(Moving this discussion to anti-censorship-team@. See below for context.)
On Wed, Apr 29, 2020 at 11:35:48PM +0000, soncyq47 wrote:
---MY EMAIL HAS 3 PARTS SO PLEASE READ IT ALL---
I believe it's feasible (albeit not trivial) for an adversary to modify these fingerprints, e.g., by making Firefox believe that it runs under a different screen resolution, has a variety of apps installed, etc.
/1./ It's obviously possible to spoof a few things. The point I was making is that there are like 20 or 50, if not more aspects of the fingerprint, and we can measure it all, so it's practically impossible to spoof them all. We could just then group similar fingerprints together.
I think I'm missing something here. Doesn't it suffice for an adversary to tamper with a single feature to create a new browser fingerprint, and thus obtain different bridges? I suppose it would depend on how the server derives its fingerprints.
It's not a bad idea but I'm not convinced that the implementation effort would be worth the outcome.
Another issue is that for this to work, we would have to store the fingerprint of requesting users and we would rather not store unique, user-specific identifiers.
This problem might be slightly mitigated with federation. But I totally agree with the privacy issue you're saying.
/2./ I have a theory for why paid VPNs get blocked less, maybe the operators of the GFW can't get access to an American credit card, so the VPN doesn't have to worry about IP distribution, just the encryption algorithm.
I don't have any thoughts on this.
/3./ What about SMS distribution. I know there are tricks to get lots of numbers, but what I've seen is usually limited to one country, so we could just separate area codes into different distribution buckets.
Again, not necessarily a bad idea but expensive to build. Our resources are very limited and we need to be rather confident that something works out before investing a substantial amount of development time.
Please reply about what you think of my 3 points. Cheers
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Wednesday, April 29, 2020 4:16 PM, Philipp WInter phw@nymity.ch wrote:
On Tue, Apr 28, 2020 at 09:52:29PM +0000, soncyq47 wrote:
Sorry I don't understand Selenium very well, but in terms of automating, each fingerprint only gets one bridge, so if you keep automatically asking you just keep getting the same address over and over.
I believe it's feasible (albeit not trivial) for an adversary to modify these fingerprints, e.g., by making Firefox believe that it runs under a different screen resolution, has a variety of apps installed, etc.
Another issue is that for this to work, we would have to store the fingerprint of requesting users and we would rather not store unique, user-specific identifiers.
Cheers, Philipp