Re: [tor-bugs] #12715 [Tor Browser]: Treat fingerprinting fixes like other security fixes: trigger TBB release
#12715: Treat fingerprinting fixes like other security fixes: trigger TBB release
-----------------------------+--------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: task | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: tbb-fingerprinting
Actual Points: | Parent ID:
Points: |
-----------------------------+--------------------------------
Comment (by cypherpunks):
Fair enough, but it can be labor intensive to find out how much entropy is
leaked. For example, does #9881 give you
- "Only" the screen size?
- Clues about the OS / desktop environment / window manager (not all allow
oversized windows)?
- The OS / desktop environment toolbar size?
Evaluating a bug's severity would involve writing a custom-tailored,
robust to the point of almost being weaponized, fingerprinter. Assuming
that TBB development had the manpower to do that, then after even more
days spent on that we find out that it really is serious. Oops...
I feel like the question "Does this fingerprinting bug ''really'' have
high entropy?" is analogous to "Does this free-after-use or whatever
''really'' give someone remote code execution?" in that it may usually be
more realistic to just assume "yes" and start the release build.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12715#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs