
7 November 2011

Is Tor Anonymity Reduced by Cookies


From: Andrew Lewman <andrew[at]torproject.org>
To: tor-talk[at]lists.torproject.org
Date: Sun, 6 Nov 2011 21:32:33 -0500
Subject: Re: [tor-talk] New Browser Bundle

On Sunday, November 06, 2011 15:15:21 Joe Btfsplk wrote:

> I can't imagine cookies or Javascript being enabled globally.  I won't
> leave those default settings.   Cookies from "regular old web sites"
> aren't necessarily the benign "little files a web site places on your
> computer to enhance the use of our site," that they used to be.  Maybe
> need to read up on what "little old cookies" from avg sites can do now.
> Having them enabled globally - in Tor or regular Firefox - doesn't seem
> like a good idea.  Nor does having Javascript globally enabled.

I'd like to see someone do research that proves or disproves this fear that javascript and cookies everywhere is hazardous to the anonymity of a tor user. I don't know a better setting for noscript. I know what I use for settings when I use the default TBB setup. 

If you use collusion with TBB, you'll see the various connections made to the current browsing session. http://collusion.toolness.org/. I frequently hit 'new identity' to wipe the cache/cookies.

In my world, I'd replace noscript with requestpolicy. If you never request the 3rd party sites, then you cut out lots of risks/cruft, in theory. This is the core idea behind requestpolicy.  Unfortunately, this breaks lots of websites and would freak out most tor users. However, this is another fine study to undertake.

Intuitively it sounds bad, yes.  However, I'd like to see baseline research and then settings changes that are proven to improve anonymity for the user. Of course, 'improve anonymity' implies some sort of measurement, which ties into

https://blog.torproject.org/blog/research-problem-measuring-safety-tor-network

--

Andrew

pgp 0x74ED336B

_______________________________________________

tor-talk mailing list
tor-talk[at]lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Date: Mon, 07 Nov 2011 10:08:57 +0000
From: tor[at]lists.grepular.com
To: tor-talk[at]lists.torproject.org
Subject: Re: [tor-talk] New Browser Bundle

On 07/11/11 02:32, Andrew Lewman wrote:

> I'd like to see someone do research that proves or disproves this fear that
> javascript and cookies everywhere is hazardous to the anonymity of a tor user.

I don't think any research is required to know that "third party" cookies at least, are used to track users across sites. And that tracking Tor users across sites is very likely to reduce their anonymity.

If you don't want to disable cookies altogether, I'd at least recommend disabling third party ones. If you think that will affect the user experience badly, it's worth noting that Apple disables third party cookies by default in Safari, so it can't be all that bad... I've not personally come across any sites where it has caused problems for me, but I will admit that such sites must exist.

> In my world, I'd replace noscript with requestpolicy. If you never request the
> 3rd party sites, then you cut out lots of risks/cruft, in theory. This is the
> core idea behind requestpolicy.  Unfortunately, this breaks lots of websites
> and would freak out most tor users. However, this is another fine study to
> undertake.

I use both. RequestPolicy is definitely much more difficult to maintain, but makes your browsing experience so much safer. I don't think the average user is going to be happy with RequestPolicy in its current form. FYI, you'll find my name on https://www.requestpolicy.com/about

--

Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
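
The cross-site linking discussed in this thread, as an added example that is not part of either message: a toy Python model of a browser cookie jar, with one third-party host (the hypothetical `tracker.example`) embedded on three constructed sites. It compares cookies enabled everywhere, third-party cookies blocked, third-party requests blocked (the RequestPolicy idea), and wiping cookies after every page as "new identity" does; all class and function names are assumptions made for the illustration.

```python
import itertools
from urllib.parse import urlparse

TRACKER = "tracker.example"  # hypothetical third-party host embedded on every page
VISITS = ["https://news.example/", "https://forum.example/", "https://shop.example/"]  # constructed

class Tracker:
    """Third-party server: issues an ID cookie and logs which site each ID was seen on."""
    def __init__(self):
        self._next = itertools.count(1)
        self.seen = {}  # cookie ID -> set of first-party sites

    def handle(self, cookie, first_party):
        uid = cookie or f"id{next(self._next)}"  # no cookie sent: mint a new ID
        self.seen.setdefault(uid, set()).add(first_party)  # site learned via Referer
        return uid  # value of the Set-Cookie response header

class Browser:
    def __init__(self, tracker, policy):
        self.tracker, self.policy, self.jar = tracker, policy, {}

    def visit(self, url):
        site = urlparse(url).hostname
        if self.policy == "block-requests":
            return  # RequestPolicy idea: the third-party request is never made
        keep = self.policy == "allow-all"  # "block-3p-cookies": neither send nor store
        uid = self.tracker.handle(self.jar.get(TRACKER) if keep else None, site)
        if keep:
            self.jar[TRACKER] = uid

    def new_identity(self):
        self.jar.clear()  # models only the cookie wipe

def max_sites_linked(policy, new_identity_each_page=False):
    """Largest number of distinct sites the tracker can tie to a single cookie ID."""
    tracker = Tracker()
    browser = Browser(tracker, policy)
    for url in VISITS:
        browser.visit(url)
        if new_identity_each_page:
            browser.new_identity()
    return max((len(sites) for sites in tracker.seen.values()), default=0)

if __name__ == "__main__":
    for policy in ("allow-all", "block-3p-cookies", "block-requests"):
        print(policy, max_sites_linked(policy))
    print("allow-all + new identity per page", max_sites_linked("allow-all", True))
```

With third-party cookies blocked the tracker still receives one request per page, which the model records as three unlinked IDs; linking by means other than cookies is outside what it models.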
