[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Evercookies / supercookies tracking & No Script whitelisting tracking sites
Great questions. I was also wondering how these claims on the New Identity
button works in this case.
If it is the case, which it may be, this seems to or would seem to exceed
my expectations just as it may yours.
On Monday, May 14, 2012, Joe Btfsplk wrote:
> On 5/14/2012 1:56 PM, Mike Perry wrote:
>> The short answer is "Yes, we've looked into it. New Identity removes
>> The long answer is
>> The footnote is "Please help us test this shit in new releases. We just
>> had a race condition on the cache that allowed cache cookies to persist
>> for up to a minute after clicking New Identity (though they did go away
>> after that)."
> How, pray tell, does clicking New Identity remove evercookies from 12 - 15
> possible locations? The cache isn't the only place evercookies can be
> stored. How does it remove ANY cookies at all? Does that necessarily
> clear LSOs, clear different locations HTML5 data can be stored - like
> delete webappstore.sqlite - (even if you've not viewed HTML5 media, the
> cookies can still be place there), or all other known locations evercookies
> can be placed (so far)? I never heard or read that feature when using New
> Identity. Was I absent that day or were we waiting for just the right time
> for a big announcement?
>> Thus spake Joe Btfsplk (joebtfsplk@xxxxxxx):
>> The most recent versions of TBB& No Script's default settings under
>>> Advanced>External filters, is not to block hulu.com, .youtube.com.
>>> The content type (I think) refers to shockwave|futuresplash. How -
>>> OR IF - No Script's blocking ability of "evercookies" w/ its
>>> settings as it ships w/ TBB& sites like * Hulu * that (at least in
>>> recent past) were * confirmed * by several privacy investigation
>>> projects to be using evercookie / Kissmetrics.com tracking cookie
>>> technology. These cookies are NOT blocked by disabling all cookies
>>> / all 3rd party cookies in Firefox. Even if they were, TBB ships w/
>>> allow all cookies enabled.
>>> One of the many ways / places (up to 12 - 15) that the js loaded
>>> evercookies can be placed is as an LSO / flash cookie. There are
>>> many other traditional& non traditional places these cookies are
>>> stored. AFAICT from reading research, these cookies CAN transmit
>>> data that could compromise Tor users' anonymity - as they certainly
>>> can in Firefox. They are also very difficult to del& "stay"
>>> deleted (thus, sometimes called Zombie cookies). Deleting cookies
>>> by "normal" means does NOT delete them.
>>> Numerous research reports that I've read say one of the only ways to
>>> block these is disable js for most sites (as in, using No Script),
>>> but that supposedly makes users more susceptible to fingerprinting,
>>> by only allowing certain sites to load js content. Yet Hulu was one
>>> of the worst offenders for using evercookies (I don't use Hulu,
>>> BTW), but is whitelisted in NoScript.
>>> Have Tor devs looked into THESE special types of cookies& if they
>>> potentially compromising anonymity or even increasing chances of
>>> fingerprinting, due to information they transmit about every site
>>> you visit?
>>> tor-talk mailing list
>> tor-talk mailing list
> tor-talk mailing list
tor-talk mailing list