Silk Road forums

Discussion => Security => Topic started by: CHIU on July 06, 2013, 11:49 pm

Title: accessing SR without accepting cookie?
Post by: CHIU on July 06, 2013, 11:49 pm
I recently made a couple of updates to my browser settings to improve my anonymity. I then realized that my browser was accepting cookies, which are a major security fallacy, so I disabled them immediately. The result was that I couldn't log in to SR anymore. Obviously, making the connection between my decision to disable cookies and the fact that I couldn't log in to SR took a while, and it hasn't been a fun time!

I later checked and there are no cookies saved after being logged in to SR, but still, having the necessity to leave cookies enabled disturbs me a bit. Am I the only one having this problem with cookies to log in and/or just a security concern?
Title: Re: accessing SR without accepting cookie?
Post by: astor on July 07, 2013, 12:48 am
Yes, there is a cookie, it should say

session=<long random string>

and you need it to stay logged in. There's no way around it.

May I ask what changes you made to your browser to improve your anonymity? They may be harming your anonymity.

For example, not accepting cookies reduces your anonymity set to those Tor Browser users (well, hopefully you are using Tor Browser and not a regular browser) that don't accept cookies. That may be less than 1% of users. So your anonymity set is quite small through that change alone. A certain combination of changes in browser behavior could make you uniquely identifiable.
Title: Re: accessing SR without accepting cookie?
Post by: CHIU on July 07, 2013, 08:23 am
I'm using a Firefox browser on a bootable USB stick with Ubuntu to avoid leaking information and not leave traces on my machine.
I went through a couple of browser security tests online and I followed the browser settings suggested by the hidden wiki.

http://3suaolltfj2xjksb.onion/hiddenwiki/index.php?title=Browser_security#Browser_Settings

My Firefox is now set using the above settings, and the security tests look better. However, I recently had the browser uniqueness test on (CLEARNET) https://panopticlick.eff.org/ and the results were not impressive. As you said, because of my settings my browser seems quite unique. So, I read their work on browser fingerprints:

"Examples of measures that might be intended to improve privacy but which appear to be ineffective or even potentially counterproductive in the face of fingerprinting include Flash blocking (the mean surprisal of browsers with Flash blockers is 18.7), and User Agent alteration (see note 3). A small group of users had “Privoxy” in their User Agent strings; those User Agents alone averaged 15.5 bits of surprisal. All 7 users of the purportedly privacy-enhancing “Browzar” browser were unique in our dataset. There are some commendable exceptions to this paradox. TorButton has evolved to give considerable thought to fingerprint resistance [19] and may be receiving the levels of scrutiny necessary to succeed in that project [15]. NoScript is a useful privacy enhancing technology that seems to reduce fingerprintability."

I'm not using any of these add-ons, but I have other ones installed (adblock, masking agent, less spam, https everywhere, ... ). Should I uninstall them?

Title: Re: accessing SR without accepting cookie?
Post by: astor on July 07, 2013, 09:05 am
"My Firefox is now set using the above settings, and the security tests look better. However, I recently had the browser uniqueness test on (CLEARNET) https://panopticlick.eff.org/ and the results were not impressive. As you said, because of my settings my browser seems quite unique. So, I read their work on browser fingerprints:"

When I look at the individual items in the Panopticlick results, the parameter with the highest entropy for me is browser window size. That (and some other things) can be eliminated by turning off JavaScript. Doing that reduces your anonymity set to those users with JavaScript disabled, but it still makes you less identifiable than giving web sites a unique browser window size. By disabling JavaScript in Tor Browser, I look like 1 in 979 browsers, which is pretty good.

"I'm using a Firefox browser on a bootable USB stick with Ubuntu to avoid leaking information and not leave traces on my machine."

You're using the regular Firefox? You really should be using Tor Browser and not a regular web browser. Read about all the things that Tor Browser protects you against that regular Firefox doesn't:

https://www.torproject.org/projects/torbrowser/design/


Here's a list of patches that make Tor Browser safer than Firefox:

Block Components.interfaces -- In order to reduce fingerprinting, we block access to this interface from content script. Components.interfaces can be used for fingerprinting the platform, OS, and Firefox version, but not much else.

Make Permissions Manager memory only -- This patch exposes a pref 'permissions.memory_only' that properly isolates the permissions manager to memory, which is responsible for all user specified site permissions, as well as stored HSTS policy from visited sites. The pref does successfully clear the permissions manager memory if toggled. It does not need to be set in prefs.js, and can be handled by Torbutton.

Make Intermediate Cert Store memory-only -- The intermediate certificate store records the intermediate SSL certificates the browser has seen to date. Because these intermediate certificates are used by a limited number of domains (and in some cases, only a single domain), the intermediate certificate store can serve as a low-resolution record of browsing history. As an additional design goal, we would like to later alter this patch to allow this information to be cleared from memory. The implementation does not currently allow this.

Add a string-based cacheKey property for domain isolation -- To increase the security of cache isolation and to solve strange and unknown conflicts with OCSP, we had to patch Firefox to provide a cacheDomain cache attribute. We use the url bar FQDN as input to this field.

Block all plugins except flash -- We cannot use the @mozilla.org/extensions/blocklist;1 service, because we actually want to stop plugins from ever entering the browser's process space and/or executing code (for example, AV plugins that collect statistics/analyze URLs, magical toolbars that phone home or "help" the user, Skype buttons that ruin our day, and censorship filters). Hence we rolled our own.

Make content-prefs service memory only -- This patch prevents random URLs from being inserted into content-prefs.sqlite in the profile directory as content prefs change (includes site-zoom and perhaps other site prefs?).

Make Tor Browser exit when not launched from Vidalia -- It turns out that on Windows 7 and later systems, the Taskbar attempts to automatically learn the most frequent apps used by the user, and it recognizes Tor Browser as a separate app from Vidalia. This can cause users to try to launch Tor Browser without Vidalia or a Tor instance running. Worse, the Tor Browser will automatically find their default Firefox profile, and properly connect directly without using Tor. This patch is a simple hack to cause Tor Browser to immediately exit in this case.

Disable SSL Session ID tracking -- This patch is a simple 1-line hack to prevent SSL connections from caching (and then later transmitting) their Session IDs. There was no preference to govern this behavior, so we had to hack it by altering the SSL new connection defaults.

Provide an observer event to close persistent connections -- This patch creates an observer event in the HTTP connection manager to close all keep-alive connections that still happen to be open. This event is emitted by the New Identity button.

Limit Device and System Specific Media Queries -- CSS Media Queries have a fingerprinting capability approaching that of Javascript. This patch causes such Media Queries to evaluate as if the device resolution was equal to the content window resolution.

Limit the number of fonts per document -- Font availability can be queried by CSS and Javascript and is a fingerprinting vector. This patch limits the number of times CSS and Javascript can cause font-family rules to evaluate. Remote @font-face fonts are exempt from the limits imposed by this patch, and remote fonts are given priority over local fonts whenever both appear in the same font-family rule. We do this by explicitly altering the nsRuleNode rule representation itself to remove the local font families before the rule hits the font renderer.

Rebrand Firefox to Tor Browser -- This patch updates our branding in compliance with Mozilla's trademark policy.

Make Download Manager Memory Only -- This patch prevents disk leaks from the download manager. The original behavior is to write the download history to disk and then delete it, even if you disable download history from your Firefox preferences.

Add DDG and StartPage to Omnibox -- This patch adds DuckDuckGo and StartPage to the Search Box, and sets our default search engine to StartPage. We deployed this patch due to excessive Captchas and complete 403 bans from Google.

Make nsICacheService.EvictEntries() Synchronous -- This patch eliminates a race condition with "New Identity". Without it, cache-based Evercookies survive for up to a minute after clearing the cache on some platforms.

Prevent WebSockets DNS Leak -- This patch prevents a DNS leak when using WebSockets. It also prevents other similar types of DNS leaks.

Randomize HTTP pipeline order and depth -- As an experimental defense against Website Traffic Fingerprinting, we patch the standard HTTP pipelining code to randomize the number of requests in a pipeline, as well as their order.

Emit an observer event to filter the Drag and Drop URL list -- This patch allows us to block external Drag and Drop events from Torbutton. We need to block Drag and Drop because Mac OS and Ubuntu both immediately load any URLs they find in your drag buffer before you even drop them (without using your browser's proxy settings, of course). This can lead to proxy bypass during user activity that is as basic as holding down the mouse button for slightly too long while clicking on an image link.

Add mozIThirdPartyUtil.getFirstPartyURI() API -- This patch provides an API that allows us to more easily isolate identifiers to the URL bar domain.

Add canvas image extraction prompt -- This patch prompts the user before returning canvas image data. Canvas image data can be used to create an extremely stable, high-entropy fingerprint based on the unique rendering behavior of video cards, OpenGL behavior, system fonts, and supporting library versions.

Return client window coordinates for mouse events -- This patch causes mouse events to return coordinates relative to the content window instead of the desktop.

Do not expose physical screen info to window.screen -- This patch causes window.screen to return the display resolution size of the content window instead of the desktop resolution size.

Do not expose system colors to CSS or canvas -- This patch prevents CSS and Javascript from discovering your desktop color scheme and/or theme.

Isolate the Image Cache per url bar domain -- This patch prevents cached images from being used to store third party tracking identifiers.

nsIHTTPChannel.redirectTo() API -- This patch provides HTTPS-Everywhere with an API to perform redirections more securely and without addon conflicts.

Isolate DOM Storage to first party URI -- This patch prevents DOM Storage from being used to store third party tracking identifiers.

Remove "This plugin is disabled" barrier -- This patch removes a barrier that was informing users that plugins were disabled and providing them with a link to enable them. We felt this was poor user experience, especially since the barrier was displayed even for sites with dual Flash+HTML5 video players, such as YouTube.
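
Added example (not part of the thread and not any poster's code): the anonymity-set and surprisal arithmetic behind the points made above about disabling cookies, the "1 in 979" figure and the Panopticlick "bits of surprisal", run over a constructed 1000-browser sample. The population, attribute names and function names are assumptions made for illustration.

```python
import math

# Constructed sample population (not measured data): each entry is a set of
# observable browser attributes and how many browsers share it. Total: 1000.
POPULATION = [
    ({"ua": "TorBrowser", "cookies": True, "js": True, "window": "1000x600"}, 600),
    ({"ua": "TorBrowser", "cookies": True, "js": False, "window": None}, 150),
    ({"ua": "TorBrowser", "cookies": False, "js": True, "window": "1000x600"}, 5),
    ({"ua": "Firefox", "cookies": True, "js": True, "window": "1280x683"}, 120),
    ({"ua": "Firefox", "cookies": True, "js": True, "window": "1366x664"}, 124),
    ({"ua": "Firefox", "cookies": False, "js": True, "window": "1279x701"}, 1),
]
CUSTOM_FIREFOX = POPULATION[-1][0]  # hand-tuned Firefox, cookies disabled
TOR_DEFAULT = POPULATION[0][0]      # unmodified Tor Browser


def anonymity_set(pop, **attrs):
    """Number of browsers in pop that match every given attribute value."""
    return sum(n for fp, n in pop if all(fp[k] == v for k, v in attrs.items()))


def surprisal_bits(pop, **attrs):
    """Self-information, in bits, of observing these attribute values."""
    matches = anonymity_set(pop, **attrs)
    if matches == 0:
        raise ValueError("no browser in the sample has these attributes")
    return math.log2(sum(n for _, n in pop) / matches)


def bits_from_one_in(n):
    """Convert a '1 in n browsers' figure into bits of surprisal."""
    return math.log2(n)


def report(pop, fingerprint):
    """Per-attribute bits, joint bits, and anonymity set size for one browser."""
    per_attr = {k: round(surprisal_bits(pop, **{k: v}), 2)
                for k, v in fingerprint.items()}
    joint = round(surprisal_bits(pop, **fingerprint), 2)
    return per_attr, joint, anonymity_set(pop, **fingerprint)


if __name__ == "__main__":
    for name, fp in (("custom Firefox", CUSTOM_FIREFOX), ("Tor default", TOR_DEFAULT)):
        print(name, report(POPULATION, fp))
    print("1 in 979 =", round(bits_from_one_in(979), 2), "bits")
```

In this sample the custom window size alone already carries the full 9.97 bits of the hand-tuned Firefox's fingerprint, while the unmodified Tor Browser shares its fingerprint with 600 others (0.74 bits).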
Title: Re: accessing SR without accepting cookie?
Post by: CHIU on July 07, 2013, 10:28 am
Thanks for the details.

Tor browser gives much better result on the uniqueness test indeed!
Title: Re: accessing SR without accepting cookie?
Post by: CHIU on July 07, 2013, 10:34 am
I have a system that loads Firefox with Vidalia at startup, I got to use that instead of TorBrowser. Bad call.