[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #19417 [Applications/Tor Browser]: asm.js files should be no linkability risk



#19417: asm.js files should be no linkability risk
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  assigned
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-linkability, GeorgKoppen201609,  |  Actual Points:
  ff68-esr, TorBrowserTeam201909                 |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:40 acat]:
 > I do not see any asm.js cache, disk or in-memory.
 >
 > It's not a strong proof, but I did a quick test with
 https://kripken.github.io/Massive/ (there are console logs with asm.js
 compilation time). Testing with Firefox 64, where caching was still
 enabled, shows that for cached asm.js loading time is much faster (like
 50ms vs 1000ms). In 68 there is no difference in times, either in PBM or
 "persisting" mode.
 >
 > Regarding comment:32, if the disk leak was solved (in
 https://bugzilla.mozilla.org/show_bug.cgi?id=1047105), what were the FPI
 concerns back then? Was there an in-memory cache that did not respect FPI?

 Well, it was not really solved as you would get the problem again when not
 being in PBM. If there is no in-memory cache (anymore), good. So asm.js
 files are just loaded on the fly and executed? If there is no storage
 involved and no identifier read-back/extraction over domains, great. Then
 we are done with the FPI concern. If we enable it again we should make
 sure it's disabled on safer and safest levels, though, I think (as it was
 before).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19417#comment:41>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs