
Re: browser fingerprinting - panopticlick



Thus spake 7v5w7go9ub0o (7v5w7go9ub0o@xxxxxxxxx):

> >> After all, in normal operation, your history leaks one fuckload of
> >> a lot of bits. And that's a technical term. Sensitive ones too,
> >> like what diseases and genetic conditions you may have (via Google
> >> Health url history, or Wikipedia url history). It's pretty annoying
> >> that the browser makers really have no plan to do anything about
> >> that massive privacy leak.
> > 
> > Isn't there any way to protect against that without using
> > Tor/Torbutton? I think there was a SafeHistory add-on, but it's still
> > not been ported to FF 3.0+.
> 
> IIUC, SafeHistory (with other stuff) has been incorporated into Torbutton.

That's not 100% correct. A superset of SafeHistory and SafeCache's
protections are in Torbutton in that Torbutton does not allow ANY
visited links to be displayed as visited and it clears the cache on
every toggle, and by default allows only memory caching.

However, SafeHistory and SafeCache were more intelligent in how they
operated for normal browsing. They used "same origin policy" rules
(http://en.wikipedia.org/wiki/Same_origin_policy) for deciding when to
display links as visited and when to allow caching for certain page
elements. The idea was to prevent elements from doubleclick.net and
other randomly sourced domains from determining arbitrarily which
sites you visited, and from storing cross-domain unique identifiers
(of course now there's DOM storage for that...).

The reason why Torbutton didn't opt for the same origin policy method
is because Tor exit nodes can impersonate any non-https origin they
choose, and query your history or store global cache identifiers that
way. It was basically all or nothing for us.

But yes, it would be nice if Collin Jackson and company kept
SafeHistory and SafeCache updated for regular users. Sadly they seem
to have forgotten about it. I wonder if anyone will make a fork and
update it.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
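
Added example, not part of the original message and not SafeHistory's or Torbutton's code: a simplified model of the same-origin visited-link rule described above, showing why it holds against a third-party origin but not when an unauthenticated (non-https) origin can be supplied by the network path. The policy rule, function names and sample history are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not SafeHistory's or Torbutton's code.
// HISTORY is constructed sample data: visited URL -> origins of the pages it was reached from.
const HISTORY = new Map([
  ["http://news.example/story",        new Set(["http://news.example"])],
  ["https://health.example/condition", new Set(["http://news.example"])],
  ["https://bank.example/login",       new Set(["https://bank.example"])],
]);

const originOf = (url) => new URL(url).origin;

// Assumed same-origin rule: a page sees a link as visited only when the link
// is on the page's own origin or the visit was made from the page's origin.
function sameOriginPolicy(history, pageUrl, linkUrl) {
  const from = history.get(linkUrl);
  if (!from) return false;
  const page = originOf(pageUrl);
  return originOf(linkUrl) === page || from.has(page);
}

// All-or-nothing rule described for Torbutton: no link is ever shown as visited.
function noVisitedPolicy() {
  return false;
}

// Links a page at pageUrl could observe as visited under a given policy.
function visibleTo(history, pageUrl, policy) {
  return [...history.keys()].filter((link) => policy(history, pageUrl, link));
}

// An origin is only as trustworthy as its transport: plain http content can be
// supplied by anyone on the network path, so the origin check proves nothing.
function originIsAuthenticated(pageUrl) {
  return new URL(pageUrl).protocol === "https:";
}

// History exposed through origins that the network path can speak for.
function exposedViaUnauthenticatedOrigins(history, policy) {
  const pages = new Set();
  for (const from of history.values()) for (const o of from) pages.add(o + "/");
  const leaked = new Set();
  for (const page of pages) {
    if (originIsAuthenticated(page)) continue;
    for (const link of visibleTo(history, page, policy)) leaked.add(link);
  }
  return [...leaked].sort();
}
```

In this model an unrelated origin such as `http://tracker.example/` learns nothing under the same-origin rule, while the two links reached from the plain-http origin remain observable to whoever can answer for that origin; the all-or-nothing rule exposes none.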
