[tor-bugs] #6041 [TorBrowserButton]: Review rendering-based fingerprinting vectors

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Jun 13 19:19:39 UTC 2012


#6041: Review rendering-based fingerprinting vectors
------------------------------+---------------------------------------------
 Reporter:  gk                |          Owner:  mikeperry
     Type:  defect            |         Status:  new      
 Priority:  major             |      Milestone:           
Component:  TorBrowserButton  |        Version:           
 Keywords:  MikePerry201206   |         Parent:           
   Points:  2                 |   Actualpoints:           
------------------------------+---------------------------------------------

Comment(by gk):

 Replying to [comment:3 mikeperry]:
 > Ok, few thoughts on the paper first:
 >
 > 1. For the most part, I like this paper. It's reasonable and well
 > written, has a decently thought-out defenses section, and doesn't make
 > ridiculously outlandish claims.
 > 2. We still need source code to reproduce the results. It doesn't look
 > like they tested WebGL "Minimal Mode", and we'll also want to do our own
 > testing too.

 https://github.com/kmowery/canvas-fingerprinting

 > 3. It is probably too early in the fingerprinting defenses game to bend
 > over backwards to try to fully conceal OS for this specific vector. OS is
 > likely to leak a ton of different ways. We should go after lower hanging
 > fruit first, until more light is shown upon the threat landscape.

 I fully agree with 1.-3.

 > 4. Their concluding rhetorical question about fingerprints being
 > unavoidable on the modern web is nonsense. Computers are mass produced,
 > and are virtualizable. Even in the worst-case scenario, we can provide an
 > anonymity set roughly equivalent to OS and graphics card userbase size.
 > Most likely, we can do quite a bit better than that, especially if we
 > leave WebGL click-to-play.

 Well, I read it in this way that they fear we'll lose in the long run
 because new fingerprintable features are added faster than we can fix
 them. But that remains to be seen...

 > Now, thoughts on defenses:
 > I think the "Prompt for canvas image extraction" defense is probably the
 > best option for now due to implementation effort

 +1

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6041#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

