ironic how this is posted below an article that says that testing websites are not reliable and that you should not read into the results unless you understand them
Turns out, he is not talking about the kind of people I fit in. I am using Tor for more than a decade at this point, and have been a very avid I2P torrent user as well since many years. If not the same, I compare pretty well in experience in this aspect.
He is talking about the kind of people who open Panopticon for fingerprint tests and misread the fractions and decimal numbers and information there when comparing, and then scream on reddit with misinterpreted posts aimed to get awards and upvotes at the cost of sanity of many people.
deviceinfo.me is not the kind of site and data used for demonstrations he is talking about. I have a fair amount of experience to make this claim.
To expand on the attacks that are mitigated, avoidance is a better measure than mitigation. Hence the reason why I say noJS is a better policy, the next best is turning on JS manually when needed. Keeping JS on all the time is a fool’s errand if they want to go beyond standard levels of privacy and anonymity. The author himself mentions in the last line as a subtle disclaimer why it can be a choice.
You know how gait movements IRL work? Turns out, Google Recaptcha makes very good use of how you move and click with cursor on the captcha boxes. If you thought AI/ML image training was the only thing Google was making users do, now you know something new.
You want to know what a JS enabled Tor Browser looks like? A standard Firefox private mode tab with uBlock Origin medium mode and arkenfox user.js applied.
that’s simply not true. TB has further enhancement and code changes, it is based on ESR plus it’s not the same as a private window at all since private mode does not write to disk for example. most importantly tho: TB has crowd and the Tor network
Firefox has a bigger userbase than Tor Browser users, and it is a pretty uncontested claim logically. Firefox has Tor Project’s code for anti fingerprinting and per site data isolation upstreamed to Firefox’s private browsing mode since the past 15-20 or so versions now.
usability, a browser with JS disabled by default is not a good everyday browser for most. the more people use Tor Browser daily and have a good experience with it, the larger the crowd gets.
Does that not make the argument for Firefox stronger for regular daily browsing usage, since it has an even bigger userbase? You can use uBlock Origin and you can enjoy Tor Browser’s dFPI and per site data isolation benefits in Firefox’s private browsing mode.
I also don’t get what the difference between typing private stuff on facebook on tor or behind a vpn or on your ISP’s network is.
You missed where I said how having JS on means you are keylogged easily. Your caps lock is also detectable, just to be clear. You are also forgetting that making strings out of this keylogged stuff, and then applying stylometry analysis is a very easy and cost effective way into unmasking identities behind pseudonyms. I do this myself regularly as part of OSINT investigations. It is how I have also unmasked many sockpuppets on Lemmy, Matrix, Reddit in the past few years.
The author has a very agreeable position with me on what he speaks, but it is like how anti-imperialist viewpoints sound very correct in today’s political scenario, but every single nuance does not have to be perfect to get the idea across. He is getting the idea across here, and that is why you are arguing at length with me.
Edit: I think this explanation is lacking. I must expand on it.
First I will get out of the way elements that can be spoofed with JS on:
Now it is time to address elements which having JS on reveals. Feel free to correct me whatever is spoofed by Tor Browser.
Monitor colour depth support may not be a significant issue, as many have standard monitors.
Can you explain me how these are spoofed in Tor Browser while having JS on? I have ignored the fonts as those are spoofed, and there are no timing attack vectors in this list. The last bullet point, if you want to talk about, can be used to identify if someone used a really fast connection ISP at an unusual place and time.
Nameserver connections can be a possible issue with exit node identification, if we are to assume the OPSEC of an average journalist just downloading and using Tor Browser on any machine. If we assume relays can protect them, we have other vectors here, like…
… page scroll and mouse cursor positions, caps lock on or off, last key pressed.
Keylogging, as explained earlier, is a very cost effective way to unmask people. Telling people on top of it to feel free to use a personal Facebook account over Tor network, puts them in the mindset of typing personally identifiable messages, even becoming trackable down to how many errors a person makes and hits Backspace key. Imagine people typing messages under a pseudonym on a forum anonymously in a couple tabs besides the Facebook/Twitter tab, and writing with the same mental personality in mind.
