[tor-talk] Evercookies / supercookies tracking & No Script whitelisting tracking sites

Praedor Tempus praedor at yahoo.com
Mon May 14 18:58:11 UTC 2012

OK, this sort of thing has me wondering if the only way to safely use tor is in a virtual machine.  Would this not seem to be the case?  Who cares if Hulu or Youtube gets your IP address if it is a bogus VM IP address rather than your real one?  They get to see either your tor IP or the IP of your VM and nothing else.  

Perhaps tor should move to a tor browser VM instead of just an app?

 From: Joe Btfsplk <joebtfsplk at gmx.com>
To: Tor-Talk <tor-talk at lists.torproject.org> 
Sent: Monday, May 14, 2012 2:15 PM
Subject: [tor-talk] Evercookies / supercookies tracking & No Script whitelisting tracking sites
The most recent versions of TBB & No Script's default settings under Advanced>External filters, is not to block hulu.com, .youtube.com.  The content type (I think) refers to shockwave|futuresplash.  How - OR IF - No Script's blocking ability of "evercookies" w/ its settings as it ships w/ TBB & sites like * Hulu * that (at least in recent past) were * confirmed * by several privacy investigation projects to be using evercookie / Kissmetrics.com tracking cookie technology.  These cookies are NOT blocked by disabling all cookies / all 3rd party cookies in Firefox.  Even if they were, TBB ships w/ allow all cookies enabled.

One of the many ways / places (up to 12 - 15) that the js loaded evercookies can be placed is as an LSO / flash cookie.  There are many other traditional & non traditional places these cookies are stored.  AFAICT from reading research, these cookies CAN transmit data that could compromise Tor users' anonymity - as they certainly can in Firefox.  They are also very difficult to del & "stay" deleted (thus, sometimes called Zombie cookies).  Deleting cookies by "normal" means does NOT delete them.

Numerous research reports that I've read say one of the only ways to block these is disable js for most sites (as in, using No Script), but that supposedly makes users more susceptible to fingerprinting, by only allowing certain sites to load js content.  Yet Hulu was one of the worst offenders for using evercookies (I don't use Hulu, BTW), but is whitelisted in NoScript.

Have Tor devs looked into THESE special types of cookies & if they potentially compromising anonymity or even increasing chances of fingerprinting, due to information they transmit about every site you visit?
tor-talk mailing list
tor-talk at lists.torproject.org

More information about the tor-talk mailing list