
Re: [tor-talk] noscript on youtube



> When trying to login to Youtube from TBB, NoScript blocks a bunch of 
> stuff seemingly related to fonts (see screenshot at 
> https://postimg.org/image/c0sfrf2kh/41fa1875/ ), and I cannot proceed 
> (the Sign In button doesn't work).  Otherwise Youtube works fine with 
> HTML5 videos.
> The website's font ought not matter when trying to login.  Is there a 
> TBB exploit related to fonts and javascript that would deanonymize 
> users?  Why else would Google require a browser to get code from 
> fonts.gstatic.com?
> -- 
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

The CSS @font-face rule that is being blocked by NoScript can be used to fingerprint you; specifically, it can be used to detect what fonts you have installed.
How this works is that you define a set of fonts and tell the client "if you need to use these fonts but don't have them you can download them from me". The client then requests the fonts it doesn't have. From this the server knows what fonts the client doesn't have and, by process of elimination, what fonts it does have.

This can be done with zero JavaScript and only CSS.

You can see this test in action on http://browserprint.info/
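
The elimination step described in the reply above, as an added example that is not part of the original post or of browserprint.info's code. It shows what a server's access log reveals about installed fonts and why a client that blocks @font-face looks the same as every other blocking client. The candidate font list, the `/font-probe` path, the client labels and the log lines are all constructed for illustration.

```javascript
// Added example: CSS-only font probing seen from the server's access log.
// CANDIDATES, the /font-probe path and SAMPLE_LOG are constructed, not real data.
const CANDIDATES = ["Arial", "Calibri", "Helvetica Neue", "Ubuntu", "Noto Sans"];

// One @font-face rule per candidate. The browser tries local() first and only
// fetches the url() fallback when the named font is NOT installed. A face is
// loaded only when used, so the page also needs an element with each class.
function buildProbeCss(candidates) {
  return candidates.map((name, i) => {
    const url = `/font-probe?f=${encodeURIComponent(name)}`;
    return `@font-face { font-family: "probe${i}"; src: local("${name}"), url("${url}"); }\n` +
           `.probe${i} { font-family: "probe${i}"; }`;
  }).join("\n");
}

// Process of elimination: every candidate the client fetched is missing on the
// client; every candidate it did not fetch is presumed installed.
function inferFonts(candidates, logLines, clientId) {
  const requested = new Set();
  for (const line of logLines) {
    const m = line.match(/^(\S+) "GET (\S+) HTTP\/[\d.]+"/);
    if (!m || m[1] !== clientId) continue;
    const u = new URL(m[2], "http://probe.invalid");
    if (u.pathname === "/font-probe" && u.searchParams.has("f")) {
      requested.add(u.searchParams.get("f"));
    }
  }
  return {
    missing: candidates.filter((f) => requested.has(f)),
    installed: candidates.filter((f) => !requested.has(f)),
    // Zero probe requests means either "has every font" or "blocks @font-face"
    // (as NoScript does here); the server cannot tell these apart.
    ambiguous: requested.size === 0,
  };
}

// Constructed log: clientA loads web fonts, clientB blocks them.
const SAMPLE_LOG = [
  'clientA "GET /index.html HTTP/1.1" 200',
  'clientA "GET /font-probe?f=Calibri HTTP/1.1" 200',
  'clientA "GET /font-probe?f=Helvetica%20Neue HTTP/1.1" 200',
  'clientB "GET /index.html HTTP/1.1" 200',
];

console.log(buildProbeCss(CANDIDATES));
console.log(inferFonts(CANDIDATES, SAMPLE_LOG, "clientA"));
console.log(inferFonts(CANDIDATES, SAMPLE_LOG, "clientB"));
```

For the blocking client the result carries no per-user signal: the empty request set is identical for everyone running the same blocker.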