CreepJS is interesting. It has a consistent fingerprint on Tor desktop for Linux in Safer mode, 483f464b, but I have no way of testing if it will have a different fingerprint on other Tor desktop browsers on Linux. If anyone feels like trying it out, that could be an interesting experiment, but perhaps that strafes away too far from the original topic of this thread
1 Like
It certainly is an interesting yet slightly frightening discussion, I was hoping to mainly get an understanding of the Android variant but anything that goes towards strengthening Tor is welcome, I just ask that developers overseeing this thread take into consideration how things could be changed or improved for Tor as a whole, as in all variants across all platforms. I don’t think I’m wrong in saying that development of desktop has taken priority over mobile. It may perhaps be more difficult to implement the changes in Android but Tor have faced countless difficulties and continued on, hopefully it’s the same here.
I would like to ask how viewable our IDs are and who precisely can see them, if you connect to a .onion site you pass through six hops but does this mean all 6 see the ID or just the entry node?
A lot of people (myself included) will only run Tor in Safest mode meaning JavaScript is fully blocked off, in safer mode I think some of these test sites are getting identifier information through the allowed JavaScript. It would be a big advantage (and reassurance) to many if testing was to be done in Safer and then again after closing and reopening in Safest mode. I went back to poke at the Brave test sites in Tor on Safest and it wouldn’t even display anything because the whole interface relied upon JavaScript. I don’t know if that mean they get nothing or they do get it but just can’t show it.
The ultimate test would be trying all this on an .onion site designed for such things, we know what we see but none of us have any idea what the owner is getting.
Since you need probes and specific codes to get this information a genuine privacy respecting onion owner would never be attempting to get this information in the first place. Problem is we don’t know if they’re genuine and even if they are the onion could get hijacked or stolen by nefarious actors.
A minefield it is.
I assume, that your test has been before the Tor browser 11 update? You can also look at the signature. If there is a signature you didn’t set, then someone else shares the same ID as you. If there is no signature present, you can insert one, so others can realize that too. Or you visit CreepJS every few days and look whether your ID has changed (so different fingerprint on revisit) or the visits counter increased more than one (others share the same fingerprint).
Tor Browser 11 has not yet reached Android for unknown and unexplained reasons