a great post that was published a few years ago on Matt Traudt’s blog with some tips for people using Tor and the Tor Browser.

it also addresses common misconceptions like disabling JS and using fingerprinting tests, which unfortunately I see floating around every other day on the internet.

    • fishonthenetOP
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      3 years ago

      other than websites that return a score I argue that websites that return values are not of much value if you do not know how much entropy they carry (eg. are they the same for all the people on the same OS?) or how they are handled in the browser with various mitigations. it’s one thing to read a value, but it’s a whole different thing to understand if and how it can be used, leave alone against a specific tool.

      everything is documented on TB’s official gitlab btw, people working on it know their stuff.

      Firefox has a bigger userbase than Tor Browser users, and it is a pretty uncontested claim logically. Firefox has Tor Project’s code for anti fingerprinting and per site data isolation upstreamed to Firefox’s private browsing mode since the past 15-20 or so versions now.

      Firefox does not have the crowd that Tor Browser has, it does not have the Tor network, RFP is not enabled by default and users will make changes to their settings. even if Firefox has the larger user base there’s no argument for Firefox having a better crowd, sadly there’s no linear correlation in this case.

      yes, you can harden it, but the crowd is so small that you will not defeat advanced scripts, nor you should expect to. hardened setups are also not equal as projects like arkenfox and librewolf are going to be tweaked by users post hardening (as they very much should).

      applying stylometry analysis

      this is opsec and it does not strictly apply to the tool you’re using so I don’t think it’s a valid argument for any of the points explained above.

      as for the list you wrote:

      • OS Core -> as I said above it can be bypassed even without JS, see TZP and others. that’s why TB has different crowds for different OSes and you just fit in.
      • multiple nameserver -> I’m not educated on how the nameserver test works, so I will just shut up on this one.
      • resolved and unresolved connections -> traffic analysis does not require JS and using something like uBO or even tracking protection will manipulate your traffic, which is why stock TB does not use any ad blocker. there was a TB issue where LocalCDN was discussed and a dev said it was easy with the proper traffic analysis to detect the extension.
      • private mode -> it is detectable but one can just avoid using it even if he has JS on. I’ve never seen it recommended to use always-on incognito so I don’t see the issue.
      • tracking protection on or off -> it is off and you cannot enable it in TB (edit: issue).
      • browser window size -> rounded values protect the real window size hence you fit in the crowd.
      • monitor colour -> iirc it simply doesn’t carry entropy, there were some TB tickets where this was discussed.
      • cursor, mouse, last click, caps lock etc -> these are all volatile and fuzzy fping wise. if you can provide a PoC or a paper where these are used to successfully fingerprint a browser then ok, otherwise I don’t see the issue here as well (edit: I found this issue about mouse movement which is 6yo, it’s very low priority apparently and it suggests no JS as only mitigation).
      • various estimations and timing -> they are all mitigated, try to run a test and watch TB or Firefox with RFP always return rounded ms values. not to mention Tor circuits provide further protection against everything you mention network wise (edit: in case I’m missing something floating out there I’m ready to stand corrected and I would love a link).

      “TB should cover all metrics” (I know you haven’t said it, I just didn’t know how to phrase it better lol) is not a safe assumption: not all metrics are equal, they do not all carry entropy nor they are all valuable fping methods. this brings us back to the initial part of this comment.

      the rest of the stuff you discussed, like typing in the wrong tab etc, is mostly opsec and as I said I also value the added peace of mind, but it doesn’t make logins on Tor bad per-se. keyloggers are also a bit out of scope for this discussion imo.

      tldr: TB covers enough metrics for most threat models even with JS on - naive scripts swallow the pill, advanced ones are defeated by the crowd, and don’t forget the network -, and the benefits of disabling JS are not that big.

      ps thanks for getting back despite the lengthy comments, I added some edits for completeness on both sides of the discussion :-)

    • kixik
      link
      fedilink
      arrow-up
      1
      ·
      3 years ago

      Sorry if way too OT, :( What torrent i2p client are you using? I don’t like the idea of vuze with a plugin, neither biglybt. I’m more inclined to something like rtorrent (ncurses, and if used with detached screen, then on any ssh session you can remotely monitor, without needing additional remote accesses or web publishing)…

        • kixik
          link
          fedilink
          arrow-up
          1
          ·
          3 years ago

          ohh, so I can use any torrent client (rtorrent for example), as long as I only use i2p sort of trackers, or so I understand from your post, and also from the wiki, perhaps specifying the binding address and port, or something like that…

            • kixik
              link
              fedilink
              arrow-up
              1
              ·
              3 years ago

              Don’t worry, I checked on BiglyBT before. It does the dual function, it does hook to i2p trackers, which are special, and can as well hook to clear internet trackers, and whatever is being downloaded can be shared and exposed on both. It’s a specialized i2p torrent client, like vuze.

              That’s what I was trying to avoid using, :( I’m looking to see if I could use any torrent client, and just tunnel its traffic into the i2p router, like if it were a VPN or ssh tunnel. But so far, it seems you need a specialized torrent client, which can connect as a minimum, to i2p trackers, and use the different i2p file sharing protocols…

              If I’m mistaken, let me know, but it seems that’s the only way. At least what I’ve read. Oh well, dI don’t trust VPNs, and I don’t like the idea of using something I don’t trust, unless forced to do it…

              Thanks a lot !