or behind a vpn or on your ISP’s network is.

      You missed where I said how having JS on means you are keylogged easily. Your caps lock is also detectable, just to be clear. You are also forgetting that making strings out of this keylogged stuff, and then applying stylometry analysis is a very easy and cost effective way into unmasking identities behind pseudonyms. I do this myself regularly as part of OSINT investigations. It is how I have also unmasked many sockpuppets on Lemmy, Matrix, Reddit in the past few years.

      The author has a very agreeable position with me on what he speaks, but it is like how anti-imperialist viewpoints sound very correct in today’s political scenario, but every single nuance does not have to be perfect to get the idea across. He is getting the idea across here, and that is why you are arguing at length with me.

      Edit: I think this explanation is lacking. I must expand on it.

      First I will get out of the way elements that can be spoofed with JS on:

      • browser build number, country and GPS coordinates, CPU cores, user agents

      Now it is time to address elements which having JS on reveals. Feel free to correct me whatever is spoofed by Tor Browser.

      • OS Core
      • multiple nameserver connections, resolved and unresolved
      • private/incognito mode
      • tracking protection on or off
      • browser window size
      • monitor colour depth support
      • current page scroll position
      • current mouse cursor position
      • last key pressed (keylogging)
      • caps lock on or off
      • last cursor clicked position on page
      • estimation of your connection speed using page load time, network time, DNS lookup time, TCP connection time, server load time, page download time, browser load time

      Monitor colour depth support may not be a significant issue, as many have standard monitors.

      Can you explain me how these are spoofed in Tor Browser while having JS on? I have ignored the fonts as those are spoofed, and there are no timing attack vectors in this list. The last bullet point, if you want to talk about, can be used to identify if someone used a really fast connection ISP at an unusual place and time.

      Nameserver connections can be a possible issue with exit node identification, if we are to assume the OPSEC of an average journalist just downloading and using Tor Browser on any machine. If we assume relays can protect them, we have other vectors here, like…

      … page scroll and mouse cursor positions, caps lock on or off, last key pressed.

      Keylogging, as explained earlier, is a very cost effective way to unmask people. Telling people on top of it to feel free to use a personal Facebook account over Tor network, puts them in the mindset of typing personally identifiable messages, even becoming trackable down to how many errors a person makes and hits Backspace key. Imagine people typing messages under a pseudonym on a forum anonymously in a couple tabs besides the Facebook/Twitter tab, and writing with the same mental personality in mind.

      I think this reply now feels a little more apt.

      • kixik@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        3 years ago

        Sorry if way too OT, :( What torrent i2p client are you using? I don’t like the idea of vuze with a plugin, neither biglybt. I’m more inclined to something like rtorrent (ncurses, and if used with detached screen, then on any ssh session you can remotely monitor, without needing additional remote accesses or web publishing)…

          • kixik@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            3 years ago

            ohh, so I can use any torrent client (rtorrent for example), as long as I only use i2p sort of trackers, or so I understand from your post, and also from the wiki, perhaps specifying the binding address and port, or something like that…

            • TheAnonymouseJoker@lemmy.mlM
              link
              fedilink
              arrow-up
              0
              arrow-down
              1
              ·
              3 years ago

              I only know of BiglyBT that works with I2P, never tried rTorrent with I2P trackers. I just use the in-browser torrent client whenI need to once in a few months. Sorry if I cannot help here, you might need to hunt some documentation or wiki for I2P port binding.

              • kixik@lemmy.ml
                link
                fedilink
                arrow-up
                0
                ·
                3 years ago

                Don’t worry, I checked on BiglyBT before. It does the dual function, it does hook to i2p trackers, which are special, and can as well hook to clear internet trackers, and whatever is being downloaded can be shared and exposed on both. It’s a specialized i2p torrent client, like vuze.

