Thus spake Joe Btfsplk (joebtfsplk@xxxxxxx): > On 5/14/2012 1:56 PM, Mike Perry wrote: > >The short answer is "Yes, we've looked into it. New Identity removes > >evercookies."... > > > >The footnote is "Please help us test this shit in new releases. We just > >had a race condition on the cache that allowed cache cookies to persist > >for up to a minute after clicking New Identity (though they did go away > >after that)."... > Maybe there should be more discussion about these types of cookies > (most aren't even aware of them or their capabilities), how to > PREVENT them - to extent possible & how to clean them up. They are > NOT easy to get rid of if they've been placed in many / most of the > known locations they can hide. https://trac.torproject.org/projects/tor/ticket/5294 We want to keep it short and sweet, though. Normal people don't care about enumerating evercookie locations, only mentats do. Mentats are encouraged to read the design doc, suggest improvements, and review the source code. > Also, FAQ on them. I read the design links for New Identity & the > bug links, but I didn't see how that handles ALL the known locations > where evercookies can be placed. > Another view is, "An ounce of prevention is worth a pound of cure." > I think educating users how to avoid them, to the extent possible, > would be good. They're often easier to avoid than eradicate. Word. The design does come from a thorough understanding of all the places browsers can store state about your browsing experience, in what cases it gets transmitted and/or side channeled, and how to deal with it. The design is documented so others with this understanding can verify we've done our jobs, though perhaps we could make the "New Identity" section itself more legible, somehow. Keeping TBB relatively simple (only three addons, no plugins) makes this a whole lot easier than for vanilla Firefox. That's one of the reasons why New Identity is disabled there. > I can't vouch for these clean up utilities effectiveness on > evercookies. I use them, but haven't tested much on evercookies. > BleachBit claims it will clean evercookies (recent versions). > CCleaner (some forum moderators) claim it will clean them, but I > couldn't squeeze out of anyone at Piriform, that CCleaner officially > claims to handle evercookies (meaning, all known "hiding places.") To be fair, the EverCookie problem does grow exponentially more complicated once you add in third party plugins and addons, AV software, etc. That's why we try to keep TBB simple, and keep other addons and plugins out of it. -- Mike Perry
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk