a great post that was published a few years ago on Matt Traudt’s blog with some tips for people using Tor and the Tor Browser.

it also addresses common misconceptions like disabling JS and using fingerprinting tests, which unfortunately I see floating around every other day on the internet.

    • fishonthenet@lemmy.mlOP
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      3 years ago

      I just ran TBB and used deviceinfo.me to verify

      ironic how this is posted below an article that says that testing websites are not reliable and that you should not read into the results unless you understand them. I don’t think this is the case, sorry about being painfully honest but I don’t want people to freak out over tests instead of reading a well written article:

      • all of the metrics you mention as spoofed (plus a lot more, even ones that you mention in your list like navigator UA, window size, TP on/off, color depth, private mode…) carry close to no entropy. that’s because Tor Browser has a crowd and users fit in that crowd, so even if the script was advanced to go over all the metrics covered by TB (which most of the time isn’t the case), the crowd would allow you to fit in.
      • the spoofed UA in the http-header is actually for passive fingerprinting. generally speaking, your actual OS cannot be spoofed and even with JS disabled it can be bypassed by using CSS/fonts. while it’s true that TB safest mode restricts the font list and it will probably defeat most PoC out there (I think? I don’t remember but it should) it’s a big sacrifice in terms of usability when you could simply fit in with the crowd of people using TB on your same OS: arguably that’s good enough for almost everyone.
      • timing attacks are mitigated.
      • stuff like position in page, last item clicked, cursor position etc is fuzzy, how do you fingerprint based on that? plus https://github.com/arkenfox/TZP#-fingerprints-are-always-loose

      You want to know what a JS enabled Tor Browser looks like? A standard Firefox private mode tab with uBlock Origin medium mode and arkenfox user.js applied.

      that’s simply not true. TB has further enhancement and code changes, it is based on ESR plus it’s not the same as a private window at all since private mode does not write to disk for example. most importantly tho: TB has crowd and the Tor network, that’s vital and a huge difference. a traffic analysis would also probably identify Firefox + uBO in medium mode vs TB. also, arkenfox does not try to make Firefox turn into TB, that’s clearly stated in the wiki and I would know as I am a repo admin :-)

      Can the author explain me why keeping JS on is so helpful

      usability, a browser with JS disabled by default is not a good everyday browser for most. the more people use Tor Browser daily and have a good experience with it, the larger the crowd gets.

      All the above information I mentioned is trackable for…

      I mean once you are subscribed, why would they want to fingerprint you? they already know who you are. when facebook operates as third party it will be isolated plus on a different circuit and with fingerprinting protection, plus (from arkenfox’s wiki):

      if a fingerprinting script should run, it would need to be universal or widespread (i.e it uses the exact same canvas, audio and webgl tests among others - most aren’t), shared by a data broker (most aren’t), not be naive (most are) and not be just first party or used solely for bot detection and fraud prevention (most probably are)

      I also don’t get what the difference between typing private stuff on facebook on tor or behind a vpn or on your ISP’s network is. however I must say that I still understand why from a “peace of mind” perspective it makes sense to keep stuff isolated, so as I said above mine is not really a strong opinion here.

      sorry about typing a lot, but I figured this was valuable information to share, despite being nothing new.

        • kixik@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          2 years ago

          Sorry if way too OT, :( What torrent i2p client are you using? I don’t like the idea of vuze with a plugin, neither biglybt. I’m more inclined to something like rtorrent (ncurses, and if used with detached screen, then on any ssh session you can remotely monitor, without needing additional remote accesses or web publishing)…

            • kixik@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              2 years ago

              ohh, so I can use any torrent client (rtorrent for example), as long as I only use i2p sort of trackers, or so I understand from your post, and also from the wiki, perhaps specifying the binding address and port, or something like that…

                • kixik@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  2 years ago

                  Don’t worry, I checked on BiglyBT before. It does the dual function, it does hook to i2p trackers, which are special, and can as well hook to clear internet trackers, and whatever is being downloaded can be shared and exposed on both. It’s a specialized i2p torrent client, like vuze.

                  That’s what I was trying to avoid using, :( I’m looking to see if I could use any torrent client, and just tunnel its traffic into the i2p router, like if it were a VPN or ssh tunnel. But so far, it seems you need a specialized torrent client, which can connect as a minimum, to i2p trackers, and use the different i2p file sharing protocols…

                  If I’m mistaken, let me know, but it seems that’s the only way. At least what I’ve read. Oh well, dI don’t trust VPNs, and I don’t like the idea of using something I don’t trust, unless forced to do it…

                  Thanks a lot !