[tor-talk] Evercookies / supercookies tracking & No Script whitelisting tracking sites

Mike Perry mikeperry at torproject.org
Mon May 14 18:56:51 UTC 2012


The short answer is "Yes, we've looked into it. New Identity removes
evercookies."

The long answer is
https://www.torproject.org/projects/torbrowser/design/#new-identity and
https://www.torproject.org/projects/torbrowser/design/#identifier-linkability

The footnote is "Please help us test this shit in new releases. We just
had a race condition on the cache that allowed cache cookies to persist
for up to a minute after clicking New Identity (though they did go away
after that)."
https://trac.torproject.org/projects/tor/ticket/3846
https://trac.torproject.org/projects/tor/ticket/5715

Thus spake Joe Btfsplk (joebtfsplk at gmx.com):

> The most recent versions of TBB & No Script's default settings under
> Advanced>External filters, is not to block hulu.com, .youtube.com.
> The content type (I think) refers to shockwave|futuresplash.  How -
> OR IF - No Script's blocking ability of "evercookies" w/ its
> settings as it ships w/ TBB & sites like * Hulu * that (at least in
> recent past) were * confirmed * by several privacy investigation
> projects to be using evercookie / Kissmetrics.com tracking cookie
> technology.  These cookies are NOT blocked by disabling all cookies
> / all 3rd party cookies in Firefox.  Even if they were, TBB ships w/
> allow all cookies enabled.
> 
> One of the many ways / places (up to 12 - 15) that the js loaded
> evercookies can be placed is as an LSO / flash cookie.  There are
> many other traditional & non traditional places these cookies are
> stored.  AFAICT from reading research, these cookies CAN transmit
> data that could compromise Tor users' anonymity - as they certainly
> can in Firefox.  They are also very difficult to del & "stay"
> deleted (thus, sometimes called Zombie cookies).  Deleting cookies
> by "normal" means does NOT delete them.
> 
> Numerous research reports that I've read say one of the only ways to
> block these is disable js for most sites (as in, using No Script),
> but that supposedly makes users more susceptible to fingerprinting,
> by only allowing certain sites to load js content.  Yet Hulu was one
> of the worst offenders for using evercookies (I don't use Hulu,
> BTW), but is whitelisted in NoScript.
> 
> Have Tor devs looked into THESE special types of cookies & if they
> are potentially compromising anonymity or even increasing chances of
> fingerprinting, due to information they transmit about every site
> you visit?

-- 
Mike Perry