[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] WebGL forbidden in NoScript but Flash is not?

What is tor doing about finger printing?
Is there a project to deal with that?

On Wed, May 8, 2013 at 12:13 AM, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:

> On 5/7/2013 5:27 PM, Moritz Bartl wrote:
>> https://www.torproject.org/**projects/torbrowser/design/<https://www.torproject.org/projects/torbrowser/design/>
>> "WebGL can reveal information about the video card in use, and high
>> precision timing information can be used to fingerprint the CPU and
>> interpreter speed."
>> [...]
>> The adversary simply renders WebGL, font, and named color data to a
>> Canvas element, extracts the image buffer, and computes a hash of that
>> image data. Subtle differences in the video card, font packs, and even
>> font and graphics library versions allow the adversary to produce a
>> stable, simple, high-entropy fingerprint of a computer. In fact, the
>> hash of the rendered image can be used almost identically to a tracking
>> cookie by the web server.
>> [...]
>> WebGL is fingerprintable both through information that is exposed about
>> the underlying driver and optimizations, as well as through performance
>> fingerprinting.
>> Because of the large amount of potential fingerprinting vectors and the
>> previously unexposed vulnerability surface, we deploy a similar strategy
>> against WebGL as for plugins. "
>>  OK, thanks for detailed reply.  Now that the "adversary" has a
> fingerprint of my machine (therein lies the problem - the data being given
> out), unless they're the gubment & I'm a bad guy (or living in a represses
> society), what are they going to do w/ that info?  In the real world, not,
> "theoretically, they could..."  Let's assume I haven't done anything that
> falls under criminal court jurisdiction & very unlikely anything even
> falling under civil court jurisdiction.
> This is good info to know.  My wondering about another method of using a
> stand alone media player (not browser plugin) that plays Flash or WebGL
> content, & whether it avoids some of these issues, is in another post,
> today.
> ______________________________**_________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/**cgi-bin/mailman/listinfo/tor-**talk<https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>
tor-talk mailing list