• 12 Posts
  • 61 Comments
Joined 7M ago
cake
Cake day: Oct 26, 2021

help-circle
rss

relevant -> https://lemmy.ml/post/209597

I would also argue that the about config changes he points to are a bit鈥eh


thank you, while this is not an official extension and we cannot fix it, we might want to keep track of this and inform users if it no longer works.


we are rolling out a new update with two fixes, including the one above with the homepage.


librewolf v100 rollout

hello, the new release is out on all platforms. 鈥


I tried over and over to reproduce it in the past few days (see) but I just couldn鈥檛鈥


other than websites that return a score I argue that websites that return values are not of much value if you do not know how much entropy they carry (eg. are they the same for all the people on the same OS?) or how they are handled in the browser with various mitigations. it鈥檚 one thing to read a value, but it鈥檚 a whole different thing to understand if and how it can be used, leave alone against a specific tool.

everything is documented on TB鈥檚 official gitlab btw, people working on it know their stuff.

Firefox has a bigger userbase than Tor Browser users, and it is a pretty uncontested claim logically. Firefox has Tor Project鈥檚 code for anti fingerprinting and per site data isolation upstreamed to Firefox鈥檚 private browsing mode since the past 15-20 or so versions now.

Firefox does not have the crowd that Tor Browser has, it does not have the Tor network, RFP is not enabled by default and users will make changes to their settings. even if Firefox has the larger user base there鈥檚 no argument for Firefox having a better crowd, sadly there鈥檚 no linear correlation in this case.

yes, you can harden it, but the crowd is so small that you will not defeat advanced scripts, nor you should expect to. hardened setups are also not equal as projects like arkenfox and librewolf are going to be tweaked by users post hardening (as they very much should).

applying stylometry analysis

this is opsec and it does not strictly apply to the tool you鈥檙e using so I don鈥檛 think it鈥檚 a valid argument for any of the points explained above.

as for the list you wrote:

  • OS Core -> as I said above it can be bypassed even without JS, see TZP and others. that鈥檚 why TB has different crowds for different OSes and you just fit in.
  • multiple nameserver -> I鈥檓 not educated on how the nameserver test works, so I will just shut up on this one.
  • resolved and unresolved connections -> traffic analysis does not require JS and using something like uBO or even tracking protection will manipulate your traffic, which is why stock TB does not use any ad blocker. there was a TB issue where LocalCDN was discussed and a dev said it was easy with the proper traffic analysis to detect the extension.
  • private mode -> it is detectable but one can just avoid using it even if he has JS on. I鈥檝e never seen it recommended to use always-on incognito so I don鈥檛 see the issue.
  • tracking protection on or off -> it is off and you cannot enable it in TB (edit: issue).
  • browser window size -> rounded values protect the real window size hence you fit in the crowd.
  • monitor colour -> iirc it simply doesn鈥檛 carry entropy, there were some TB tickets where this was discussed.
  • cursor, mouse, last click, caps lock etc -> these are all volatile and fuzzy fping wise. if you can provide a PoC or a paper where these are used to successfully fingerprint a browser then ok, otherwise I don鈥檛 see the issue here as well (edit: I found this issue about mouse movement which is 6yo, it鈥檚 very low priority apparently and it suggests no JS as only mitigation).
  • various estimations and timing -> they are all mitigated, try to run a test and watch TB or Firefox with RFP always return rounded ms values. not to mention Tor circuits provide further protection against everything you mention network wise (edit: in case I鈥檓 missing something floating out there I鈥檓 ready to stand corrected and I would love a link).

