Maybe the better option is to use 3 chained VPNs from different providers? (One on a VPN router, the second on the host operating system, and the third on the guest operating system).
While the EFF website is good for some basic education, don’t mistake it for a comprehensive tool that compares to the actual capabilities of tracking companies.
And chaining VPNs as an alternative to Tor? I guess depending on your threat model it could be an alternative for someone, but talking about a general case then no, these two things just aren’t alike. (Any decent OS will allow you to chain any number of VPN connections without the workarounds you mentioned btw.)
Last thing I want to say on the actual topic of this thread: If you ever find yourself in a similar argument with literally Tor developers, take a step back and consider that there might be some things that you don’t yet have a full picture understanding of… nuff said.
1 Like
I’d rather remotely connect to a rented server so i don’t have to worry about vm escape vulnerabilities.
1 Like
(Any decent OS will allow you to chain any number of VPN connections without the workarounds you mentioned btw.)
May I ask how to chain VPNs on, for example, Windows? The only way I know is to use a virtual machine.
Thanks, Jonah. Sam Bent gave a good reply to the TorProject on his recent video.
Sorry, but I only know about Linux. GL-iNet makes VPN routers. That would be the first VPN. Then the host OS would be yoour second VPN. Then launch the virtual machine, and that would be the third VPN.
Thanks for the explanation, Nahme.
Any chance that this feature could be re-enabled for safest, as it does worsen privacy with javascript disabled?
“any decent OS” is what I said so no idea about Windows. In Linux what I would do is just use multiple network namespaces and chain them, can run Wireguard in each of them.
I watched both of his recent videos on Tor and Sam Bent gets plenty of technical info wrong and makes plenty of terrible suggestions. I didn’t remember him suggesting to roll back the Tor Browser but if he actually did, that should be the nail in the coffin for his reputation regarding anything related to cybersecurity. Definitely don’t take his advice or commentary on it seriously. It’s best he stick to covering DNM news.
I’ve searched. I don’t think it’s possible to detect the operating system using pure CSS only. Please show how that’s possible.
First google result. There are quite a few things one a can do with CSS.
There’s also GitHub - OliverBrotchie/CSS-Fingerprint: Pure CSS device fingerprinting. which is similar operating system detection based on fonts.
But this not applicable to Tor Browser because Tor Browser normalizes fonts. It ships its own limited list of fonts. It doesn’t use operating system fonts.
In conclusion, CSS based OS detection against Tor Browser won’t work.
“This one specfic method does not work, therefor I can write off and entire class of bugs.” Oh how I wish it was that simple.
P.s., do not move goal posts, you were talking about whether its possible at all, not just for tor browser.
1 Like
Overall, out of the 1176 combinations in our evaluation, we can distinguish 1152 of them (i.e., 97.95%). The combination of our novel techniques can generally distinguish all operating systems included in our evaluation, including the Tor browser with NoScript, both configured to the highest security level.
Interesting paper I found. Seems CSS fingerprinting is very much a thing and it can differentiate between operating systems and not just through installed fonts. I reckon the only reason it’s not more developed by now is that most people (including Tor browser users) have JavaScript enabled and that’s a goldmine of fingerprinting.
This discussion isn’t happening without context. The context was operating system spoofing removal for Tor Browser.
I wasn’t aware there’s a class of attacks.
Thank you.
So there’s fonts which Tor Browser mitigates and the paper helped to fix related bug in Tor Browser.
And there’s CSS calc to detect the operating system. Here’s their proof of concept that I haven’t tried.
I’d hope these bugs could be fixed instead of giving up on OS spoofing entirely.
18 posts were merged into an existing topic: Accuracy of Sam Bent video criticizing TOR (and PrivacyGuides) on HTTP Header OS spoofing removal?