Hi,
This answer might pop up late now that #8665 is in Ready for QA state,
still it might bring new questions. Sorry for that.
On Fri, Jan 23, 2015 at 12:49:10AM +0100, intrigeri wrote:
> mercedes508 wrote (22 Jan 2015 17:54:53 GMT) :
> > And I'm wondering how important the fingerrint issue is, considering
> > how easy it is to change it (e.g. by enlarging the browser window),
>
> I'm more concerned about behavioral differences (compared to the Tor
> Browser) that we ship by default (XXX: we haven't summed up what they
> were recently, by the way), than about bits of fingerprinting
> information that every Tor Browser user, be it upstream or within
> Tails, can individually choose to leak.
>
> I'm tempted to propose that on this topic, just like for resizing the
> browser:
>
> * we provide safer defaults;
> * we let users manually opt-in if they want to block ads and diverge
> from the Tor Browser anonymity set.
> (Of course the current behaviour for resizing the window is not a good
> implementation of opting-in to diverge, as the security consequences
> of this action are completely non-obvious to the user. There are
> tickets in the right place about asking for a confirmation in this
> case, I think.)
>
> [And I'm starting to wonder if this wouldn't be better to put that
> in the upcoming Tor Browser's "security slider". At first glance:
Then if we go for safer defaults, I agree Ad Block+ would be more close to
NoScript in term in UX and fingerprinting.
We could integrate Ad Block+ the same way: installed but disabled by
default.
That sure would be something to discuss further with the TorBrowser
people.
We could help them to upstream our Ad Block+ rules update process.
Shall we engage a discussion about this? That's
https://trac.torproject.org/projects/tor/ticket/9387
> "block ads, not JS" < "block neither ads nor JS" < "block JS, not ads"
> (default)
>
> but once you block JS, your fingerprint is so much different anyway
> that blocking ads on top don't make a big difference, so possibly this
> would be better, although awkward and then perhaps confusing for
> users:
>
> "block ads, not JS" < "block neither ads nor JS" < "block JS and ads"
>
> Food for thought.]
I'm not even sure we need to decouple both, but why not. It might be hard
to fit in the TorLauncher slider though if we want to push this forward.
Bert.