[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #30436 [Applications/Tor Browser]: Visit duration tracking possible in TorBrowser using a favicon which downloads from a server using a connection that's never closed
#30436: Visit duration tracking possible in TorBrowser using a favicon which
downloads from a server using a connection that's never closed
--------------------------------------+-----------------------------------
Reporter: ehsan.akhgari@… | Owner: tbb-team
Type: defect | Status: needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Changes (by gk):
* status: new => needs_information
* owner: (none) => tbb-team
* component: - Select a component => Applications/Tor Browser
Comment:
So, right now I wonder what we should do here and what the threat is. It
does seem to me that this technique is a problem for cross-origin tracking
with identifiers which we try to defend with First Party Isolation
against. But it does not seem to be a fingerprinting technique either.
Moreover, what's the threat here? A malicious first party domain a user is
interacting with. What would it gain by measuring the page visit time with
that technique? How would it single out me be it either during a
particular session of across sessions with _just_ the scenario described
in the links in your description (however, I admit this is a neat idea :)
).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30436#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs