I am trying with Torbrowser 5.5.5 on MacOS X with javascript activated, and weak privacy settings, and the webpage detects neither that it is TorBrowser nor that it's on MacOS X.
I have also installed uBlock Origin; maybe it is what makes the difference?
Client runs guacamole client, one of the intermediate TOR nodes runs guacamole host. Fingerprinting takes place on intermediate node which is randomly chosen every time client starts up service. End result: Client remains anonymous to these sort of fingerprinting efforts
The downside is TOR, which is not terribly performant because of extra intermediate hops, will be degraded further by guacamole service.
Yes, you're wrong :) It actually opens up this page in the background:
chrome://torbutton/locale/aboutTor.properties
If it exists, you're using Tor. Pretty obvious. For the version, it concats a few variables from `window.navigator', CRCs them, then compares the result against known CRCs. The code[0] is pretty easy to follow. I'm surprised Tor exposes these variables at all.
Isn't that only for Chrome? Tor Browser's based on Firefox eh. I thought XHR wasn't allowed cross-___domain anyways, so shouldn't these things fail? Though I admit having no knowledge of how the addon system works.
Detecting Tor should be easier though, since exit nodes are published. So just check the IP?
I imagine all the variables have to be exposed because sites will break otherwise.
Cue them saying something along the lines of “our goal is to prevent tracing, not fingerprinting”. But I hope they’re hard at work on a fix regardless.
Torbrowser includes patches to Firefox that make it more difficult to fingerprint individual machines, however this is at the expense of making it trivial to identify as Torbrowser when javascript is enabled. It doesn't appear possible to fix.
Also, the requests seem to come from a node exit IP, which are public, so identifying a Tor user is easy.
Tor provides anonymity by giving all its users the same fingerprint. The fact that you're using Tor isn't a secret.
About the Tor version number in window.navigator, I guess they can't easily block it since the browser itself leaks some information via the features added in each release (e.g. a new JS API introduced in Firefox XX).
Strangley, the tor site at one point mentions having javascript enabled by default. As far as I know, that is a no no for anonymous browsing using tor. But it also breaks most sites so there are not many times I actually use it. Even with javascript enabled, I'm sure you can still do a fair bit of anonymous browsing but I just don't trust java or the internet.
Not that it wasn't supposed to, just letting anyone know because its a waste of time for someone else to boot up their VMs just to see it, like I did.