Re: [tor-talk] panopticlick data
On 10/2/2013 12:08 AM, Andreas Krey wrote:
> On Tue, 01 Oct 2013 13:43:10 +, Joe Btfsplk wrote:
> ...
>> I believe in same TBB version (maybe the same in many versions) they
>> spoof the useragent & time zone, but wouldn't differences in screen
>> sizes & color bit ALONE, among a few users on one entry / exit
>> combination, at a given moment be enough to fingerprint one user?
> Fingerprinting isn't about identifying the same session (there are
> cookies for that), but about recognizing you on your next visit when
> you come from a different IP/exit (or even the same)

I can't say if that is / isn't true. If it is, goes back to my question / pondering, if regularly changing some browser trait(s) (maybe w/ an extension, Tor Button) would make it much more difficult to conclusively say, "This is the same person / browser."

Seems unlikely that all TBB users having the exact same browser characteristics is going to happen. It's good in theory, but may be unrealistic. Perhaps approaching the issue from a more realistic standpoint is worth looking into? Chaos is easier to achieve than perfection.

Wondering: in practice, which would be easier to achieve and / or be more successful at preventing fingerprinting: Trying to make all TBB users look identical or constantly changing (spoofing) some browser characteristics (ones that DON'T break functionality), so that every TBB browser is "constantly" changing its profile? Perhaps call it SSTBB - shape shifter TBB.

There may be drawbacks to *regularly* changing ANY characteristics used for fingerprinting. Just a thought. Definitely problems w/ the current method of trying to make everyone look identical.

> Screen/Window size spoofing is pointless as there are many ways of
> finding out the actual window size. And colors are pretty much always
> 24bit anyway.

Does the issue of other ways to find the actual screen size value, apply to other browser traits as well (some / many)? If so, possibly ONLY turning off JavaScript would prevent much of that. Unfortunately, that breaks at least part of many sites.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] panopticlick data
On Tue, 01 Oct 2013 13:43:10 +, Joe Btfsplk wrote:
...
> I believe in same TBB version (maybe the same in many versions) they
> spoof the useragent & time zone, but wouldn't differences in screen
> sizes & color bit ALONE, among a few users on one entry / exit
> combination, at a given moment be enough to fingerprint one user?

Fingerprinting isn't about identifying the same session (there are cookies for that), but about recognizing you on your next visit when you come from a different IP/exit (or even the same)

Screen/Window size spoofing is pointless as there are many ways of finding out the actual window size. And colors are pretty much always 24bit anyway.

Andreas

--
"Totally trivial. Famous last words."
From: Linus Torvalds
Date: Fri, 22 Jan 2010 07:29:21 -0800

Re: [tor-talk] panopticlick data
On 10/1/2013 12:06 PM, Nicolas Vigier wrote:
> On Tue, 01 Oct 2013, Joe Btfsplk wrote:
>> Not sure I understand the question in this context. Without
>> cookies, I don't expect them to identify repeat visitors. I read
>> their full paper on how they use the data collected
>> https://panopticlick.eff.org/browser-uniqueness.pdf
>>
>> Me visiting 2 - 4 more times, or even the other site visitors - *in
>> the same 2 - 4 min. span*, wouldn't (actually) affect the statistics
>> & lower their reported uniqueness estimate by factors of 2, 3 or
>> more.
>>
>> Repeating the test 4 times, almost immediately (clearing cache
>> between), out of an existing data base of millions of other site
>> visitors, wouldn't lower my uniqueness from 1 in 1.7 million, then
>> to 1 in 700,000, to 1 in 500,000.
> 1st visit: 3 444 000
> 2nd visit: 3 444 000 / 2 = 1 722 000
> 3rd visit: 3 444 000 / 3 = 1 148 000
> 4th visit: 3 444 000 / 4 = 861 000
> 5th visit: 3 444 000 / 5 = 688 800
> 6th visit: 3 444 000 / 6 = 574 000
> etc ...

Thanks. I'm not a statistics major, so you may have to explain, but are you saying that the 1st time I visit w/ a given set of browser characteristics, and they've only seen 1:3,444,000 browsers w/ exactly the same traits, then on my 2nd visit, they've now seen 2 identical browsers in 3,444,001 = 1: 1,722,000.5?

All that seems to mean is, they've not seen many browsers like mine (poor distribution), IF... it started out as 1 in 3.44 mil, or anything close - as mine would be a VERY common setup. All the individual characteristics tested were very common, per their results. Most are < 1:10 & none > 1:100, except the screen size (which seems incorrect). Seems unlikely my 1920 width monitor only has 1664 "usable" browser pane width (what they show). When they show *1920* width for TBB, but the 2 browser panes are the same in width. Only thing taking up horizontal space on either browser is the vertical scroll bar, which are pretty much identical.

*NOTE:* The *"bits of identifying information"* for individual browser characteristics (useragent, cookies enabled, etc.) & uniqueness (1 in X have this) of the INDIVIDUAL characteristics do NOT change, as you run the test repeatedly. Those values must be calculated from a set data base & don't seem to be affected by your current visit.

Assuming trackers had a large enough sample space to have a high confidence level, for fingerprinting purposes, would it matter if only 1 in 10,953, or 1 in 10,953,000 browsers were like yours? As long as they could identify A browser w/ the same uniqueness (EXACT same characteristics - entering & exiting). Even w/o Flash or Java enabled & revealing system fonts, etc.

Only way I see that's not true is if 100's of users w/ EXACT same browser characteristics (right down to same screen characteristics), used the same entry / exit relays at the SAME time. That's unlikely, unless TBB starts spoofing screen size, the same for everyone.

I believe in same TBB version (maybe the same in many versions) they spoof the useragent & time zone, but wouldn't differences in screen sizes & color bit ALONE, among a few users on one entry / exit combination, at a given moment be enough to fingerprint one user?

Re: [tor-talk] panopticlick data
On Tue, 01 Oct 2013, Joe Btfsplk wrote:
> On 10/1/2013 12:48 AM, Andreas Krey wrote:
> >On Mon, 30 Sep 2013 21:08:58 +, Joe Btfsplk wrote:
> >...
> >>No cookies are set, so that doesn't affect outcome. In fact, the "bits
> >>of identifying information" shown in results chart largely remain
> >>identical (except screen size sometimes changes), but their estimate of
> >>"One in X browsers have the same fingerprint as yours," keeps going
> >>down dramatically - each time I re run the test.
> >How do you expect them to identify repeat visitors as opposed to
> >counting them as separate incarnations, thus lowering the uniqueness?
> >
> Not sure I understand the question in this context. Without
> cookies, I don't expect them to identify repeat visitors. I read
> their full paper on how they use the data collected
> https://panopticlick.eff.org/browser-uniqueness.pdf
>
> Me visiting 2 - 4 more times, or even the other site visitors - *in
> the same 2 - 4 min. span*, wouldn't (actually) affect the statistics
> & lower their reported uniqueness estimate by factors of 2, 3 or
> more.
>
> Repeating the test 4 times, almost immediately (clearing cache
> between), out of an existing data base of millions of other site
> visitors, wouldn't lower my uniqueness from 1 in 1.7 million, then
> to 1 in 700,000, to 1 in 500,000.

1st visit: 3 444 000
2nd visit: 3 444 000 / 2 = 1 722 000
3rd visit: 3 444 000 / 3 = 1 148 000
4th visit: 3 444 000 / 4 = 861 000
5th visit: 3 444 000 / 5 = 688 800
6th visit: 3 444 000 / 6 = 574 000
etc ...

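Added example (not part of the original thread, and not EFF's code): a toy model of the counting behind Nicolas's figures and Andreas's question about repeat visitors, showing what a "one in X" estimator reports when it can and cannot recognise a returning browser. The class `FingerprintTally`, the function `rerun`, the sample fingerprint and the seed of 3,443,999 other samples are assumptions made for the illustration.

```python
import math
from collections import Counter

# Constructed sample fingerprint (user agent, screen, time zone); values are illustrative.
FP = ("Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0", "1920x1080x24", "UTC")


class FingerprintTally:
    """Hypothetical 'one in X browsers' estimator; a model, not Panopticlick's code."""

    def __init__(self, dedupe_by_cookie):
        self.dedupe_by_cookie = dedupe_by_cookie
        self.counts = Counter()    # fingerprint -> samples recorded
        self.total = 0             # all samples recorded
        self.seen_cookies = set()  # visitors already counted

    def seed(self, n_other_samples):
        # Constructed background population with fingerprints different from FP.
        self.counts["<other browsers>"] += n_other_samples
        self.total += n_other_samples

    def visit(self, fingerprint, cookie):
        """Record one test run; return (one_in_x, bits of identifying information)."""
        repeat = self.dedupe_by_cookie and cookie in self.seen_cookies
        if not repeat:
            self.counts[fingerprint] += 1
            self.total += 1
            self.seen_cookies.add(cookie)
        one_in_x = self.total / self.counts[fingerprint]
        return one_in_x, math.log2(one_in_x)


def rerun(n_visits, dedupe_by_cookie, clears_cookies):
    """Run the test n_visits times with an unchanged browser; return [(one_in_x, bits)]."""
    tally = FingerprintTally(dedupe_by_cookie)
    tally.seed(3_443_999)  # chosen so the first run reports 1 in 3,444,000
    results = []
    for i in range(n_visits):
        # A browser that clears state looks like a new visitor on every run.
        cookie = f"run-{i}" if clears_cookies else "same-visitor"
        one_in_x, bits = tally.visit(fingerprint=FP, cookie=cookie)
        results.append((int(one_in_x), round(bits, 2)))
    return results


if __name__ == "__main__":
    for label, args in [("no dedupe", (6, False, True)),
                        ("dedupe, cookie kept", (6, True, False)),
                        ("dedupe, cookie cleared", (6, True, True))]:
        print(label, rerun(*args))
```

In this model the estimate stays at 1 in 3,444,000 only when the tally deduplicates and the browser keeps its cookie; a browser that clears state between runs is counted as a new sample each time, and the figure falls as total / k, one bit per halving.
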
Re: [tor-talk] panopticlick data
On 10/1/2013 12:48 AM, Andreas Krey wrote:
> On Mon, 30 Sep 2013 21:08:58 +, Joe Btfsplk wrote:
> ...
>> No cookies are set, so that doesn't affect outcome. In fact, the "bits
>> of identifying information" shown in results chart largely remain
>> identical (except screen size sometimes changes), but their estimate of
>> "One in X browsers have the same fingerprint as yours," keeps going
>> down dramatically - each time I re run the test.
> How do you expect them to identify repeat visitors as opposed to
> counting them as separate incarnations, thus lowering the uniqueness?

Not sure I understand the question in this context. Without cookies, I don't expect them to identify repeat visitors. I read their full paper on how they use the data collected https://panopticlick.eff.org/browser-uniqueness.pdf

Me visiting 2 - 4 more times, or even the other site visitors - *in the same 2 - 4 min. span*, wouldn't (actually) affect the statistics & lower their reported uniqueness estimate by factors of 2, 3 or more.

Repeating the test 4 times, almost immediately (clearing cache between), out of an existing data base of millions of other site visitors, wouldn't lower my uniqueness from 1 in 1.7 million, then to 1 in 700,000, to 1 in 500,000.

I checked regular Fx again today & my uniqueness just keeps dropping w/ each test. If I'd kept going, it may have gotten to, "One in 100 browsers have the same fingerprint." Nothing changed about my browser between "tests," so those huge decreases in my uniqueness would be statistically impossible, unless they had MANY millions of other visitors in the same few minutes I was testing - which they didn't.

Just now (10/1/2013), I checked both TBB 2.3.25-12 (& Firefox 23 - showing its true useragent info). Panopticlick showed TBB was over 3 times LESS unique than regular Fx. TBB: 1 in 689,000 vs Fx 23: 1 in 203,000, at least in one test. That may not be statistically meaningful, but it's a concern.

Most of the difference came from TBB reported screen size (which showed the correct screen width of my monitor), where Panopticlick shows regular Fx 23 screen width as 256 px LESS than TBB. Not sure how that's possible for width.

The bigger point is, uniqueness values for either browser keep dropping *dramatically*, repeating the test a few times in just 2 - 3 minutes, when browser characteristics didn't change. Making the value of their estimates questionable. I may contact them to see if they have an explanation for this.

Possible solution to make fingerprinting more difficult: An extension or TBB design that regularly or randomly changes / spoofs values for some of the data used to "calculate" uniqueness. There are extensions that change some (like useragent), but don't change it repeatedly. To avoid tracking Tor users from entry to exit, some browser characteristics would have to change rapidly & often.

I have no idea if the current consensus is that trackers could identify a user from ONE request or a SINGLE entry / exit in the Tor network (making it hard, but not impossible to intentionally change browser characteristics during that short time). Or... if they'd need to observe several entries / exits (or several requests & receipts involving same relays) to conclude with high confidence that it is the same browser.

Re: [tor-talk] panopticlick data
On Mon, 30 Sep 2013 21:08:58 +, Joe Btfsplk wrote:
...
> No cookies are set, so that doesn't affect outcome. In fact, the "bits
> of identifying information" shown in results chart largely remain
> identical (except screen size sometimes changes), but their estimate of
> "One in X browsers have the same fingerprint as yours," keeps going
> down dramatically - each time I re run the test.

How do you expect them to identify repeat visitors as opposed to counting them as separate incarnations, thus lowering the uniqueness?

Andreas

--
"Totally trivial. Famous last words."
From: Linus Torvalds
Date: Fri, 22 Jan 2010 07:29:21 -0800

Re: [tor-talk] panopticlick data
On Mon, 30 Sep 2013 18:14:25 +, Joe Btfsplk wrote:
...
> I don't know where / how it gets the screen size, but mine definitely
> isn't 947 wide. It's actually a very common size.

Tor browser seems to use the windows size as the display size.

> I assume the color depth is bit value. Panopticlick shows 24 (bit?),
> but there's not even a CHOICE of 24 bit in my display settings, for my
> monitor / graphics card combination. Maybe I misunderstand how
> Panopticlick arrives at that value.

It's (probably) what the browser reports, and also quite probably what your video card uses - even if its driver says 32bit only 24 of those are actually used for output, leaving one byte per pixel wasted.

Andreas

--
"Totally trivial. Famous last words."
From: Linus Torvalds
Date: Fri, 22 Jan 2010 07:29:21 -0800

Re: [tor-talk] panopticlick data
On 9/30/2013 6:14 PM, Joe Btfsplk wrote:
> Info given on panopticlick.eff.org is a bit confusing in that some of
> it seems incorrect. If that makes a browser "more common," I guess it's
> a good thing. But some of the info it shows as incorrect is very
> "uncommon." That doesn't mean someone trying to finger print a browser
> would get the same info that Panopticlick shows - or does it?
>
> It showed an incorrect screen size and "color depth." Claiming in 1 in
> 430370 browsers (systems?) have that specific characteristic - fairly
> uncommon. Except monitor info is incorrect. All that resulted in a
> claim that "only *one in 1,721,479 browsers have the same
> fingerprint*." https://panopticlick.eff.org
>
> I don't know where / how it gets the screen size, but mine definitely
> isn't 947 wide. It's actually a very common size.
>
> I assume the color depth is bit value. Panopticlick shows 24 (bit?),
> but there's not even a CHOICE of 24 bit in my display settings, for my
> monitor / graphics card combination. Maybe I misunderstand how
> Panopticlick arrives at that value.
>
> It surprised me that it estimated 1 in 76 browsers had the USERAGENT
> data given by TBB, of Windows 7 w/ Fx 17. Other than possibly mostly
> TBB users going to Panopticlick (skewing the data) to check browser
> uniqueness, I doubt 1 in every 76 users in the U.S. or world wide,
> truly have Fx 17 in Windows 7. Maybe I'm wrong.
>
> I just wondered if others have checked their regular Firefox & TBB
> uniqueness on eff's site, to see if the data shown seems accurate for
> their system?

There's something quite odd about the EFF / Panopticlick browser fingerprinting site. All (I) have to do to drastically lower the uniqueness of my browser, is revisit the site several times, clearing cache between visits.

No cookies are set, so that doesn't affect outcome. In fact, the "bits of identifying information" shown in results chart largely remain identical (except screen size sometimes changes), but their estimate of "One in X browsers have the same fingerprint as yours," keeps going down dramatically - each time I re run the test.

There's something wrong w/ their "result analysis." Same browser, showing same bits of identifying data, can't go from uniqueness of 1 in 3 mil, to 1 in 1.7 mil, to 1 in 700 K, to 1 in 500 K, when nothing's changed in the parameters that it is recording to arrive at the analysis.