From: chris on 3 Feb 2010 04:12

On 02/02/10 15:45, Pd wrote:
> James Taylor<usenet(a)oakseed.demon.co.uk.invalid> wrote:
>
>> <http://panopticlick.eff.org/about.php>
>>
>> Go to the homepage and click the "Test Me" button. It would be interesting
>> to see what kind of results Apple users get. I get a uniqueness rating of
>> one in 256,032, but then I'm using Linux and have my browser fairly
>> heavily locked down, which is unusual.
>
> I'm not sure you've represented that right. I've just done it on Safari,
> and it says "Your browser fingerprint appears to be unique among the
> 513,301 tested so far." Which means a website can identify me pretty
> accurately. It would be interesting to try again from a different
> internet connection, and see if it says I'm one of two in half a
> million, so probably the same one who logged in earlier.

That's a good point. What does that value actually mean? Is a large number good or bad? Does it mean I am similar to the 500,000 or different?

'Uniqueness' is such a horrible word.
From: Woody on 3 Feb 2010 04:19

chris <ithinkiam(a)gmail.com> wrote:
> On 02/02/10 15:45, Pd wrote:
> > James Taylor<usenet(a)oakseed.demon.co.uk.invalid> wrote:
> >
> >> <http://panopticlick.eff.org/about.php>
> >>
> >> Go to the homepage and click the "Test Me" button. It would be interesting
> >> to see what kind of results Apple users get. I get a uniqueness rating of
> >> one in 256,032, but then I'm using Linux and have my browser fairly
> >> heavily locked down, which is unusual.
> >
> > I'm not sure you've represented that right. I've just done it on Safari,
> > and it says "Your browser fingerprint appears to be unique among the
> > 513,301 tested so far." Which means a website can identify me pretty
> > accurately. It would be interesting to try again from a different
> > internet connection, and see if it says I'm one of two in half a
> > million, so probably the same one who logged in earlier.
>
> That's a good point. What does that value actually mean? Is a large
> number good or bad? Does it mean I am similar to the 500,000 or different?
>
> 'Uniqueness' is such a horrible word.

It means that in all the browsers they have tested so far you can be individually identified. The larger the number the worse it is (but the number only goes to 500,000, as that is how many records there are). If you were (say) 1 in 3, that means it would be virtually impossible to say who you were, unless there were only 2 other people.

--
Woody
From: James Taylor on 3 Feb 2010 04:35

Rowland McDonnell wrote:
> James Taylor wrote:
>
>> I still worry about a uniqueness of 1 in 256000 though because if, for
>> example, I carried my laptop around while travelling through Burma or
>> China in the belief that I'm safer checking my email that way than by
>> using Internet cafe machines, then I'm probably sufficiently unique to
>> be trackable as I move around the country.
>
> Solution: set up a VM running an absolutely bog standard installation
> with no extras at all - except for that which will turn off Javascript.
> Then test it against <http://panopticlick.eff.org/> and fiddle until
> you've found a set of common signatures.
>
> Then set up multiple VMs, each with a user account that's `plain'.

Not a bad idea. I already have a VM set up on my "work" system, so I could just use that.

> But I'd assume that I were trackable if I were using the Web in China or
> the UK or anywhere else that the government pries excessively into
> personal privacy - unless I was using correctly set-up special privacy
> software, such as TOR.
>
> <http://www.torproject.org/>

Oh no, you'd be crazy to use Tor in such countries. They will know all the IP addresses of Tor nodes and have automatic detection systems flagging up whenever anyone uses them. Doing so would be broadcasting loudly that you were up to no good.

People often misunderstand the purpose and limitations of Tor. All it does is mask the user's true IP address so the operator of a server cannot see where the user came from. It does this in such a way that even an omniscient observer (a government, NSA, etc.) able to watch all Tor activity would not be able to reliably distinguish that user from any of the other users of the Tor network. However, it cannot hide the fact that a user is using Tor. Also, while Tor uses encryption within the Tor system, traffic must eventually arrive at the final node where it is fully decrypted and sent out in the clear to the destination. The user must therefore trust the final node not to be sniffing or altering the traffic as it passes.

Given that Tor is necessarily slow and introduces considerable delay and jitter, the kind of traffic being carried over the Tor network is mainly that which people have a reason to hide, and thus exactly the kind of traffic that governments and law enforcement agencies have good reason to be monitoring in expectation of rich pickings. Even if the stated operator of a final Tor node is trustworthy (and not just a front for another NSA-operated node) you nevertheless can bet that governments have invested a good portion of their budget installing remote sniffing and traffic injection devices upstream from all Tor nodes in existence. They'd be very stupid not to. Not only does this allow them to capture sensitive data that may identify users, but it also allows them to monkey around with the traffic as it passes through in order to cause the user at the other end to reveal himself.

There are very few ways you can use Tor without being susceptible to being monitored, identified, and even exploited by a silent spyware injection. Those who use Tor are putting themselves at far greater risk than those who don't unless they have the skill to use it carefully enough, e.g. by using an ssh tunnel through to an endpoint server that isn't being monitored, but this assumes the NSA can't crack ssh (a very shaky assumption) and that they wouldn't just put a monitor on the endpoint, and it also means the user's IP is traceable to the endpoint, thus undermining one aspect of what Tor was being used for in the first place. It's a no-win situation.

> Don't worry TOO much about the Burmese authorities - *they* don't have
> the sophistication available to the UK or Chinese governments,

I think that's naive. All oppressive states have a strong motive to spend a big portion of their resources on the appropriate monitoring equipment. There are clever people in every nation, but the Burmese will have what they need whether they develop it themselves or buy it in.

> But I'd assume that I'd have to use TOR for any sort of privacy;

Anonymity in the crowd is your best protection, not skulking around in the shadows of Tor, which is being so closely scrutinised.

> I'd also assume (now) that using a given Web browser in a given
> configuration is pretty much uniquely identifiable in an intelligence
> rather than evidence sense.

Correct.

> So if one is going to use TOR, one must use a separate user account with
> everything set up differently so that at least they can't connect your
> TOR browsing with `Who you are in real life'.

Good idea, but it's not sufficient given the tricks that can be used to reveal your real IP. Add to that the technique of browser fingerprinting and you are easily identifiable.

--
James Taylor
From: Woody on 3 Feb 2010 05:19

James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
> Elliott Roper wrote:
>
> > I think your last observation may not be quite right. I was completely
> > unique in their whole population and my machine is relatively wide
> > open. They were able to score me uniquely on plugins and again on
> > fonts.
> > If I had Javascript off, they would not have been able to see the fonts.
>
> Ah, so the fact that I had JavaScript off was to my benefit. Good.
>
> I still worry about a uniqueness of 1 in 256000 though because if, for
> example, I carried my laptop around while travelling through Burma or
> China in the belief that I'm safer checking my email that way than by
> using Internet cafe machines, then I'm probably sufficiently unique to
> be trackable as I move around the country. If I were a journalist
> working to help political dissidents tell the world about atrocities
> committed by the governments of such oppressive regimes then I'd have
> good reason to be very concerned indeed, as the authorities would be
> able to pinpoint my geographical position every time I accessed the net,
> at least to the nearest Internet cafe, hotel, or wi-fi hotspot.

Uniqueness itself is not a major problem, it is identifiable uniqueness that is the problem. It would be quite a good idea to make an AppleScript or something that just changed your browser ID string slightly and then fired up the browser every time you wanted it. You would still be unique, but you would be a different unique every time.

--
Woody
From: Phil Taylor on 3 Feb 2010 05:54

In article <1jdc1kv.1gk5q3a1kzvxp4N%usenet(a)alienrat.co.uk>, Woody <usenet(a)alienrat.co.uk> wrote:
> James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
>
> > Elliott Roper wrote:
> >
> > > I think your last observation may not be quite right. I was completely
> > > unique in their whole population and my machine is relatively wide
> > > open. They were able to score me uniquely on plugins and again on
> > > fonts.
> > > If I had Javascript off, they would not have been able to see the fonts.
> >
> > Ah, so the fact that I had JavaScript off was to my benefit. Good.
> >
> > I still worry about a uniqueness of 1 in 256000 though because if, for
> > example, I carried my laptop around while travelling through Burma or
> > China in the belief that I'm safer checking my email that way than by
> > using Internet cafe machines, then I'm probably sufficiently unique to
> > be trackable as I move around the country. If I were a journalist
> > working to help political dissidents tell the world about atrocities
> > committed by the governments of such oppressive regimes then I'd have
> > good reason to be very concerned indeed, as the authorities would be
> > able to pinpoint my geographical position every time I accessed the net,
> > at least to the nearest Internet cafe, hotel, or wi-fi hotspot.
>
> Uniqueness itself is not a major problem, it is identifiable uniqueness
> that is the problem. It would be quite a good idea to make an
> AppleScript or something that just changed your browser ID string
> slightly and then fired up the browser every time you wanted it. You
> would still be unique, but you would be a different unique every time.

If you were the author of the browser, you could include an option to randomise not only the browser ID, but the information returned whenever the list of plugins, fonts etc. is requested. That would make the browser completely untrackable. I wonder if it's worth suggesting that to Alexander Clauss (author of iCab)?

On the subject of Flash cookies, does anybody know where they are stored and how they can be inspected or deleted?

Phil Taylor
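An added worked example, written for this thread and not code from any of the posters, from the EFF or from iCab, to make the two points above concrete. Woody's answer to chris (the "one in N" figure) is just the population size divided by the number of browsers whose observable attributes match yours, and the amount of identifying information is log2 of that, so "one in 256,032" is roughly 18 bits and "unique among 513,301" is about 19 bits. The script runs that calculation over a small constructed population of fingerprints (hypothetical records, not Panopticlick data), shows how much each attribute alone contributes, and then simulates the per-launch randomisation idea from Woody's and Phil Taylor's posts: perturbing only the user-agent string leaves every session linkable to a site that keys on plugins and fonts, while perturbing those too does not. The `r<hex>` suffix is a constructed stand-in for whatever a real tool would change; the `demo_sessions` helper exists only so the experiment is reproducible.

```python
import hashlib
import math
import random

# Observable attributes in each constructed record. With JavaScript off a site
# cannot enumerate plugins or fonts, which the thread notes reduces exposure.
FIELDS = ("user_agent", "plugins", "fonts", "timezone")

# Constructed sample population (hypothetical, not Panopticlick data).
POPULATION = [
    ("Safari/4.0 Mac OS X 10.6", "Flash;QuickTime", "Arial;Helvetica;Lucida Grande", "UTC+0"),
    ("Safari/4.0 Mac OS X 10.6", "Flash;QuickTime", "Arial;Helvetica;Lucida Grande", "UTC+0"),
    ("Safari/4.0 Mac OS X 10.6", "Flash;QuickTime", "Arial;Helvetica;Lucida Grande", "UTC+0"),
    ("Safari/4.0 Mac OS X 10.6", "Flash;QuickTime", "Arial;Helvetica;Lucida Grande;Zapfino", "UTC+0"),
    ("Firefox/3.6 Windows", "Flash", "Arial;Verdana", "UTC+0"),
    ("Firefox/3.6 Windows", "Flash", "Arial;Verdana", "UTC+0"),
    ("Firefox/3.6 Windows", "Flash;Java", "Arial;Verdana", "UTC-5"),
    ("Firefox/3.6 Linux", "", "", "UTC+0"),  # JavaScript off: plugins/fonts unreadable
    ("Firefox/3.6 Linux", "", "", "UTC+0"),
    ("iCab/4.7 Mac OS X 10.6", "Flash", "Arial;Helvetica", "UTC+1"),
]


def fingerprint(attrs):
    """Collapse the observable attributes into one opaque identifier, as a tracking site would."""
    return hashlib.sha256("|".join(attrs).encode("utf-8")).hexdigest()


def anonymity_set_size(record, population):
    """Number of browsers in the population that look exactly like this one (itself included)."""
    target = fingerprint(record)
    return sum(1 for r in population if fingerprint(r) == target)


def one_in(record, population):
    """Panopticlick-style 'one in N'. N == len(population) means unique among those tested."""
    return len(population) / anonymity_set_size(record, population)


def surprisal_bits(record, population):
    """Identifying information carried by the whole fingerprint, in bits (log2 of one-in-N)."""
    return math.log2(one_in(record, population))


def attribute_bits(record, population):
    """Per-attribute contribution: how many bits each field alone reveals about this browser."""
    result = {}
    for i, name in enumerate(FIELDS):
        matches = sum(1 for r in population if r[i] == record[i])
        result[name] = math.log2(len(population) / matches)
    return result


def randomised_sessions(record, sessions, rng, fields=("user_agent",)):
    """Simulate the per-launch randomisation idea: append a random suffix (a constructed
    stand-in for a real perturbation) to the chosen fields before each launch."""
    out = []
    for _ in range(sessions):
        rec = list(record)
        for name in fields:
            i = FIELDS.index(name)
            rec[i] = record[i] + " r" + format(rng.getrandbits(32), "08x")
        out.append(tuple(rec))
    return out


def distinct_ids(records, observed=FIELDS):
    """Identifiers a site sees when it keys only on the `observed` fields. A value equal to
    len(records) means no two sessions can be linked to each other."""
    idx = [FIELDS.index(n) for n in observed]
    return len({fingerprint(tuple(r[i] for i in idx)) for r in records})


def demo_sessions(seed=1, sessions=5):
    """Run the randomisation experiment on the constructed iCab record with a fixed seed."""
    base = POPULATION[9]
    ua_only = randomised_sessions(base, sessions, random.Random(seed))
    everything = randomised_sessions(base, sessions, random.Random(seed), fields=FIELDS)
    return {
        # UA randomised, site looks at everything: every launch is a new identity
        "ua_only_all_fields": distinct_ids(ua_only),
        # UA randomised, site ignores the UA: all launches collapse to one identity
        "ua_only_ignoring_ua": distinct_ids(ua_only, ("plugins", "fonts", "timezone")),
        # everything randomised, site ignores the UA: still unlinkable
        "all_fields_ignoring_ua": distinct_ids(everything, ("plugins", "fonts", "timezone")),
    }


if __name__ == "__main__":
    for rec in (POPULATION[0], POPULATION[3], POPULATION[7]):
        print(f"{rec[0]:<26} one in {one_in(rec, POPULATION):>4.1f} "
              f"({surprisal_bits(rec, POPULATION):.2f} bits) {attribute_bits(rec, POPULATION)}")
    print(demo_sessions())
```

The third figure in `demo_sessions` is the caveat behind Phil Taylor's suggestion: a site can choose which attributes to key on, so changing only the user-agent string defeats a site that trusts that string and nothing else, while a site that hashes plugins and fonts still sees the same browser come back each time.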