[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Finger printing
On 5/9/2013 1:48 PM, Mike Perry wrote:
Simma'... Do-uwn... a-now, Mike.:) I think you misunderstood the OPs
intent. He wasn't talking just about WebGL.
If I understood (they can correct me), Tor documents & Tor and / or
security gurus keep talking about "don't install a single additional
extension, change browser fonts... or you'll be subject to browser
You know, all you people who keep asking the same questions over and
over again back-to-back in new threads for days on end could try
Googling first.. It might be just a tad quicker.
(which is result #3 for "tor browser fingerprinting" on startpage.com's
tl;dr: We prevent read access to the HTML5 Canvas (which doubles as the
WebGL rendering surface, among other things) to prevent video card,
font, and other rendering differences from being extracted, hashed, and
fingerprinted. If you go to certain obnoxious websites (such as
https://github.com), you can see this defense in action.
We also run WebGL in "minimal mode" which disables disable video card
and driver-specific extensions, so that this information is not
available to JS.
Still, WebGL is still a huge beast with an unknown and previously
unexposed vulnrability surface, which is why we still leave it
click-to-play via NoScript.
Thus spake Andrew F (andrewfriedman101@xxxxxxxxx):
I don't believe that the Tor-button changes any of the variables that are
linked to the hardware. And that is the key.
What is the point of Tor if fingerprinting works.
On Thu, May 9, 2013 at 4:08 PM, SiNA Rabbani <sina@xxxxxxxxxx> wrote:
Tor Button provides certain protections already. That's why its important
to use Tor properly. Tor Browser Bundle is shipped with Tor Button
On May 9, 2013 8:56 AM, "Andrew F" <andrewfriedman101@xxxxxxxxx> wrote:
Some one in Tor-Dev said that finger printing of the system and video
in particular allows someone to be tracked as well as having a cookie on
That sound pretty serious to me. Anyone working on this issue?
Do we have any projects on obfuscating Finger print data?
Seems like it should be a top priority.
tor-talk mailing list
OK. His point was (I think), why MUST TBB users be subject to "someone"
being able to get *ALL* of that info from TBB, that allows
fingerprinting, upon the slightest changes?
I'm guessing he wants to know why TBB would give a real time zone or a
lot of the other data mentioned, that don't SERIOUSLY impact page
display, but makes fingerprinting easier? Why not give out fake data or
none, if it doesn't completely break pages? Why not to the *extent
possible*, all TBB users "show" the same data, or none - if it won't
break pages? And if it breaks a couple of pages out of many 1000's, so
Why is it necessary at all for TBB to divulge ALL installed plugins or
extensions? And many of the other data that were mentioned regarding
fingerprinting? Surely, all of these don't make or break whether a page
If it's script related, why not block scripts that mine data non
critical data, that doesn't affect page display? (I have no idea how
pages access every plugin you have installed, or why they're allow to).
tor-talk mailing list