[tor-talk] WebGL forbidden in NoScript but Flash is not?

Joe Btfsplk joebtfsplk at gmx.com
Fri May 10 18:34:27 UTC 2013


On 5/8/2013 3:01 PM, lucia at rankexploits.com wrote:
>> Date: Wed, 8 May 2013 08:57:48 +0200
>> From: Lunar <lunar at torproject.org>
>> To: tor-talk at lists.torproject.org
>> Subject: Re: [tor-talk] WebGL forbidden in NoScript but Flash is not?
>> Message-ID: <20130508065748.GA975 at loar>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> This means that the anonymity is broken. Your browser can be uniquely
>> identified among the others. In a repeated manner, across Tor circuits,
>> Tor Browser sessions and system reboots.
>>
>> --
>> Lunar
> Here's a likely example of what Lunar is talking about. If you visit this
> link you will be presented a survey form.
> http://survey.gci.uq.edu.au/survey.php?c=1R9YT8YMZTWF
>
> The javascript for that page creates a string listing:
> 1) every plugin for your browser
> 2) fonts that match his list of fonts.
> 3) The screen height of your system
> 4) the screen width of your system.
> 5) the timezone offset.
> 6) a timestamp:randomnumber string.
>
> These strings are added to hidden input fields and submitted to the browser
> when someone agrees to participate.
>
> The person doing the survey is likely collecting browser fingerprints to
> identify duplicate entries by people using proxies. That person
> conducting the research is simultaneously the researcher and a blogger who
> has been known to express quite a bit of hostility toward the category of
> human subjects he has invited to participate in his survey.
>
> Obviously, fingerprints when collected are used for whatever purpose the
> person collecting them wishes to use them for.
>
OK, lucia.  Not sure, but guessing the link you gave & the type info the 
script obtains is talking about regular browsers - not TBB.
As Mike Perry pointed out in the link 
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability, 
many of these things ARE either NOT allowed to be accessed by sites or 
certain info is faked, in all TBBs.  Like time zone:
> 7. Timezone and clock offset *Design Goal:* All Tor Browser users MUST 
> report the same timezone to websites. ...
Reading the entire doc, it appears much of the data that might be
available for fingerprinting in normal Fx is either blocked, faked or
obfuscated in some way.
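
Added example, not part of the original message and not Tor Browser's code: it measures how many visitors are uniquely identifiable from the attribute string described above, before and after every browser reports uniform values. The sample records, the function names and the specific uniform values (empty plugin and font lists, offset 0, screen size rounded to 200x100 buckets) are assumptions made for illustration.

```javascript
// Constructed sample records (not real data): the stable attributes the
// survey script is described as collecting. Item 6 (timestamp:random) changes
// per submission, so it is left out of the fingerprint.
const visitors = [
  { plugins: ["Flash", "Java"], fonts: ["Arial", "Calibri"], height: 1080, width: 1920, tzOffset: 300 },
  { plugins: ["Flash"], fonts: ["Arial", "Calibri"], height: 1080, width: 1920, tzOffset: 300 },
  { plugins: ["Flash", "Java"], fonts: ["Arial"], height: 768, width: 1366, tzOffset: -60 },
  { plugins: ["Java", "Flash"], fonts: ["Calibri", "Arial"], height: 1080, width: 1920, tzOffset: 300 },
  { plugins: [], fonts: ["Arial", "Helvetica"], height: 900, width: 1440, tzOffset: 480 },
];

// Join the attributes into one string; lists are sorted so enumeration
// order does not split otherwise identical browsers.
function fingerprint(v) {
  return [[...v.plugins].sort().join(","), [...v.fonts].sort().join(","),
          v.height, v.width, v.tzOffset].join("|");
}

// Map each distinct fingerprint to the number of visitors sharing it.
function anonymitySets(records) {
  const sets = new Map();
  for (const r of records) {
    const fp = fingerprint(r);
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  return sets;
}

// Visitors whose fingerprint nobody else shares can be re-identified.
function uniqueCount(records) {
  return [...anonymitySets(records).values()].filter((n) => n === 1).length;
}

// Hypothetical model of uniform reporting (assumed values, see lead-in):
// plugins and fonts hidden, one timezone for all, screen size bucketed.
function uniformReport(v) {
  return { plugins: [], fonts: [], tzOffset: 0,
           height: Math.floor(v.height / 100) * 100,
           width: Math.floor(v.width / 200) * 200 };
}

const uniform = visitors.map(uniformReport);
console.log("raw:", anonymitySets(visitors).size, "distinct,", uniqueCount(visitors), "unique");
console.log("uniform:", anonymitySets(uniform).size, "distinct,", uniqueCount(uniform), "unique");
```

With the constructed sample, the only attribute still separating visitors after uniform reporting is the screen-size bucket.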

