[Requesting Help] Battle against Fingerprinting - How to get good results on fingerprinting tests with commons browsers?

I care of global anonymity and fingerprinting, as they pair with each others anyway (if i didn’t misundersting anything along the way). I’ve start to make a lab and add elements one by one while testing them. Actually i’ve just a router and my pi-hole using DNSCrypt protocol and no logs server + relays. I’m used to VM machines so it’s not my next step. I really look forward to integrate a VPN with no logs and efficient as it can be. Tor Browser seems to be a well coded browser so that’s why i was thinking of using it as browser and set it up with a VPN without using TOR network.

As the video shown upward linked by @a553d43c-f7fa-483a-8 , there is many ways to get caught with TOR browser. And be stuck with this low speed forever seems to be an issue for me, because when you are in, you can’t get out. Also TOR network is really known by know and there is also the US government problem : https://www.whoishostingthis.com/blog/2014/11/17/who-funded-tor/

For me it seems like a big honey pot. Peoples asking for privacy are redirected to TOR and US Government is gathering their datas on their network. I speak with the informations i’ve collected here and there on the subject, but it always seems like it’s just a question of luck if you goes on the bad time at the wrong place.

Maybe am i wrong, i don’t have the chance to speak of it with TOR users everyday so it’s (sadly) just my own opinion.

Thank you again for your answers it’s helpful anyway.

Oh, I forgot to mention, there’s an option on uB O to block all javascript by defautl, there’s also an option to block media larger than 50kb and fonts. I guess it was probably that. Still, you need to activate JS in order for the test to work.

Well, I would dare to say that’s how it is, my questions were kind of rhetoric, the ways in which fingerprint is used by these websites is not enough to de-anonymize users. Stuff like keystroke, mouse and writing patterns on the other hand, sure are enough to pinpoint certain list of subjects.

Also read https://matt.traudt.xyz/p/mRikAa4h.html it is shorter than the video.

No.

So you was on FF with ghacks standard file + privacyio recommanded settings ? That’s it ? Are you avoiding the question ? Or do i need to be more specific ? If you are not comfortable with sharing on this, just tell it to me, i can understand, i will not bother you with this :slight_smile:

If it was rhetoric it would mean by a way or another that i should trust you on word at that time, because i didn’t read more than 2 serious studies and some papers on blogging website for this subject. I’ve references to read but it’s a lot of work so it will take time.

Oh sorry ! I was not speaking about going through Tor or exiting through Tor network by a VPN, just using Tor Browser as a browser and configuring it to use a VPN. I was not thinking about entering on Tor network. I’ve seen the video by the way, really understandable one. Thank you for the paper.

Ok, i guess (?)

its under whonix…I mean whonix is regularly updated so their browser must be too

What’s even that?

Be aware, SecBrowser is not a part of the Tor Project, it hasn’t been audited, the team behind is way smaller and therefore there’s no way to know if there are hidden vulnerabilities.

If you saw the video, and understood it correctly, you’ll see that all the people who were de-anonymized were because of their own fault. Some didn’t use a bridge, some forgot to use Tor once therefore their account was compromised, some linked their AFK identities with their illegal activities, etc.

And in this video, one of Tor project’s developer debunks a lot of myths, for example that because one state agency created Tor it shouldn’t be trusted. It is no longer maintained by that agency, it receives funding from state agencies relating to science, no by the NSA or CIA, the code is open source and it’s probably one of the most audited projects that exists, if there were some kind of backdoor everyone would know about it.
https://invidio.us/watch?v=Di7qAVidy1Y

You’re just plain wrong, if you want anonymity there’s nothing that can bring you that as Tor. Again, it’s open source, it’s probably the most audited project in existance, most of the data collected by Tor is through nodes and they collect very little, in fact is one of the topics of the video above; how hard it is for them to study their project because of that.

