[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Finger printing



On 5/9/2013 1:48 PM, Mike Perry wrote:
You know, all you people who keep asking the same questions over and
over again back-to-back in new threads for days on end could try
Googling first.. It might be just a tad quicker.

See:
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability
(which is result #3 for "tor browser fingerprinting" on startpage.com's
Google results).

tl;dr: We prevent read access to the HTML5 Canvas (which doubles as the
WebGL rendering surface, among other things) to prevent video card,
font, and other rendering differences from being extracted, hashed, and
fingerprinted. If you go to certain obnoxious websites (such as
https://github.com), you can see this defense in action.

We also run WebGL in "minimal mode" which disables disable video card
and driver-specific extensions, so that this information is not
available to JS.

Still, WebGL is still a huge beast with an unknown and previously
unexposed vulnrability surface, which is why we still leave it
click-to-play via NoScript.

Thus spake Andrew F (andrewfriedman101@xxxxxxxxx):

I don't believe that the Tor-button changes any of the variables that are
linked to the hardware.  And that is the key.

What is the point of Tor if fingerprinting works.



On Thu, May 9, 2013 at 4:08 PM, SiNA Rabbani <sina@xxxxxxxxxx> wrote:

Tor Button provides certain protections already. That's why its important
to use Tor properly. Tor Browser Bundle is shipped with Tor Button
installed:
https://www.torproject.org/torbutton/

--SiNA
On May 9, 2013 8:56 AM, "Andrew F" <andrewfriedman101@xxxxxxxxx> wrote:

Some one in Tor-Dev said that finger printing of the system and video
card
in particular allows someone to be tracked as well as having a cookie on
there system.

That sound pretty serious to me.  Anyone working on this issue?

Do we have any projects on obfuscating Finger print data?

Seems like it should be a top priority.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

_
Simma'... Do-uwn... a-now, Mike.:) I think you misunderstood the OPs intent. He wasn't talking just about WebGL. If I understood (they can correct me), Tor documents & Tor and / or security gurus keep talking about "don't install a single additional extension, change browser fonts... or you'll be subject to browser finger printing."

OK. His point was (I think), why MUST TBB users be subject to "someone" being able to get *ALL* of that info from TBB, that allows fingerprinting, upon the slightest changes? I'm guessing he wants to know why TBB would give a real time zone or a lot of the other data mentioned, that don't SERIOUSLY impact page display, but makes fingerprinting easier? Why not give out fake data or none, if it doesn't completely break pages? Why not to the *extent possible*, all TBB users "show" the same data, or none - if it won't break pages? And if it breaks a couple of pages out of many 1000's, so what.

Why is it necessary at all for TBB to divulge ALL installed plugins or extensions? And many of the other data that were mentioned regarding fingerprinting? Surely, all of these don't make or break whether a page displays. If it's script related, why not block scripts that mine data non critical data, that doesn't affect page display? (I have no idea how pages access every plugin you have installed, or why they're allow to).
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk