
Re: [tor-talk] WebGL forbidden in NoScript but Flash is not?

On 5/7/2013 5:27 PM, Moritz Bartl wrote:


"WebGL can reveal information about the video card in use, and high
precision timing information can be used to fingerprint the CPU and
interpreter speed."

The adversary simply renders WebGL, font, and named color data to a
Canvas element, extracts the image buffer, and computes a hash of that
image data. Subtle differences in the video card, font packs, and even
font and graphics library versions allow the adversary to produce a
stable, simple, high-entropy fingerprint of a computer. In fact, the
hash of the rendered image can be used almost identically to a tracking
cookie by the web server.

WebGL is fingerprintable both through information that is exposed about
the underlying driver and optimizations, as well as through performance

Because of the large amount of potential fingerprinting vectors and the
previously unexposed vulnerability surface, we deploy a similar strategy
against WebGL as for plugins. "

OK, thanks for the detailed reply. Now that the "adversary" has a fingerprint of my machine (therein lies the problem - the data being given out), unless they're the gubment & I'm a bad guy (or living in a repressed society), what are they going to do w/ that info? In the real world, not, "theoretically, they could..." Let's assume I haven't done anything that falls under criminal court jurisdiction & very unlikely anything even falling under civil court jurisdiction.

This is good info to know. My wondering about another method of using a stand alone media player (not browser plugin) that plays Flash or WebGL content, & whether it avoids some of these issues, is in another post, today.