                That’s what I was trying to avoid using, :( I’m looking to see if I could use any torrent client, and just tunnel its traffic into the i2p router, like if it were a VPN or ssh tunnel. But so far, it seems you need a specialized torrent client, which can connect as a minimum, to i2p trackers, and use the different i2p file sharing protocols…

                If I’m mistaken, let me know, but it seems that’s the only way. At least what I’ve read. Oh well, dI don’t trust VPNs, and I don’t like the idea of using something I don’t trust, unless forced to do it…

                Thanks a lot !

      • fishonthenet@lemmy.mlOP
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        3 years ago

        other than websites that return a score I argue that websites that return values are not of much value if you do not know how much entropy they carry (eg. are they the same for all the people on the same OS?) or how they are handled in the browser with various mitigations. it’s one thing to read a value, but it’s a whole different thing to understand if and how it can be used, leave alone against a specific tool.

        everything is documented on TB’s official gitlab btw, people working on it know their stuff.

        Firefox has a bigger userbase than Tor Browser users, and it is a pretty uncontested claim logically. Firefox has Tor Project’s code for anti fingerprinting and per site data isolation upstreamed to Firefox’s private browsing mode since the past 15-20 or so versions now.

        Firefox does not have the crowd that Tor Browser has, it does not have the Tor network, RFP is not enabled by default and users will make changes to their settings. even if Firefox has the larger user base there’s no argument for Firefox having a better crowd, sadly there’s no linear correlation in this case.

        yes, you can harden it, but the crowd is so small that you will not defeat advanced scripts, nor you should expect to. hardened setups are also not equal as projects like arkenfox and librewolf are going to be tweaked by users post hardening (as they very much should).

        applying stylometry analysis

        this is opsec and it does not strictly apply to the tool you’re using so I don’t think it’s a valid argument for any of the points explained above.

        as for the list you wrote:

        • OS Core -> as I said above it can be bypassed even without JS, see TZP and others. that’s why TB has different crowds for different OSes and you just fit in.
        • multiple nameserver -> I’m not educated on how the nameserver test works, so I will just shut up on this one.
        • resolved and unresolved connections -> traffic analysis does not require JS and using something like uBO or even tracking protection will manipulate your traffic, which is why stock TB does not use any ad blocker. there was a TB issue where LocalCDN was discussed and a dev said it was easy with the proper traffic analysis to detect the extension.
        • private mode -> it is detectable but one can just avoid using it even if he has JS on. I’ve never seen it recommended to use always-on incognito so I don’t see the issue.
        • tracking protection on or off -> it is off and you cannot enable it in TB (edit: issue).
        • browser window size -> rounded values protect the real window size hence you fit in the crowd.
        • monitor colour -> iirc it simply doesn’t carry entropy, there were some TB tickets where this was discussed.
        • cursor, mouse, last click, caps lock etc -> these are all volatile and fuzzy fping wise. if you can provide a PoC or a paper where these are used to successfully fingerprint a browser then ok, otherwise I don’t see the issue here as well (edit: I found this issue about mouse movement which is 6yo, it’s very low priority apparently and it suggests no JS as only mitigation).
        • various estimations and timing -> they are all mitigated, try to run a test and watch TB or Firefox with RFP always return rounded ms values. not to mention Tor circuits provide further protection against everything you mention network wise (edit: in case I’m missing something floating out there I’m ready to stand corrected and I would love a link).

        “TB should cover all metrics” (I know you haven’t said it, I just didn’t know how to phrase it better lol) is not a safe assumption: not all metrics are equal, they do not all carry entropy nor they are all valuable fping methods. this brings us back to the initial part of this comment.

        the rest of the stuff you discussed, like typing in the wrong tab etc, is mostly opsec and as I said I also value the added peace of mind, but it doesn’t make logins on Tor bad per-se. keyloggers are also a bit out of scope for this discussion imo.

        tldr: TB covers enough metrics for most threat models even with JS on - naive scripts swallow the pill, advanced ones are defeated by the crowd, and don’t forget the network -, and the benefits of disabling JS are not that big.

        ps thanks for getting back despite the lengthy comments, I added some edits for completeness on both sides of the discussion :-)