[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #30436 [Applications/Tor Browser]: Visit duration tracking possible in TorBrowser using a favicon which downloads from a server using a connection that's never closed



#30436: Visit duration tracking possible in TorBrowser using a favicon which
downloads from a server using a connection that's never closed
--------------------------------------+-----------------------------------
 Reporter:  ehsan.akhgari@…           |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------
Changes (by gk):

 * status:  new => needs_information
 * owner:  (none) => tbb-team
 * component:  - Select a component => Applications/Tor Browser


Comment:

 So, right now I wonder what we should do here and what the threat is. It
 does seem to me that this technique is a problem for cross-origin tracking
 with identifiers which we try to defend with First Party Isolation
 against. But it does not seem to be a fingerprinting technique either.

 Moreover, what's the threat here? A malicious first party domain a user is
 interacting with. What would it gain by measuring the page visit time with
 that technique? How would it single out me be it either during a
 particular session of across sessions with _just_ the scenario described
 in the links in your description (however, I admit this is a neat idea :)
 ).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30436#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs