[tor-talk] WebGL forbidden in NoScript but Flash is not?
Joe Btfsplk
joebtfsplk at gmx.com
Wed May 8 00:13:07 UTC 2013
On 5/7/2013 5:27 PM, Moritz Bartl wrote:
>
> https://www.torproject.org/projects/torbrowser/design/
>
> "WebGL can reveal information about the video card in use, and high
> precision timing information can be used to fingerprint the CPU and
> interpreter speed."
> [...]
> The adversary simply renders WebGL, font, and named color data to a
> Canvas element, extracts the image buffer, and computes a hash of that
> image data. Subtle differences in the video card, font packs, and even
> font and graphics library versions allow the adversary to produce a
> stable, simple, high-entropy fingerprint of a computer. In fact, the
> hash of the rendered image can be used almost identically to a tracking
> cookie by the web server.
> [...]
> WebGL is fingerprintable both through information that is exposed about
> the underlying driver and optimizations, as well as through performance
> fingerprinting.
>
> Because of the large amount of potential fingerprinting vectors and the
> previously unexposed vulnerability surface, we deploy a similar strategy
> against WebGL as for plugins. "
>
OK, thanks for detailed reply. Now that the "adversary" has a
fingerprint of my machine (therein lies the problem - the data being
given out), unless they're the gubment & I'm a bad guy (or living in a
represses society), what are they going to do w/ that info? In the real
world, not, "theoretically, they could..." Let's assume I haven't done
anything that falls under criminal court jurisdiction & very unlikely
anything even falling under civil court jurisdiction.
This is good info to know. My wondering about another method of using a
stand alone media player (not browser plugin) that plays Flash or WebGL
content, & whether it avoids some of these issues, is in another post,
today.
More information about the tor-talk
mailing list