1 Like

No, TorBirdy is under the Tor project and it’s basically achieved EOL, and that’s just to mention one of their projects that has died, I think they have two instant messengers on the cemetery.

nah, i not get it. more info
Also i mean SecBrowser is same as tor browser except it’s not connecting to tor network so it have all tweaks that tor have so yeah its good alt

What I mean is, just because a project is under the wing of another which is big and well known does not mean that the child project is going to be kept up to date. My example was TorBirdy -which is an add-on to ThunderBird developed by The Tor Project to traffic your e-mails through Tor-, because even though TBB is always kept up to date, some of their other projects aren’t. In fact, a lot of their secondary ones have died with the years.
This is analogous to Whonix, which is a reputable OS and the development is updated regularly, but that doesn’t mean that their browser is.

1 Like

I didn’t speak of SecBrowser there.

Privacy and anonymity is not just a safe browser for me. It’s a mind state, a way of living. So it’s needed to see the global picture of how things works and consider that there is not a unique solution, but a solution for each people made by their choices. Every solutions as risks. That’s what i mean and what i’m trying to learn. Global thinking about privacy and anonymity.

Even if most of the case is due to human failure, it’s not at one hundred percent. In the video you see also DNS leak stuff, correlation attacks and for that you also need to have access to relays, so three capital agency can have access to it. If we have seen the same video.
Also in your answers you seems to say there is only one way to understand and see things, i’m not comfortable with that, it’s maybe just an impression, i didn’t mean to offense you.

Then explain me why TOR is more secured and safe then multiple VPN outside the 14 eyes countries with sources (even technical ones), please.

Correlation attacks on its own are not enough a lot of the times, they can just decrease the possible zone where the target lives keeping in mind the time of their communication, and from the two correlation attacks in the video one was captured because they were using the fucking internet connection where they were bomb threatening and not using a bridge (the ISP can see you are using Tor, but not which web sites you are visiting), and the other, Dread Pirate Roberts, committed a lot of stupids mistakes which basically made obvious the fact that he was the one behind the Silk Road; when interrogated by the FBI about the fake IDs he basically told them “You can buy that on the SR, but it wasn’t me”.
You don’t need relays for a correlation attack. A correlation attack is done by packet inspecting, analyzing when the victim uses internet to see in which timezone they live, and similar practices. State agencies can run relays, so what? They can’t choose to be the three nodes used by a user, and they don’t need to do this, they literally have a backup of every major service they can steal or ask information for surveillance purposes and even themselves use Tor.

In this case it is, there are no backdoors or known exploits to de-anonymize Tor users so far, there have been in the past, but that is normal for every project and that happened when TBB was on its infancy. I am not offended, I’m just a bit tired of hearing people thinking that Tor is not to be trusted basing their opinions on FUD.

Tor is a zero trust network, unlike VPNs. You don’t need to trust every single guard, middle or exit node and be friends with them to know your information is secure. Through every hop the information is encrypted and they can’t know where you came from and where you are going, or who you are.
Tor is decentralized, unlike VPNs. Every single node run by a VPN provider is owned by them -in the best scenario-, or rented to a 3rd party; whereas on Tor, on the other hand, it’s impossible for a single entity to posses all of the relays on the network, there may be some organizations which run more than one but you will never face the same level of centralization. Also, each node does not have contact with each other, or with their users.
Tor is almost untraceable, unlike VPNs. If you ever got caught doing some sort of illegal activities, whether or not this are considered a right in other places in the world, and you were using a VPN the government has to send a sub-poena to the provider and (in the best case scenario that their no log policy is true; there’s no way to verify this, and remember, “We kill people based on metadata”) in most cases they will have to comply and give them what they got. Since Tor nodes don’t connect with each other, and don’t know where the user came from, or where did they go, and all data and metadata is encrypted, cannot provide authorities with any kind of information, and again people who run relays live in a lot of places in the world, sub-poena becomes a lot harder since there are a lot of different jurisdictions if you would be trying to catch one person.

Read this brief article about how BoingBoing handle a sub-poena by authorities asking them for data on their exit node, now imagine how bad that would have gone if the owner of the hop would have been a VPN provider.

1 Like

Well thank you for your contribution, also i would like to know…

  • Is there any tool to create false ID to subscribe to any internet services ?
  • Is there any opensource and trustworthy service to protect your phone number for calls and text messages, with spoofing for example (in EU) ? ( or TOR-seemslike solution)
  • Also does exist a solution to gather delivered packages not from your personnal address ?