I think this reply now feels a little more apt.
I just ran TBB and used deviceinfo.me to verify, what JS vs noJS can reveal. Here, JS reveals all this information, noJS does not.
Can the author explain me why keeping JS on is so helpful, if your goals go beyond basic privacy expectations?
You want to know what a JS enabled Tor Browser looks like? A standard Firefox private mode tab with uBlock Origin medium mode and arkenfox user.js applied.
Edit: I forgot to address this one
may I ask why? I generally agree with the sentiment of the article but I don’t have a very strong opinion on this and maybe I’m missing something. PS I don’t think the usual “I will end up in a list of people who use Tor” argument is a valid one.
People have a habit of typing stuff where they should not, and using literally something like a personal Facebook account over Tor and typing PII should have no opinion other than that it can be risky. All the above information I mentioned is trackable for even a single JS script allowed, and any website where you have such a personal account likely is not a very privacy respecting entity that will allow you to live JS free.
There’s generally nothing wrong with logging in to “real” accounts over Tor.
Tor Browser intelligently isolates your traffic so logging in to your “real” Facebook while doing secret stuff on a different website is not correlate-able via traffic patterns.
It also isolates local state (like cookies) so it won’t leak that way.
I found this problematic. He is encouraging the use of PII accounts over Tor, which is a very risky thing to do for someone not familiar with how to make and stick to an OPSEC.
A lot of his advice is actually what I practice and preach, but this and the JavaScript one makes me feel less confident here. Preferring JavaScript stay disabled is a better choice, the next best is only allowing JavaScript when needed momentarily. This is why TailsOS which ships with a uBlock Origin Tor Browser is more helpful.
That article is a… bit conflating in terms of privacy and anonymity. The whole idea of a VPN has been discarded by the writer just because there is a paywall around it. People can use it for using SaaS like games, streaming platforms to acquire contextual anonymity and/or security.
A very popular use is for torrenting as well, and some trackers do not like same IP being abused by many people, so IP range blocks also exist. VPNs help bypass those as well.
The amount of people who have made that phrase problematic is wrong on many levels. It is what Nazis and racists do. Nazis first tilted Hindu Swastika to a 45° on left and made it their symbol, now they are using Nordic mythology symbols as their own. They take common language and symbols and adopt them to grift into masses’ discussions.
No, GrapheneOS developer and community is disgusting and for the most part FUD spreaders. Plenty people who dumped GrapheneOS know how toxic and unhelpful the community is. They are a bunch of rabid dogs on the internet (Techlore community called them that) that troll and attempt to shut down any criticism.
Look no further https://lemmy.ml/post/128747?scrollToComments=true
No need for custom ROM, no need for special phone, my guide works on any non rooted Android and is well known in the community.
Do not fall for this insane tech privacy obsession scheme and all the favourite phone brands and models. Pick a nice phone model, avoid Samsung if possible. Do the guide steps and you are good to go.
A $200-300 phone every 4 years, with a $20-50 official battery replacement every 2 years is a very cheap way of getting things done. The phone will cost you basically $7/month and should be a nice escape from this capitalistic hyper consumerism model people are sold.
I see a set pattern, 3-4 downvoters on each comment explaining socialism, and the opposing comments having equal upvotes. Are you so terrified of a superior ideology, wolves-in-sheep-clothing internet users?
The most fun part is user account Orwell (@Owell1984), literally a fascist figure, created this question post.
I also strongly recommend you read the wikipedia page on reverse racism, aka anti-white racism. Have a good day!
Are you suggesting anti-white racism is a thing? Funny idea for someone who likes to think of themself as anti-imperialist…
Pick one.
You can stop using internet right now. There are closed source bits of code in the JS you run off of websites natively. If you are not using LibreJS and IceCat, you have already been assimilated.