[tor-talk] WebGL forbidden in NoScript but Flash is not?

Joe Btfsplk joebtfsplk at gmx.com
Wed May 8 02:37:49 UTC 2013


On 5/7/2013 7:05 PM, Andrew F wrote:
> I am coming in late on this topic and know very little about it,
> But I have to ask, would it be possible to send fake information?
> I know that they use many variables to create a mosaic to identify people.
> So why not change several variables.  Create some randomness
> and change several variables on an irregular basis.
> I am sure this will not be the last salvo in the on going war of
> identification, but
> it may help for a while.
>
>
>
> On Tue, May 7, 2013 at 10:27 PM, Moritz Bartl <moritz at torservers.net> wrote:
>
>> https://www.torproject.org/projects/torbrowser/design/
>>
>> "WebGL can reveal information about the video card in use, and high
>> precision timing information can be used to fingerprint the CPU and
>> interpreter speed."
>> [...]
>> The adversary simply renders WebGL, font, and named color data to a
>> Canvas element, extracts the image buffer, and computes a hash of that
>> image data. Subtle differences in the video card, font packs, and even
>> font and graphics library versions allow the adversary to produce a
>> stable, simple, high-entropy fingerprint of a computer. In fact, the
>> hash of the rendered image can be used almost identically to a tracking
>> cookie by the web server.
>> [...]
>> WebGL is fingerprintable both through information that is exposed about
>> the underlying driver and optimizations, as well as through performance
>> fingerprinting.
>>
>> Because of the large amount of potential fingerprinting vectors and the
>> previously unexposed vulnerability surface, we deploy a similar strategy
>> against WebGL as for plugins. "
>>
>>
I'm no expert on that.  I'm fairly sure SOME of the info has to be 
accurate in order for the video to play correctly (that's where my other 
question about using standalone players comes in).

But some of the info Moritz mentioned & other, could possibly be faked.  
Just like they used to do w/ Fx & Opera, when they wouldn't work 
correctly because websites recognized they weren't IE.

But, a simpler (if less convenient for some) solution might be to use 
something that doesn't require sending or exposing that info. Which 
means, not a built in web player.


More information about the tor-talk mailing list