Regards

There’s https://www.fakenamegenerator.com/ but I don’t think you can use it to pay for your Netflix subscription for example, just to spoof information.

I don’t think so, messages and calls are received by antennae so they have a way to know who you are. Silence encrypts text messages but you would need the receiver to use it too and this still isn’t foolproof, you better use a private IM.

I doubt it, your best bet is to talk with the person at mail and tell them something like “I wrote my name wrong could I still get my package?”.

I know it exist non-free solutions like virtual numbers services but i don’t know which of those can be reliable. They are many of it. At least i really would like to give fake number to internet services and others. If i can hide my number with another one it coulb be an enhancement to my privacy. What do you mean by IM ?

Maybe i could try relays from shops for that.

Should i create an other post for those questions and make this one as resolve ? Even if using TOR Browser couldn’t match for me as it’s really really to slow for me, and i need to internet to work many times and not to mention issues with paypal so…

Yes, there are online services which provide a virtual number but the uses you can give to them are a bit limited; some companies will not accept them for example if you are trying to verify with them. A good rule is that if the service you are using requires a phone number your are probably better if not using it, 2FA with text messages is really insecure and most of the times it’s just an excuse to steal your number and sell it to ad companies. By IM I meant “Instant Messengers”.

https://crypton.sh/ This is the best solution out there that I could find, if you can afford it, obviously.

Maybe, I would try to buy as many things AFK if you can, if you live in a 1st world country I’m sure you will find a good variety of products in store.

Yes, probably, although buying stuff online without leaving a trace doesn’t have a 100% foolproof solution, I’m sure some other people have already asked about this on this forum. Were you using Tor on Safest mode? Because I’ve been using it lately and TBH it works really fast in Safer mode, and my internet bandwidth is of 100mbs which I presume is not a lot.

If you are using a service that already has your real identity on it I don’t see the point on using Tor…

1 Like

Thank you for Crypton seems nice !

Sure. And for many reasons i try to buy things locally, but sometimes the price is 50% or 75% more then on internet.

Okay i will take a look before creating a new post as usual then.
For TOR in Safest yeah, since for know i don’t know the differences and the real impact on privacy for those settings.

As i’ve said before i do things step by steps.
I look forward to false ID and bitcoin to enhance my privacy but if i really want to fully understand what i do it will need some work and some questions :slight_smile:
Maybe a paypal account with false informations can do the work for most of web retailers i think, i can still use. I can buy transcash credit cards locally or with bitcoin for example. No ?

Don¿t count on Bitcorn for privacy, it wasn’t designed like that, nor will add-on make it private.

If you want private transactions, use a dedicated privacy coin like Zcash, Monero or Zcoin

From Matt Traudt’s blog:

Disabling JavaScript / setting the security slider to its highest setting

This is unnecessary for the majority of adversary models and will make the web significantly less usable.

The only people who have had significant JavaScript exploits used against them in Tor Browser were pedophiles using Windows. This suggests to me (and security experts in general, AKA not people that read “tech news” and parrot everything they read) that these exploits are rare, expensive, and hard to replace. Thus they aren’t going to be used against random people because the risk of the exploit being discovered and fixed is too great.

Setting the security slider to its highest setting does remove JavaScript as a possible attack vector. So as long as you set it there consciously, are aware much of the web may break, I support your choice to disable it. I especially support it if you have legitimate concerns that JavaScript exploits may be used against you, not just dumb paranoia.

Move it to Safer, it will work much faster.

I say you should mark this discussion as solved and start new discussion if you have more questions, so people in the future can easily skim through this one in search of answers, and you will get more people involved and different voices.
But in brief, no, Bitcoin is not going to bring you anonymity. I would trust Monero, Zcash, Komodo or Pirate Chain, but you can’t buy as many things with them as with BTC.

1 Like

I tested fingerprint via Tor by visiting https://www.amiunique.org. And it recognized I’m using Linux. But shouldn’t all trackers see Tor as a Windows browser?

Suggestions have been made that TOR browser provides the best protection .

You can always connect via a VPN, and browse from inside a different virtual machine, using a different browser and changing OS’s every month.