鈥淭B should cover all metrics鈥 (I know you haven鈥檛 said it, I just didn鈥檛 know how to phrase it better lol) is not a safe assumption: not all metrics are equal, they do not all carry entropy nor they are all valuable fping methods. this brings us back to the initial part of this comment.

the rest of the stuff you discussed, like typing in the wrong tab etc, is mostly opsec and as I said I also value the added peace of mind, but it doesn鈥檛 make logins on Tor bad per-se. keyloggers are also a bit out of scope for this discussion imo.

tldr: TB covers enough metrics for most threat models even with JS on - naive scripts swallow the pill, advanced ones are defeated by the crowd, and don鈥檛 forget the network -, and the benefits of disabling JS are not that big.

ps thanks for getting back despite the lengthy comments, I added some edits for completeness on both sides of the discussion :-)


I just ran TBB and used deviceinfo.me to verify

ironic how this is posted below an article that says that testing websites are not reliable and that you should not read into the results unless you understand them. I don鈥檛 think this is the case, sorry about being painfully honest but I don鈥檛 want people to freak out over tests instead of reading a well written article:

  • all of the metrics you mention as spoofed (plus a lot more, even ones that you mention in your list like navigator UA, window size, TP on/off, color depth, private mode鈥) carry close to no entropy. that鈥檚 because Tor Browser has a crowd and users fit in that crowd, so even if the script was advanced to go over all the metrics covered by TB (which most of the time isn鈥檛 the case), the crowd would allow you to fit in.
  • the spoofed UA in the http-header is actually for passive fingerprinting. generally speaking, your actual OS cannot be spoofed and even with JS disabled it can be bypassed by using CSS/fonts. while it鈥檚 true that TB safest mode restricts the font list and it will probably defeat most PoC out there (I think? I don鈥檛 remember but it should) it鈥檚 a big sacrifice in terms of usability when you could simply fit in with the crowd of people using TB on your same OS: arguably that鈥檚 good enough for almost everyone.
  • timing attacks are mitigated.
  • stuff like position in page, last item clicked, cursor position etc is fuzzy, how do you fingerprint based on that? plus https://github.com/arkenfox/TZP#-fingerprints-are-always-loose

You want to know what a JS enabled Tor Browser looks like? A standard Firefox private mode tab with uBlock Origin medium mode and arkenfox user.js applied.

that鈥檚 simply not true. TB has further enhancement and code changes, it is based on ESR plus it鈥檚 not the same as a private window at all since private mode does not write to disk for example. most importantly tho: TB has crowd and the Tor network, that鈥檚 vital and a huge difference. a traffic analysis would also probably identify Firefox + uBO in medium mode vs TB. also, arkenfox does not try to make Firefox turn into TB, that鈥檚 clearly stated in the wiki and I would know as I am a repo admin :-)

Can the author explain me why keeping JS on is so helpful

usability, a browser with JS disabled by default is not a good everyday browser for most. the more people use Tor Browser daily and have a good experience with it, the larger the crowd gets.

All the above information I mentioned is trackable for鈥

I mean once you are subscribed, why would they want to fingerprint you? they already know who you are. when facebook operates as third party it will be isolated plus on a different circuit and with fingerprinting protection, plus (from arkenfox鈥檚 wiki):

if a fingerprinting script should run, it would need to be universal or widespread (i.e it uses the exact same canvas, audio and webgl tests among others - most aren鈥檛), shared by a data broker (most aren鈥檛), not be naive (most are) and not be just first party or used solely for bot detection and fraud prevention (most probably are)

I also don鈥檛 get what the difference between typing private stuff on facebook on tor or behind a vpn or on your ISP鈥檚 network is. however I must say that I still understand why from a 鈥減eace of mind鈥 perspective it makes sense to keep stuff isolated, so as I said above mine is not really a strong opinion here.

sorry about typing a lot, but I figured this was valuable information to share, despite being nothing new.


I will start by saying that the author of the article was a tor researcher and dev so this gives some context on the content and me posting this.

which is a very risky thing to do for someone not familiar

may I ask why? I generally agree with the sentiment of the article but I don鈥檛 have a very strong opinion on this and maybe I鈥檓 missing something.

PS I don鈥檛 think the usual 鈥淚 will end up in a list of people who use Tor鈥 argument is a valid one.

Preferring JavaScript stay disabled is a better choice, the next best is only allowing JavaScript when needed momentarily.

I disagree with this, it鈥檚 simply overkill for 99% of the people with arguably no benefit at all. what鈥檚 there to gain?


