Accurate cross-browser fingerprinting is possible, researchers show

Discussion in 'privacy problems' started by Minimalist, Jan 17, 2017.

Page 2 of 2
  1. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Reality, Feb 16, 2017
    #26
  2. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Crap. First I've heard of this...

    What about an Arch host with a Whonix guest? TBB on Whonix, FF on Arch host.

    I've been considering setting up an Arch or Debian install as a host built very minimally, then setting up Whonix and a main VM under KVM. Am I to assume I should do: Arch host, Whonix (debian based), Fedora main? Maybe a debian host, Whonix (which couldnt be crosstracked since id never use a browser on the host), and Arch as a main VM? Assume everything will be FF based because I refuse to use Chrome/Chromium/Opera/etc...

    I have essentially decided to abandon Qubes for now, just because of "we plan to introduce with the release of Qubes 4 is to ditch paravirtualization (PV) technology and replace it with hardware-enforced memory virtualization..."; I too worry that hardware profiling might be easier with this change.

    Its pretty crazy how wicked the arms race is getting. I consider myself to be pretty well setup and well-informed, and then bam- I see this.
     
    Anonfame1, Feb 24, 2017
    #27
  3. guest

    guest Guest

    guest, Feb 24, 2017
    #28
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    That would be one reason to replace Noscript with uMatrix. If you allow in Noscript, e.g., googleapis for 1st party domain bla.com (because it wouldn't work otherwise), it will be allowed for any other domain which uses googleapis. Not so in uMatrix: If you're using it with the domain-specific scope and allow googleapis for domain bla.com it will still be blocked for any other domain. I think that's a significant advantage privacy-wise.
     
    summerheat, Feb 24, 2017
    #29
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Cool :) I didn't know that.
     
    mirimir, Feb 24, 2017
    #30
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, I use Canvas Defender. But I'm just saying, if you want to eliminate the possibility of cross-VM canvas fingerprinting, it's prudent to use different VM families, or different hosts. Sure, Tor browser blocks canvas fingerprinting. And Canvas Defender gives you spoofed fingerprints. But maybe a site can get around that.
     
    mirimir, Feb 24, 2017
    #31
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @Anonfame1 -- Debian hosts and VirtualBox Debian VMs running on them have different canvas fingerprints. Even if they're the same release. So they're obviously using the same graphics hardware, and perhaps (naively) the same graphics driver. So I don't know why they have different canvas fingerprints.

    Although VirtualBox doesn't paravirtualize graphics hardware by default, it also doesn't do direct GPU pass-through by default. So maybe that's it. Or maybe Debian (also) uses a different graphics driver, because the GPU seems different.

    So anyway, Arch and Whonix would be fine on Debian hosts. Or PC-BSD or Fedora plus Whonix.
     
    mirimir, Feb 24, 2017
    #32
Page 2 of 2
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...