> (Many users think that Tor makes them anonymous. But Tor users can be tracked online; they are not anonymous.)
Being tracked and anonymous feel like two distinct issues. If you were to only see a hash of my username, you could track me, but you couldn't identify me with it. Definitely something you'd want Tor to stop, but I think that's pretty important.
The other vulnerability is that websites can identify that a user is using Tor. My understanding is that this has always been fairly trivial?
It feels like the real 'story' here is that the Tor Project hasn't been grooming their bug bounty program, and so there may be more serious bugs lurking.
> If you were to only see a hash of my username, you could track me, but you couldn't identify me with it.
Pseudonymous is the word for that sort of "tracking". Tracking just means being tracked, no matter if they use the real name or a hash of it or fingerprinting/metadata like IP + user agent string + installed fonts.
Yeah, that's my point. Anonymity to me implies that you cannot determine my true identity. That property still holds here. What doesn't hold is that you cannot determine that I am the same person in multiple locations - a very significant issue, but a much less serious one.
One feeds into the other strongly, though. The odds of an adversary de-anonymizing you go up the more activity the adversary can see. Also, we should look at your anonymity on a per-site/session basis, and if de-anonymization on one site breaks your anonymity on other sites, that is bad.
> If you can be traced across the web, then your real name can now be attached to all your activity.
But that's not how Tor works. It's not like a VPN where all your traffic comes out of one node. So even if you logged into Facebook using Tor Browser, it won't be able to correlate your other Tor browsing activities. Even third-party cookies won't work because Tor Browser has third-party isolation enabled.
> > If you can be traced across the web, then your real name can now be attached to all your activity.
> But that's not how Tor works. It's not like a VPN where all your traffic comes out of one node. So even if you logged into Facebook using Tor Browser, it won't be able to correlate your other Tor browsing activities. Even third-party cookies won't work because Tor Browser has third-party isolation enabled.
Except that the OP discussed a technique that exposed an attribute of the user's setup that (when combined with other such techniques) allows unique (albeit pseudonymous) identification of the user across requests and sessions (this is called fingerprinting). Add in correlation of the pseud identifier with a real-world identity via use of FB, and the user would be totally hosed.
One example would be to join groups that you don't want associated with your IRL identity. Another would be as part of a phish test while doing a pentest against an organization you're working for.