Being a fervent Tor Browser user, I just tried with it and of course the fingerprinting failed. Several copies of it give me the same fingerprints: e56952dba176a47af3c051b626b64ff3 (Safer mode) and 632e305f8a939e5ba6afd24eced586f0 (Safest mode).
That's because the Tor Browser, contrary to urban legend, is not just a browser that routes traffic through the Tor network, but a Firefox reworked (most of which is being upstreamed) explicitly to combat fingerprinting (some kind of digital black block if you will).
Overall that's an amazing compilation of modern web fingerprinting vectors. I'm just a little disappointed they left screen size (and maybe other obvious avenues) out of the demo. That would be a really cool way to demonstrate how Tor Browser's window cutting (or whatever that's called) works [0].
I read somewhere (but I can't vet the claims) there's enough variance on TCP implementations across systems to be able to distinguish, and I'm curious how the Tor Browser deals (or doesn't) with that. Could be an idea for v2 demo.
Thanks for the cool demo! I definitely enjoyed the script-like UX of the page. I wish more sites did stuff like that instead of defaulting to JS for every little animation or dynamic content.
[0] Tor Browser enforces actual width and height of the web rendering part of the window to be multiples of certain numbers, so that websites can provide experience for smaller/larger screens while retaining limited fingerprinting (e.g. your fingerprint will not be affected by a user-configured or desktop-dependent window border, scroll bar width, or anything such).
Tor is not Tor Browser. Detecting an outdated Tor Browser version would help you detect well-known vulns. Detecting a non-TBB browser over Tor would suggest that side-channel attacks are available to defeat onion routing (e.g. WebRTC leaks).
If you want privacy, use Tor Browser. It's the only privacy-friendly browser out there. All others have many holes and leaks and very little intention to close them. Although Firefox has a "Tor uplift" project upstreaming patches from Tor Browser into Firefox's strict privacy mode.
I guess they can easily identify Tor vs normal Firefox (especially with TLS fingerprinting, probably used by Cloudflare). But the goal of fingerprinting is mostly to distinguish users. There can be sane uses like collecting fingerprints to stop bot attacks from registering. But as we know, in today's selfish society they are mostly used to collect data and show ads. And egregious browsers like Chrome have no incentive to solve this problem.
I did, but I personally don't care that everyone knows I'm using a Tor browser. TBB is like a digital black block [0]: it is known I'm in there but nobody knows who I am in that crowd.
Tor's techniques also make it a monoculture. The smallest fuck up that makes you just a little bit more identifiable normally, makes you stick out like a sore thumb among TBB users.
So how crippled does regular web browsing become using Tor safest mode?
I'm tempted to give it a whirl for a week.
Root my phone, flash something secure, leave VPN always on, and limit web browsing to Tor to get a feel for how bad or good it is.
The self-inflicted contortions developers go through to justify the need to spy drive me crazy. Modern devices and bandwidth are more than sufficient to handle a vast majority of applications, but everything has to be cloud based rent-seeking-as-a-service.
> So how crippled does regular web browsing become using Tor safest mode?
In my experience, not really much. There's occasionally a few articles I can't read because they require JS just to display their blogpost but outside of HN planet, it's not that common (most people use Wordpress themes or other decent HTML/CSS templates).
The real problem is Cloudflare and other gatekeepers who claim to protect from bots and attacks, but are more likely to block honest people. If you know people using Cloudflare, please insist that they don't. If you really need DDOS protection because you've repeatedly been a victim, please use a decent network-level mitigation (as provided by professional hosts like OVH/Hetzner), not some shitty invasive DPI solution that will have 99% false positives.
An interesting aspect of Safest mode I enjoy is the web is "read-only" again with it. Well you can still POST stuff via forms, but it's an explicit opt-in operation. TBB's Safest mode is closer to reading a newspaper than the modern web could ever be.
As a nice bonus, the Safest mode is really resource-efficient. I can have hundreds (thousands?) of tabs open for days without leaking memory, and CPU is only used to draw stuff (no tab mining coins on my behalf). I don't know a single browser with JS enabled that can keep many tabs open without rendering my machine utterly useless due to overusing CPU/RAM. Hell, I don't know a single browser with JS that can prevent a single tab from using all of my resources. TBB's Safest mode is really the only modern way I know to browse the web on low-resource hardware (lighter web browsers exist, but they usually don't implement modern CSS3 features).
EDIT: I should mention that the only useful service I can't use with Safest mode is Gitlab. Because Gitlab still does client-side rendering for some reason?!
I think the biggest problem of surfing the web via Tor end nodes will be the Cloudflare captcha. As much as I like Cloudflare, their captcha makes the open web pretty much unusable through Tor. At least last time I tried.
We need to boycott Cloudflare and others like them. They are pretending to protect websites, but in fact they create a walled garden where they decide who gets in.
People who use privacy tooling are left out, people from poorer countries are left out (due to bad IP range reputation), and legit bots scraping websites are left out.
If you need DDOS protection, use network-level mitigations from your host and basic rate limiting. If you need to protect your admin area from bruteforce and known vulns, restrict it to localhost queries and use SSH tunneling with public-key auth. If you need geo-replication, think again, you probably don't: make your pages lighter (why JS? why custom fonts?) and reduce the number of queries at all costs (the biggest slowing factor on high-latency links).
You don't need Cloudflare, even for a popular international website. Designing your website properly will make it more user-friendly and faster to load. From anywhere in the world, it should be fully rendered before any similar Cloudflare-powered page could load the JS spyware blocking access to the content.
I can't tell if you're trying to say unrooted phones with stock carrier roms are somehow understood to be secure, or if rooting is mutually incompatible with security, or something else. Want to expound?
Rooting your phone means you obtain root access to the device, bypassing carrier restrictions. It does not mean you run it as root user day to day. That would indeed be insecure.
Rooting is not incompatible with security. Trusting carrier distributed software on a locked down device is far less secure than using a custom install of something like Calyx or GrapheneOS.
In my view, trusting Google, Apple, Verizon, T-Mobile, or AT&T is incompatible with security.
The idea that people having administrative access to their own devices is inherently insecure is vicious anti-consumer nonsense.
What's your threat model? Is it more secure that you as a user can execute root code? Or that your phone manufacturer can without asking for your permission?
Modern smartphones are basically spyware distros. I would argue it's far more secure to run a decent distro (Lineage/Replicant) with root, than it is to run any SamWeiMi crapware without root. Oh yes, the manufacturer's crapware has system privileges whether you ask for it or not, and so does Google Play Services, Google's universal backdoor for Android.
On paper, no root is better. In practice, even on a crap distro, rooting it will enable you to remove most crapware to reduce attack surface.
Also related: if you're concerned about security, you should probably only use applications from F-Droid.org repos. Google Play Store (and others) are just full of spyware! See also the Exodus Privacy project tracking trackers via static analysis of APKs.
Even with a custom ROM that includes no Google anything whatsoever, you still should not have root... that's what I mean. Just like how you should always use Secure Boot (but LineageOS requires you leave it off).
That's a fair interpretation! I'm not familiar with Tor internals, but I assumed after removing the last encryption layer, the exit node would "expose" raw TCP traffic from the original requester. Otherwise, how does it work?
TCP is a bidirectional stream, so ignoring some of the edge cases you can just proxy it across any stream transport. In the case of TOR it sets up a bidirectional stream across its network and then bytes come into the exit node over the TOR stream and then the exit node just writes them out using the normal operating system write() method. Bytes then come from the normal operating system read() method on the exit node and the TOR exit node just sends them back over the TOR stream. On the client node, setting up the stream over the TOR network and receiving/sending is exposed as a SOCKS proxy, but I guess you could also have something fancy which intercepted traffic transparently (https://gitlab.torproject.org/legacy/trac/-/wikis/doc/Transp...). I haven't looked at the TOR project for a while but it looks like they are heavily pushing the TOR browser, which I guess means the user is not exposed to any proxy setup and can't accidentally misconfigure things in a way that would break their anonymity.
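The relaying described in the comment above, as an added example that is not part of the original thread or of Tor's code: a loopback sketch in which a hypothetical `relay_once` stands in for the exit node, reading bytes from one stream and writing them into a TCP connection it opens itself. The destination's peer is the relay's own outbound socket, so whatever TCP-stack behaviour the destination observes belongs to the relay's host. All function names and the payload are constructed for illustration.

```python
import socket
import threading

def listen():
    """Loopback TCP listener on an OS-chosen port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def pump(src, dst):
    """read() from src, write() to dst until EOF, then half-close dst."""
    while data := src.recv(4096):
        dst.sendall(data)
    dst.shutdown(socket.SHUT_WR)

def relay_once(listener, dest, seen):
    """Stand-in for the exit node (assumption): terminate the inbound stream and
    open a brand-new TCP connection to dest; only payload bytes cross over."""
    inbound, _ = listener.accept()
    outbound = socket.create_connection(dest)
    seen["relay_out"] = outbound.getsockname()   # local end of the new connection
    back = threading.Thread(target=pump, args=(outbound, inbound))
    back.start()
    pump(inbound, outbound)
    back.join()
    inbound.close(); outbound.close()

def echo_once(listener, seen):
    """Destination: record the TCP peer it actually sees, then echo the bytes."""
    conn, seen["peer"] = listener.accept()
    pump(conn, conn)
    conn.close()

def demo(payload=b"constructed sample payload"):
    seen = {}
    server, relay = listen(), listen()
    workers = [threading.Thread(target=echo_once, args=(server, seen)),
               threading.Thread(target=relay_once, args=(relay, server.getsockname(), seen))]
    for w in workers:
        w.start()
    client = socket.create_connection(relay.getsockname())
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)              # signal end of request
    echoed = b"".join(iter(lambda: client.recv(4096), b""))
    for w in workers:
        w.join()
    client.close(); server.close(); relay.close()
    return dict(seen, echoed=echoed)
```

`demo()` returns the echoed bytes together with the peer address the destination recorded and the local address of the relay's outbound socket; the two addresses match.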
It's probably worth a bug report to the TBB team so that they can investigate why fingerprints would be different. Having a unique fingerprint across instances is the very goal of TBB.