[tor-talk] Evercookies / supercookies tracking & No Script whitelisting tracking sites
Mike Perry
mikeperry at torproject.org
Mon May 14 18:56:51 UTC 2012
The short answer is "Yes, we've looked into it. New Identity removes
evercookies."

The long answer is
https://www.torproject.org/projects/torbrowser/design/#new-identity and
https://www.torproject.org/projects/torbrowser/design/#identifier-linkability

The footnote is "Please help us test this shit in new releases. We just
had a race condition on the cache that allowed cache cookies to persist
for up to a minute after clicking New Identity (though they did go away
after that)."
https://trac.torproject.org/projects/tor/ticket/3846
https://trac.torproject.org/projects/tor/ticket/5715

Thus spake Joe Btfsplk (joebtfsplk at gmx.com):
> The most recent versions of TBB & No Script's default settings under
> Advanced>External filters, is not to block hulu.com, .youtube.com.
> The content type (I think) refers to shockwave|futuresplash. How -
> OR IF - No Script's blocking ability of "evercookies" w/ its
> settings as it ships w/ TBB & sites like * Hulu * that (at least in
> recent past) were * confirmed * by several privacy investigation
> projects to be using evercookie / Kissmetrics.com tracking cookie
> technology. These cookies are NOT blocked by disabling all cookies
> / all 3rd party cookies in Firefox. Even if they were, TBB ships w/
> allow all cookies enabled.
>
> One of the many ways / places (up to 12 - 15) that the js loaded
> evercookies can be placed is as an LSO / flash cookie. There are
> many other traditional & non traditional places these cookies are
> stored. AFAICT from reading research, these cookies CAN transmit
> data that could compromise Tor users' anonymity - as they certainly
> can in Firefox. They are also very difficult to del & "stay"
> deleted (thus, sometimes called Zombie cookies). Deleting cookies
> by "normal" means does NOT delete them.
>
> Numerous research reports that I've read say one of the only ways to
> block these is disable js for most sites (as in, using No Script),
> but that supposedly makes users more susceptible to fingerprinting,
> by only allowing certain sites to load js content. Yet Hulu was one
> of the worst offenders for using evercookies (I don't use Hulu,
> BTW), but is whitelisted in NoScript.
>
> Have Tor devs looked into THESE special types of cookies & if they
> are potentially compromising anonymity or even increasing chances of
> fingerprinting, due to information they transmit about every site
> you visit?
--
Mike Perry