Silk Road forums
Discussion => Security => Topic started by: anonymous3210 on January 10, 2013, 01:25 am
-
about e tags:
Websites may mark arbitrary pages on page load. Thereby, so-called e-tags are used. As long as the respective site remains in your browser cache, the mark is sent on any new request to the website again.
This is especially critical if the elements in the cache are ressources from third-party sites. This data has the same effect as third party cookies.
This is what it said about me:
Recommended: Your browser should not cache any third party content at all, or should at least delete them upon moving to another site.
Firefox: Use JonDoFox. Alternatively, you may switch off the cache completely: about:config, browser.cache.disk.enable:false, browser.cache.memory.enable:false
-
ip-check.info is by far the most indepth of any anonymity tester i've used...
-
You can disable memory cache, but I strongly recommend against it. It can severely impact your browsing.
The only thing e-tags can do is link you between sites or exit nodes. They can't identify you (unless you're using your real identity over Tor on one of those sites, which is stupid).
However, if you still want to do it, type about:config in the URL bar and click through the warning.
type in: browser.cache.memory.enable
and double click it so it says false.
-
I have this disabled and experience no issues. I don't visit a wide range of sites though.
-
You can disable memory cache, but I strongly recommend against it. It can severely impact your browsing.
The only thing e-tags can do is link you between sites or exit nodes. They can't identify you (unless you're using your real identity over Tor on one of those sites, which is stupid).
However, if you still want to do it, type about:config in the URL bar and click through the warning.
type in: browser.cache.memory.enable
and double click it so it says false.
can't identify me unless i'm using my real identity over tor? what do you mean by real identity? i just load up tor and browse lol
-
If you were to login to your credit union account or pay your cable bill through Tor you would no longer be anon. That's what he means.
-
^^ This. Or Facebook, or any web site that you previously logged into over clearnet.
-
worst i've ever done is open a instawallet on a couple occassions in the clearnet...for some reason instawallet doesn't always load in tor. i'm assuming i'm okay as the feds haven't knocked down my door...but i only use tor for sr and sr related activities...and i'm more careful than ever now
-
I noticed this earlier today myself, actually... I didn't think there was a way to disable e-tags completely. Are you sure that setting doesn't just control whether the page is cached in system memory (RAM), Astor? I mean it *also* disables e-tags altogether?
-
Well, the purpose of an e-tag is to check if you have cached a specific resource, so by disabling all caching you prevent that attack.
e-tags can potentially link your activity between different web sites, but they (alone) can't deanonymize you.
The Tor developers sometimes have to make trade offs between security and usability. Turning off JavaScript by default would be safer but it would also break half the web. Most people wouldn't know what was going on or how to fix it, they would just think that TorBrowser is shitty software and stop using it. The Tor devs decided that it's better for people to use Tor with JavaScript than no Tor at all.
e-tags are the same way. The Tor devs believe that the linkability threat is minimal compared to the potential breakage of turing off memory cache.
-
So I checked, and yeah, the etag value is no longer being sent back to the site after disabling that option. The site still sends it, but the browser doesn't respond with it, so it's effectively disabled completely. Cool; good to know.
-
Thanks for this useful information.
I've also read about browser fingerprinting - whereby you can be identified by having settings in your browser different from other people. I was going to do a whole lot of config mods to speed up Tor browser, but then read that this a bad idea because of the fingerprinting issue. Seems this could have a similar effect?
In fact I saw a post from one of the Tor devs somewhere suggesting to not modify Tor at all from the standard release for these reasons. Would appreciate further comments from you all on this...
Thanks
BG
-
I don't think it's anything to worry about. But I'm not a Tor developer, keep in mind. They know about this better than I do, presumably. But in my mind, really the biggest problem is an add-on or extension having bugs that could be exploited to expose your real IP address. Other than that, there's very little information that can be gathered from them. Basically the only info available to a site is what's either sent in a header or explicitly requested, and there's no good reason for an extension or add-on to allow a web site to get even *more* information than the browser already is designed to give on demand.
-
I'm probably the least computer literate in this thread, so forgive my simpleness.
Doesn't clicking the "S" next to the onion making "Scripts Currently Forbidden" - keep the "bad shit" of Java and others, at bay?
Peace
jagfug
-
nice reading.
-
Nothing to forgive, jagfug -- nobody can know everything :) Actually, the Tor browser comes pre-configured to block Java and certain other high-risk functions of the browser. Also, for some reason... when I changed that setting, the next time I started the browser... it had changed itself back. I may have not let it shut down properly (as in crashed the program by not quitting before I rebooted or something), but if it happened to me, it could happen to anybody and you may want to double-check if you really want this disabled.
-
i disabled the e tag's completely, but when it try to sign into tormail here or sr it just resets the login page when i click submit. i guess stuff needs to b cached?
-
I don't touch Tor settings other than the "Forbid Scripts"
I DO however use a cache cleaning program, set on an "aggressive" mode. Take's any and all traces of Tor away. In fact I had to dial it back a bit, because I'd lost the ability to connect to Tor, so I deleted anything with "tor" in the name, deleted Firefox, etc, and did a clean install.
Seems to work for me.
Also I rarely have the "slowdowns" that other people talk about sometimes.
Peace
jagfug
-
i disabled the e tag's completely, but when it try to sign into tormail here or sr it just resets the login page when i click submit. i guess stuff needs to b cached?
This is what I was talking about. I haven't experimented with disabling memory cache myself, but I've seen enough people warning against it.
The Tor devs don't want to break the web browsing experience, especially for people who won't understand what's wrong or how to fix it, so allowing JavaScript and memory cache is a necessary evil.