About to use Tor. Any security tips?

a great post that was published a few years ago on Matt Traudt鈥檚 blog with some tips for people using Tor and the Tor Browser. 鈥


You should certainly export your passwords from Bitwarden so they can鈥檛 keep them hostage.

imo your tone is a bit blowing this out of proportion, you can stay on the free tier, pay regularly for a very good service or even self-host. they are not keeping your password 鈥渉ostage鈥.


librewolf v99 rollout

hello, the new release should be out on all platforms. sorry for the delay we had some slowdowns with the settings and then a good portion of our patches needed a rebase. we should have done stuff earlier but personal life got in the way, but well here we are in the end :-) 鈥


opinions are formed from YouTube videos

well I鈥檓 not asking that you take my words for it:

I also don鈥檛 agree with the above video (and feel free to discuss in here why you also don鈥檛), but don鈥檛 question the level of research without first checking.


This makes me question the entire Librewolf project. If opinions are formed based on random YouTube creators, how can we trust any decision made on Librewolf?

I watched the video now, and while I get that the stuff said in it doesn鈥檛 make sense I fail to understand what made you assume that we form opinions based on youtube videos. if you want to know how you can trust the decisions check gitlab and see how everything is documented and researched properly.


there鈥檚 one listed on that same page!


Btw choosing brave search as a search engine for librewolf is a bad idea because that鈥檒l only lead to people using brave in the long run

I鈥檒l leave the rest to others as I haven鈥檛 watched the video nor I followed well enough the discussion between you, @opalraava@lemmy.ml and @Echedenyan@lemmy.ml.

regarding this tho, I wanted to say that we used to have brave in the search engine list, and it was then removed in order to reduce the length of it, and keep only what鈥檚 essential. the list is already pretty long as right now, so I don鈥檛 think it鈥檚 coming back anytime soon, leave alone making it default. IIRC we decided the same day as the news came out that we were going to stick to DDG and just not give a fuck about everything outside of privacy, users can always change to what they like.

I personally would have loved to have searx as default but forcing users to default to a particular instance is a bad move imo. we still include it tho, as the project deserves attention. if we had more people helping maybe we could have setup a librewolf instance of some kind, but it is what is :-)


I think that鈥檚 not possible, sorry!



One usually sees only articles introducing new extensions and prompting to install them, not the other way around.

yup, plus I recognize the average user can easily keep track of how built-in protections and extensions might overlap. nowadays once hardened firefox makes most of them useless, nice to see.


a portion of the arkenfox wiki where a bunch of popular, yet unnecessary, extensions are discussed. make good use of it :-)鈥



librewolf having a fediverse party tonight \o/


nice to see you around enjoying the chilled lemmy vibe, welcome :-)


I asked the arch鈥檚 (and more and more) maintainer about this, she said:

we provide aarch64 and x86_64 builds in the releases there, the PKGBUILD builds both, and librewolf-bin in the AUR provides a prebuilt aarch64 build as well as x86_64


https://gitlab.com/librewolf-community/browser/arch

I think artix does its own builds, in the past they have been a bit slow with updates.


librewolf v98 rollout

hello :-) as usual the new librewolf release is on its way or already out, depending on your platform. 鈥


librewolf v97 rollout

hello everyone, new librewolf release on the way or already out, depending on your platform. 鈥


librewolf v96 rollout

hi everyone! the new release is either out or on the way, and this is a pretty big one for us. 鈥


what do you use as a search engine?

I鈥檓 currently working on re-evaluating our search engine selection (reading privacy policies and all that good stuff), to see what to keep, remove, maybe add. I figured I might use some input from lemmy. 鈥


librewolf v95 rollout

back again with another major release (and yes I only post for major releases but every minor firefox release equals to a new librewolf release). osx is out, linux and windows are getting worked on, you can expect them soon. 鈥


new website

as the title says, the new website is live and fully functional. 鈥


librewolf v94 rollout

hello everyone. I released librewolf v94 on osx, it should be coming very soon for linux and windows. 鈥


one of the maintainers says hi.

hello everyone, I鈥檓 one of the maintainers, mostly involved with osx and the settings. just joined the community with a fresh account. 鈥


Moderates