
Re: [tor-talk] Evercookies / supercookies tracking & No Script whitelisting tracking sites



Let's continue speculating instead of reading any documentation.
That's totally a productive use of everyone's time.

https://www.torproject.org/projects/torbrowser/design/#new-identity
https://www.torproject.org/projects/torbrowser/design/#identifier-linkability

Thus spake Matthew Kaufman (mkfmncom@xxxxxxxxx):

> Hi Joe,
> 
> Great questions.  I was also wondering how these claims on the New Identity
> button work in this case.
> 
> If it is the case, which it may be, this seems to or would seem to exceed
> my expectations just as it may yours.
> 
> 
> 
> On Monday, May 14, 2012, Joe Btfsplk wrote:
> 
> > On 5/14/2012 1:56 PM, Mike Perry wrote:
> >
> >> The short answer is "Yes, we've looked into it. New Identity removes
> >> evercookies."
> >>
> >> The long answer is
> >> https://www.torproject.org/projects/torbrowser/design/#new-identity and
> >> https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
> >>
> >> The footnote is "Please help us test this shit in new releases. We just
> >> had a race condition on the cache that allowed cache cookies to persist
> >> for up to a minute after clicking New Identity (though they did go away
> >> after that)."
> >> https://trac.torproject.org/projects/tor/ticket/3846
> >> https://trac.torproject.org/projects/tor/ticket/5715
> >>
> > How, pray tell, does clicking New Identity remove evercookies from 12 - 15
> > possible locations?  The cache isn't the only place evercookies can be
> > stored.  How does it remove ANY cookies at all?  Does that necessarily
> > clear LSOs, clear different locations HTML5 data can be stored - like
> > delete webappstore.sqlite - (even if you've not viewed HTML5 media, the
> > cookies can still be placed there), or all other known locations evercookies
> > can be placed (so far)?  I never heard or read that feature when using New
> > Identity.  Was I absent that day or were we waiting for just the right time
> > for a big announcement?
> >
> >>
> >> Thus spake Joe Btfsplk (joebtfsplk@xxxxxxx):
> >>
> >>> The most recent versions of TBB & No Script's default settings under
> >>> Advanced>External filters, is not to block hulu.com, .youtube.com.
> >>> The content type (I think) refers to shockwave|futuresplash.  How -
> >>> OR IF - No Script's blocking ability of "evercookies" w/ its
> >>> settings as it ships w/ TBB & sites like * Hulu * that (at least in
> >>> recent past) were * confirmed * by several privacy investigation
> >>> projects to be using evercookie / Kissmetrics.com tracking cookie
> >>> technology.  These cookies are NOT blocked by disabling all cookies
> >>> / all 3rd party cookies in Firefox.  Even if they were, TBB ships w/
> >>> allow all cookies enabled.
> >>>
> >>> One of the many ways / places (up to 12 - 15) that the js loaded
> >>> evercookies can be placed is as an LSO / flash cookie.  There are
> >>> many other traditional & non traditional places these cookies are
> >>> stored.  AFAICT from reading research, these cookies CAN transmit
> >>> data that could compromise Tor users' anonymity - as they certainly
> >>> can in Firefox.  They are also very difficult to del & "stay"
> >>> deleted (thus, sometimes called Zombie cookies).  Deleting cookies
> >>> by "normal" means does NOT delete them.
> >>>
> >>> Numerous research reports that I've read say one of the only ways to
> >>> block these is disable js for most sites (as in, using No Script),
> >>> but that supposedly makes users more susceptible to fingerprinting,
> >>> by only allowing certain sites to load js content.  Yet Hulu was one
> >>> of the worst offenders for using evercookies (I don't use Hulu,
> >>> BTW), but is whitelisted in NoScript.
> >>>
> >>> Have Tor devs looked into THESE special types of cookies & if they
> >>> are potentially compromising anonymity or even increasing chances of
> >>> fingerprinting, due to information they transmit about every site
> >>> you visit?
> >>> _______________________________________________
> >>> tor-talk mailing list
> >>> tor-talk@xxxxxxxxxxxxxxxxxxxx
> >>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> >>>

-- 
Mike Perry

Attachment: signature.asc
Description: Digital signature
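
Added example, not part of the original message and not Tor Project code: the quoted footnote asks for help testing New Identity, and one way to check is to count what is left in the stores named in the thread (cookies, DOM storage, disk cache, Flash LSOs). The file, table and directory names are assumptions about a Firefox profile of that era; the sample profile is constructed.

```python
import os
import sqlite3
import tempfile

# Assumed Firefox profile layout: SQLite store -> table that holds its entries.
STORES = {"cookies.sqlite": "moz_cookies", "webappsstore.sqlite": "webappsstore2"}

def count_rows(db_path, table):
    """Rows left in one store: 0 if the file is gone, -1 if it cannot be read."""
    if not os.path.exists(db_path):
        return 0
    con = sqlite3.connect(db_path)
    try:
        return con.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]
    except sqlite3.Error:
        return -1  # locked, corrupt or unexpected schema: inspect by hand
    finally:
        con.close()

def count_files(root, suffix=""):
    """Files under root (recursively) whose name ends with suffix."""
    return sum(n.endswith(suffix) for _, _, names in os.walk(root) for n in names)

def audit(profile_dir, flash_dir):
    """Entry counts for cookies, DOM storage, disk cache and Flash LSOs."""
    report = {db: count_rows(os.path.join(profile_dir, db), t) for db, t in STORES.items()}
    report["Cache"] = count_files(os.path.join(profile_dir, "Cache"))
    report["flash_lso"] = count_files(flash_dir, ".sol")
    return report

def residual(report):
    return sorted(name for name, n in report.items() if n != 0)  # -1 counts too

def build_sample(root):
    """Constructed sample: one entry in every store (simplified schemas)."""
    profile, flash = os.path.join(root, "profile"), os.path.join(root, "flash")
    os.makedirs(os.path.join(profile, "Cache"))
    os.makedirs(flash)
    for db, table in STORES.items():
        con = sqlite3.connect(os.path.join(profile, db))
        con.execute('CREATE TABLE "%s" (k TEXT, v TEXT)' % table)
        con.execute('INSERT INTO "%s" VALUES (?, ?)' % table, ("uid", "constructed"))
        con.commit()
        con.close()
    open(os.path.join(profile, "Cache", "entry0"), "wb").close()
    open(os.path.join(flash, "uid.sol"), "wb").close()
    return profile, flash

if __name__ == "__main__":
    print(audit(*build_sample(tempfile.mkdtemp())))
```

Run `audit()` against a copy of the real profile and Flash shared-object directory right after clicking New Identity and again a minute later, since the footnote describes cache entries that persisted for up to a minute. Anything `residual()` still lists is worth reporting on the tickets linked above.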
