[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] WebGL forbidden in NoScript but Flash is not?
On 5/7/2013 7:05 PM, Andrew F wrote:
I'm no expert on that. I'm fairly sure SOME of the info has to be
accurate in order for the video to play correctly (that's where my other
question about using standalone players comes in).
I am coming in late on this topic and know very little about it,
But I have to ask, would it be possible to send fake information?
I know that they use many variables to create a mosaic to identify people.
So why not change several variables. Create some randomness
and change several variables on an irregular basis.
I am sure this will not be the last salvo in the on going war of
it may help for a while.
On Tue, May 7, 2013 at 10:27 PM, Moritz Bartl <moritz@xxxxxxxxxxxxxx> wrote:
"WebGL can reveal information about the video card in use, and high
precision timing information can be used to fingerprint the CPU and
The adversary simply renders WebGL, font, and named color data to a
Canvas element, extracts the image buffer, and computes a hash of that
image data. Subtle differences in the video card, font packs, and even
font and graphics library versions allow the adversary to produce a
stable, simple, high-entropy fingerprint of a computer. In fact, the
hash of the rendered image can be used almost identically to a tracking
cookie by the web server.
WebGL is fingerprintable both through information that is exposed about
the underlying driver and optimizations, as well as through performance
Because of the large amount of potential fingerprinting vectors and the
previously unexposed vulnerability surface, we deploy a similar strategy
against WebGL as for plugins. "
But some of the info Moritz mentioned & other, could possibly be faked.
Just like they used to do w/ Fx & Opera, when they wouldn't work
correctly because websites recognized they weren't IE.
But, a simpler (if less convenient for some) solution might be to use
something that doesn't require sending or exposing that info. Which
means, not a built in web player.
tor-talk mailing list