[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] WebGL forbidden in NoScript but Flash is not?

I am coming in late on this topic and know very little about it,
But I have to ask, would it be possible to send fake information?
I know that they use many variables to create a mosaic to identify people.
So why not change several variables.  Create some randomness
and change several variables on an irregular basis.
I am sure this will not be the last salvo in the on going war of
identification, but
it may help for a while.

On Tue, May 7, 2013 at 10:27 PM, Moritz Bartl <moritz@xxxxxxxxxxxxxx> wrote:

> On 07.05.2013 20:38, Joe Btfsplk wrote:
> > TBB may have NoScript settings to not have checked "Forbid Flash"
> > because it doesn't contain Flash Player.
> >
> > What about WebGL being blocked by default in NoScript?  I thought this
> > was supposed to be a much safer (not a threat to Tor) than Flash?
> https://www.torproject.org/projects/torbrowser/design/
> "WebGL can reveal information about the video card in use, and high
> precision timing information can be used to fingerprint the CPU and
> interpreter speed."
> [...]
> The adversary simply renders WebGL, font, and named color data to a
> Canvas element, extracts the image buffer, and computes a hash of that
> image data. Subtle differences in the video card, font packs, and even
> font and graphics library versions allow the adversary to produce a
> stable, simple, high-entropy fingerprint of a computer. In fact, the
> hash of the rendered image can be used almost identically to a tracking
> cookie by the web server.
> [...]
> WebGL is fingerprintable both through information that is exposed about
> the underlying driver and optimizations, as well as through performance
> fingerprinting.
> Because of the large amount of potential fingerprinting vectors and the
> previously unexposed vulnerability surface, we deploy a similar strategy
> against WebGL as for plugins. "
> --
> Moritz Bartl
> https://www.torservers.net/
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
tor-talk mailing list