[tor-talk] Finger printing

Joe Btfsplk joebtfsplk at gmx.com
Thu May 9 21:20:29 UTC 2013 

On 5/9/2013 1:48 PM, Mike Perry wrote:
> You know, all you people who keep asking the same questions over and
> over again back-to-back in new threads for days on end could try
> Googling first.. It might be just a tad quicker.
>
> See:
> https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability
> (which is result #3 for "tor browser fingerprinting" on startpage.com's
> Google results).
>
> tl;dr: We prevent read access to the HTML5 Canvas (which doubles as the
> WebGL rendering surface, among other things) to prevent video card,
> font, and other rendering differences from being extracted, hashed, and
> fingerprinted. If you go to certain obnoxious websites (such as
> https://github.com), you can see this defense in action.
>
> We also run WebGL in "minimal mode" which disables disable video card
> and driver-specific extensions, so that this information is not
> available to JS.
>
> Still, WebGL is still a huge beast with an unknown and previously
> unexposed vulnrability surface, which is why we still leave it
> click-to-play via NoScript.
>
> Thus spake Andrew F (andrewfriedman101 at gmail.com):
>
>> I don't believe that the Tor-button changes any of the variables that are
>> linked to the hardware.  And that is the key.
>>
>> What is the point of Tor if fingerprinting works.
>>
>>
>>
>> On Thu, May 9, 2013 at 4:08 PM, SiNA Rabbani <sina at redteam.io> wrote:
>>
>>> Tor Button provides certain protections already. That's why its important
>>> to use Tor properly. Tor Browser Bundle is shipped with Tor Button
>>> installed:
>>> https://www.torproject.org/torbutton/
>>>
>>> --SiNA
>>> On May 9, 2013 8:56 AM, "Andrew F" <andrewfriedman101 at gmail.com> wrote:
>>>
>>>> Some one in Tor-Dev said that finger printing of the system and video
>>> card
>>>> in particular allows someone to be tracked as well as having a cookie on
>>>> there system.
>>>>
>>>> That sound pretty serious to me.  Anyone working on this issue?
>>>>
>>>> Do we have any projects on obfuscating Finger print data?
>>>>
>>>> Seems like it should be a top priority.
>>>> _______________________________________________
>>>> tor-talk mailing list
>>>> tor-talk at lists.torproject.org
>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>>>
>>> _
Simma'... Do-uwn... a-now, Mike.:)  I think you misunderstood the OPs 
intent.  He wasn't talking just about WebGL.
If I understood (they can correct me), Tor documents & Tor and / or 
security gurus keep talking about "don't install a single additional 
extension, change browser fonts... or you'll be subject to browser 
finger printing."

OK.  His point was (I think), why MUST TBB users be subject to "someone" 
being able to get *ALL* of that info from TBB, that allows 
fingerprinting, upon the slightest changes?
I'm guessing he wants to know why TBB would give a real time zone or a 
lot of the other data mentioned, that don't SERIOUSLY impact page 
display, but makes fingerprinting easier?  Why not give out fake data or 
none, if it doesn't completely break pages?  Why not to the *extent 
possible*, all TBB users "show" the same data, or none - if it won't 
break pages?  And if it breaks a couple of pages out of many 1000's, so 
what.

Why is it necessary at all for TBB to divulge ALL installed plugins or 
extensions?  And many of the other data that were mentioned regarding 
fingerprinting?  Surely, all of these don't make or break whether a page 
displays.
If it's script related, why not block scripts that mine data non 
critical data, that doesn't affect page display?  (I have no idea how 
pages access every plugin you have installed, or why they're allow to).

More information about the tor-talk mailing list