[tor-talk] Evercookies / supercookies tracking & No Script whitelisting tracking sites

Joe Btfsplk joebtfsplk at gmx.com
Mon May 14 20:29:22 UTC 2012


On 5/14/2012 1:56 PM, Mike Perry wrote:
> The short answer is "Yes, we've looked into it. New Identity removes
> evercookies."
>
> The long answer is
> https://www.torproject.org/projects/torbrowser/design/#new-identity and
> https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
>
> The footnote is "Please help us test this shit in new releases. We just
> had a race condition on the cache that allowed cache cookies to persist
> for up to a minute after clicking New Identity (though they did go away
> after that)."
> https://trac.torproject.org/projects/tor/ticket/3846
> https://trac.torproject.org/projects/tor/ticket/5715
How, pray tell, does clicking New Identity remove evercookies from 12 - 
15 possible locations?  The cache isn't the only place evercookies can 
be stored.  How does it remove ANY cookies at all?  Does that 
necessarily clear LSOs, clear different locations HTML5 data can be 
stored - like delete webappstore.sqlite - (even if you've not viewed 
HTML5 media, the cookies can still be placed there), or all other known 
locations evercookies can be placed (so far)?  I never heard or read 
of that feature when using New Identity.  Was I absent that day or were we 
waiting for just the right time for a big announcement?
>
> Thus spake Joe Btfsplk (joebtfsplk at gmx.com):
>
>> The most recent versions of TBB & No Script's default settings under
>> Advanced>External filters, is not to block hulu.com, .youtube.com.
>> The content type (I think) refers to shockwave|futuresplash.  How -
>> OR IF - No Script's blocking ability of "evercookies" w/ its
>> settings as it ships w/ TBB & sites like * Hulu * that (at least in
>> recent past) were * confirmed * by several privacy investigation
>> projects to be using evercookie / Kissmetrics.com tracking cookie
>> technology.  These cookies are NOT blocked by disabling all cookies
>> / all 3rd party cookies in Firefox.  Even if they were, TBB ships w/
>> allow all cookies enabled.
>>
>> One of the many ways / places (up to 12 - 15) that the js loaded
>> evercookies can be placed is as an LSO / flash cookie.  There are
>> many other traditional & non traditional places these cookies are
>> stored.  AFAICT from reading research, these cookies CAN transmit
>> data that could compromise Tor users' anonymity - as they certainly
>> can in Firefox.  They are also very difficult to del & "stay"
>> deleted (thus, sometimes called Zombie cookies).  Deleting cookies
>> by "normal" means does NOT delete them.
>>
>> Numerous research reports that I've read say one of the only ways to
>> block these is disable js for most sites (as in, using No Script),
>> but that supposedly makes users more susceptible to fingerprinting,
>> by only allowing certain sites to load js content.  Yet Hulu was one
>> of the worst offenders for using evercookies (I don't use Hulu,
>> BTW), but is whitelisted in NoScript.
>>
>> Have Tor devs looked into THESE special types of cookies & if they
>> are potentially compromising anonymity or even increasing chances of
>> fingerprinting, due to information they transmit about every site
>> you visit?
>> _______________________________________________
>> tor-talk mailing list
>> tor-talk at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
>


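One way to run the kind of test Mike Perry asks for, added here as an example (not code from this thread or from the Tor Project): list what is still on disk in a few of the storage locations named above, before and after clicking New Identity. The table and column names, `cookies.sqlite`, the `Cache` directory name, the `lso_root` parameter and the sample profile are assumptions of this example; only `webappstore.sqlite` is named in the thread.

```python
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

# webappstore.sqlite is named in the thread; every other name below is assumed.
SQLITE_STORES = {
    "webappstore.sqlite": ("webappsstore2", "scope"),  # DOM storage
    "cookies.sqlite": ("moz_cookies", "host"),         # HTTP cookies
}

def audit_profile(profile, lso_root=None):
    """Return {location: [entries]} for each store that still holds state."""
    profile, findings = Path(profile), {}
    for fname, (table, col) in SQLITE_STORES.items():
        db = profile / fname
        if not db.is_file():
            continue
        # Open read-only so the audit never alters the profile under test.
        with closing(sqlite3.connect(db.resolve().as_uri() + "?mode=ro", uri=True)) as con:
            try:
                rows = con.execute(f"SELECT DISTINCT {col} FROM {table}").fetchall()
            except sqlite3.DatabaseError:
                rows = [("<unreadable or unexpected schema>",)]
        if rows:
            findings[fname] = sorted(str(r[0]) for r in rows)
    # File-based stores: cache entries and Flash LSOs (*.sol files).
    for label, root, pattern in (("cache", profile / "Cache", "*"),
                                 ("flash_lso", lso_root, "*.sol")):
        if root and Path(root).is_dir():
            hits = sorted(p.name for p in Path(root).rglob(pattern) if p.is_file())
            if hits:
                findings[label] = hits
    return findings

def build_sample_profile(base):
    """Constructed sample data: one DOM-storage row, one cache file, one LSO."""
    profile, lso = Path(base) / "profile", Path(base) / "lso"
    (profile / "Cache").mkdir(parents=True)
    (lso / "tracker.example").mkdir(parents=True)
    with closing(sqlite3.connect(profile / "webappstore.sqlite")) as con:
        con.executescript("CREATE TABLE webappsstore2 (scope TEXT, key TEXT, value TEXT);"
                          "INSERT INTO webappsstore2 VALUES ('tracker.example', 'uid', 'abc123');")
    (profile / "Cache" / "entry0").write_bytes(b"uid=abc123")
    (lso / "tracker.example" / "uid.sol").write_bytes(b"abc123")
    return profile, lso

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_profile(*build_sample_profile(tmp)))
```

An empty result after New Identity only covers the locations this script looks at; it says nothing about the other storage locations the thread mentions.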