[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #17207 [Tor Browser]: Testing navigator.mimeTypes for known names can reveal info and increase fingerprinting risk
#17207: Testing navigator.mimeTypes for known names can reveal info and increase
fingerprinting risk
-------------------------------------------------+-------------------------
Reporter: TemporaryNick | Owner:
Type: defect | arthuredelstein
Priority: High | Status: closed
Component: Tor Browser | Milestone:
Severity: Major | Version:
Keywords: tbb-fingerprinting, | Resolution: fixed
TorBrowserTeam201510R | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------------------------------+-------------------------
Comment (by arthuredelstein):
Replying to [comment:18 gk]:
> This looks okay to me and I merged cherry-picked the commits onto tor-
browser-38.3.0esr-5.5-2. One question: Is there any reason why you did not
add ` ||ResistFingerprinting()` to any `!AllowPlugins()`? I guess only
those where you added them are fingerprinting relevant? I wonder if that
is going to lead into some confusion though: there may be things doable
with plugins if you have fingerprinting defenses enabled (and are allowing
plugins) and other things only if you have them disabled. Or are there no
such things? I know there are a bunch of users that (need to?) enable
Flash but maybe we just don't care about them too much here.
I only added ` ||ResistFingerprinting()` to places where information is
exposed through the content web APIs. I believe the other functions are
only called by Chrome code, so ResistFingerprinting() would always return
false.
I think the scope of this ticket is not to disable plugins, but merely to
prevent their detection through navigator.plugins. It is in principle
still possible to detect plugins by including several of them in a page --
but if we enforce click-to-play, then this is not really a practical
attack, I think.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17207#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs