1

If I run the Tor Browser with onion routing disabled at home, obviously my real IP address is sent to the Web servers I'm connecting to, and Web servers and various third parties can make a decent guess that I'm the same person who's going to different sites because it's the same IP address.

Now, if I clear all my cookies and local storage, go to a friend's place, which has a different IP address, does the rest of Tor's privacy measures make sure that Web servers have no way of fingerprinting my browser as the same one I was using at home, or are there particular measures I must perform to identify as a different user? (Assume I'm browsing casually with no logins, etc.)

I assume the "New identity/circuit" functionality only applies to onion routing, so that would not be a relevant way to appear as a different user in this case because I've disabled the proxy functionality.

forthrin
  • 1,751
  • 1
  • 13
  • 21
  • There are ways to identify you as the user even if you are using the onion routing. That is by correlating stuff like your monitor size, mouse movements, schedules of use, etc. And the fact that not all traffic(incoming and outgoing) is routed throught the onion nodes if not configured properlly, which could be giving outrageous data off the wire and could be correlated. – dmb Feb 13 '19 at 19:38
  • The way I understand it, Tor blocks scripts from asking questions that can be used for fingerprinting. I assume monitor size and mouse position is part of that. Schedules of use would be an issue, though. However, the question is what I specifically can do to appear as a different user. If you know specific measures, post an answer. – forthrin Feb 13 '19 at 19:49
  • AFAIK the best thing you could do is to use a OS like TAILS or Whonix, a let config as it is from the get go, sadly is not enough for an answer. You should check the answer [here](https://security.stackexchange.com/questions/147402/how-do-traffic-correlation-attacks-against-tor-users-work) and also [this](https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-gregory_fleischer-attacking_tor.pdf) talks about the application vulnerable. – dmb Feb 13 '19 at 20:06
  • 1
    @dmb Fingerprinting mouse position (this is called input biometrics) and the like are partially mitigated by using reduced-resolution timers. And unfortunately window size cannot be hidden currently, which is why you should not resize the browser. – forest Feb 14 '19 at 11:14

1 Answers1

1

If you do not use Tor with Tor Browser, then you will be one of the very few people who have the generally homogenous fingerprint of that browser, but without Tor. While simply restarting the browser is sufficient to destroy all traditional persistent fingerprinting vectors (cookies and "supercookies" and the like), the fact is that you will still likely be the only user a website ever sees which is using Tor Browser without Tor.

Tor Browser can only provide you with anonymity if you have a large anonymity set. That is, everything about your connection applies to millions of other people. Changing any one thing, whether it's the use of your friend's IP instead of Tor or the addition of new browser addons, will reduce the anonymity set considerably and will make you far easier to identify across different sessions. Do not disable Tor.

The New Identity button is functionally equivalent to closing and opening the browser.

forest
  • 65,613
  • 20
  • 208
  • 262