The short answer is "Yes, we've looked into it. New Identity removes evercookies." The long answer is https://www.torproject.org/projects/torbrowser/design/#new-identity and https://www.torproject.org/projects/torbrowser/design/#identifier-linkability The footnote is "Please help us test this shit in new releases. We just had a race condition on the cache that allowed cache cookies to persist for up to a minute after clicking New Identity (though they did go away after that)." https://trac.torproject.org/projects/tor/ticket/3846 https://trac.torproject.org/projects/tor/ticket/5715 Thus spake Joe Btfsplk (joebtfsplk@xxxxxxx): > The most recent versions of TBB & No Script's default settings under > Advanced>External filters, is not to block hulu.com, .youtube.com. > The content type (I think) refers to shockwave|futuresplash. How - > OR IF - No Script's blocking ability of "evercookies" w/ its > settings as it ships w/ TBB & sites like * Hulu * that (at least in > recent past) were * confirmed * by several privacy investigation > projects to be using evercookie / Kissmetrics.com tracking cookie > technology. These cookies are NOT blocked by disabling all cookies > / all 3rd party cookies in Firefox. Even if they were, TBB ships w/ > allow all cookies enabled. > > One of the many ways / places (up to 12 - 15) that the js loaded > evercookies can be placed is as an LSO / flash cookie. There are > many other traditional & non traditional places these cookies are > stored. AFAICT from reading research, these cookies CAN transmit > data that could compromise Tor users' anonymity - as they certainly > can in Firefox. They are also very difficult to del & "stay" > deleted (thus, sometimes called Zombie cookies). Deleting cookies > by "normal" means does NOT delete them. > > Numerous research reports that I've read say one of the only ways to > block these is disable js for most sites (as in, using No Script), > but that supposedly makes users more susceptible to fingerprinting, > by only allowing certain sites to load js content. Yet Hulu was one > of the worst offenders for using evercookies (I don't use Hulu, > BTW), but is whitelisted in NoScript. > > Have Tor devs looked into THESE special types of cookies & if they > potentially compromising anonymity or even increasing chances of > fingerprinting, due to information they transmit about every site > you visit? > _______________________________________________ > tor-talk mailing list > tor-talk@xxxxxxxxxxxxxxxxxxxx > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- Mike Perry
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk