[tor-bugs] #12715 [Tor Browser]: Treat fingerprinting fixes like other security fixes: trigger TBB release

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 28 12:35:32 UTC 2014


#12715: Treat fingerprinting fixes like other security fixes: trigger TBB release
-----------------------------+--------------------------------
     Reporter:  cypherpunks  |      Owner:  tbb-team
         Type:  task         |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-fingerprinting
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+--------------------------------

Comment (by cypherpunks):

 Fair enough, but it can be labor intensive to find out how much entropy is
 leaked. For example, does #9881 give you

 - "Only" the screen size?
 - Clues about the OS / desktop environment / window manager (not all allow
 oversized windows)?
 - The OS / desktop environment toolbar size?

 Evaluating a bug's severity would involve writing a custom-tailored,
 robust to the point of almost being weaponized, fingerprinter. Assuming
 that TBB development had the manpower to do that, then after even more
 days spent on that we find out that it really is serious. Oops...

 I feel like the question "Does this fingerprinting bug ''really'' have
 high entropy?" is analogous to "Does this free-after-use or whatever
 ''really'' give someone remote code execution?" in that it may usually be
 more realistic to just assume "yes" and start the release build.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12715#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

