Hi Rohit,
Please check the ticket #11949 and the comment by Georg: https://trac.torproject.org/projects/tor/ticket/11949#comment:1
TL;DR research on the advantages of randomization over the current approach (making everyone look like same) may be useful before starting with the actual implementation.
Also, please check this thread on the limitations of JS hooks: https://lists.torproject.org/pipermail/tbb-dev/2014-June/000073.html
You can fool some fingerprinters by spoofing browser properties but more advanced scripts can easily uncover the real browser/device attributes by checking specific functionality [1] or using "side-channels" [2].
[1] see, "Evolution of functionality" subsection on https://seclab.cs.ucsb.edu/media/uploads/papers/sp2013_cookieless.pdf#page=1...
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=418986, see, esp. Camillo's test vectors.
Gunes
On 02/12/2015 06:12 PM, l.m wrote:
Hi,
For anonymous scraping it could certainly be useful. This poses a problem as far as making Tor Project look as if it supports autonomous anonymous scraping of web data. Ultimately this impression could lead to even more blocking of Tor exits. Another problem with the idea of a randomized fingerprint is that it breaks useability. It might be great for scraping but web sites rely on knowing some of those parameters for proper display. Finally it's worth mentioning that the goal of TBB fingerprinting is to reduce entropy within TBB's user base. A random fingerprint violates this constraint.
I'm not commenting on gsoc eligibility
+1 --just that it's an edge case
which will lead to blocking of Tor's exits. If more exit get blocked then you cannot scrape.
--leeroy
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev