[tor-talk] WebGL forbidden in NoScript but Flash is not?
Moritz Bartl
moritz at torservers.net
Tue May 7 22:27:32 UTC 2013
On 07.05.2013 20:38, Joe Btfsplk wrote:
> TBB may have NoScript settings to not have checked "Forbid Flash"
> because it doesn't contain Flash Player.
>
> What about WebGL being blocked by default in NoScript? I thought this
> was supposed to be a much safer (not a threat to Tor) than Flash?
https://www.torproject.org/projects/torbrowser/design/
"WebGL can reveal information about the video card in use, and high
precision timing information can be used to fingerprint the CPU and
interpreter speed."
[...]
The adversary simply renders WebGL, font, and named color data to a
Canvas element, extracts the image buffer, and computes a hash of that
image data. Subtle differences in the video card, font packs, and even
font and graphics library versions allow the adversary to produce a
stable, simple, high-entropy fingerprint of a computer. In fact, the
hash of the rendered image can be used almost identically to a tracking
cookie by the web server.
[...]
WebGL is fingerprintable both through information that is exposed about
the underlying driver and optimizations, as well as through performance
fingerprinting.
Because of the large amount of potential fingerprinting vectors and the
previously unexposed vulnerability surface, we deploy a similar strategy
against WebGL as for plugins. "
--
Moritz Bartl
https://www.torservers.net/
More information about the tor-talk
mailing list