科技回声

9 条评论

gburt大约 9 年前

>The most intersting fingerprinting vector I found on Tor Browser is getClientRects. Is strange that reading back from a canvas has been prevented but simply asking the browser javascript API how a specific DOM elements has been drawn on the screen has not been prevented or protected in any way.This isn't as strange as he makes it sound, it is done to prevent the link color history attack [1]. Most of the other CSS properties aren't allowed on :active or :visited modifiers.[1] <a href="http://dbaron.org/mozilla/visited-privacy" rel="nofollow">http://dbaron.org/mozilla/visited-privacy</a>

ycmbntrthrwaway大约 9 年前

Unless JavaScript is disabled, this arms race is going to continue forever.

评论 #11237449 未加载

评论 #11236660 未加载

评论 #11235750 未加载

lucb1e大约 9 年前

Lots of ideas, many of which I've had as well, but I am missing conclusions. On the demo page it tells me my CPU benchmark and some scrolling measurements. Great, but how unique was that now? And how are you going to make the data points into a fingerprint? Because next time I scroll, I will totally scroll a millisecond differently.

评论 #11237760 未加载

评论 #11236280 未加载

mirimir大约 9 年前

I don't believe that any of these will link different Whonix instances on the same host machine. Using Tor browser in the same OS that you use for general work is not secure. Even sharing the same host machine is insecure, where anonymity really matters.

bugmen0t大约 9 年前

The author is missing the point of the Tor Browser. They don't try to make fingerprinting impossible. They want to make the outcome uniform across all users. See "Strategies for Defense: Randomization versus Uniformity" in their design docs [1].And (as other said) uniformity is increased when using an anonymous/privacy enhancing operating system like Tails or WHONIX underneath.[1] <a href="https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability" rel="nofollow">https://www.torproject.org/projects/torbrowser/design/#finge...</a>

em3rgent0rdr大约 9 年前

Most of these are nullified by disabling JavaScript.

gavazzy大约 9 年前

Disable javascript. Disable user-agent. Run from VM.

Paul_S大约 9 年前

Demo does nothing for me. I'm dubious how repeatable or unique those results are.

akavel大约 9 年前

Did the author of the article submit his findings to the Tor Project?

评论 #11235708 未加载

评论 #11236316 未加载

评论 #11237021 未加载

9 条评论

gburt大约 9 年前

ycmbntrthrwaway大约 9 年前

Unless JavaScript is disabled, this arms race is going to continue forever.

评论 #11237449 未加载

评论 #11236660 未加载

评论 #11235750 未加载

lucb1e大约 9 年前

评论 #11237760 未加载

评论 #11236280 未加载

mirimir大约 9 年前

bugmen0t大约 9 年前

em3rgent0rdr大约 9 年前

Most of these are nullified by disabling JavaScript.

gavazzy大约 9 年前

Disable javascript. Disable user-agent. Run from VM.

Paul_S大约 9 年前

Demo does nothing for me. I'm dubious how repeatable or unique those results are.

Advanced Tor Browser Fingerprinting

9 条评论

Advanced Tor Browser Fingerprinting

9 条评论