[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Evercookies / supercookies tracking & No Script whitelisting tracking sites

The most recent versions of TBB & No Script's default settings under Advanced>External filters, is not to block hulu.com, .youtube.com. The content type (I think) refers to shockwave|futuresplash. How - OR IF - No Script's blocking ability of "evercookies" w/ its settings as it ships w/ TBB & sites like * Hulu * that (at least in recent past) were * confirmed * by several privacy investigation projects to be using evercookie / Kissmetrics.com tracking cookie technology. These cookies are NOT blocked by disabling all cookies / all 3rd party cookies in Firefox. Even if they were, TBB ships w/ allow all cookies enabled.

One of the many ways / places (up to 12 - 15) that the js loaded evercookies can be placed is as an LSO / flash cookie. There are many other traditional & non traditional places these cookies are stored. AFAICT from reading research, these cookies CAN transmit data that could compromise Tor users' anonymity - as they certainly can in Firefox. They are also very difficult to del & "stay" deleted (thus, sometimes called Zombie cookies). Deleting cookies by "normal" means does NOT delete them.

Numerous research reports that I've read say one of the only ways to block these is disable js for most sites (as in, using No Script), but that supposedly makes users more susceptible to fingerprinting, by only allowing certain sites to load js content. Yet Hulu was one of the worst offenders for using evercookies (I don't use Hulu, BTW), but is whitelisted in NoScript.

Have Tor devs looked into THESE special types of cookies & if they potentially compromising anonymity or even increasing chances of fingerprinting, due to information they transmit about every site you visit?
tor-talk mailing list