[Webkit-unassigned] [Bug 41801] 'Tracking-Resistant' Browsing

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 14 09:57:51 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=41801


Mattias Nissler <mnissler at chromium.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mnissler at chromium.org




--- Comment #6 from Mattias Nissler <mnissler at chromium.org>  2010-07-14 09:57:50 PST ---

> Here are some:
> 
> - Fuzzing the JS Date object to prevent fingerprinting based on 'typing cadence'.
>   http://arstechnica.com/tech-policy/news/2010/02/firm-uses-typing-cadence-to-finger-unauthorized-users.ars
> - The window.screen object is quite revealing.
>   (https://bugzilla.mozilla.org/show_bug.cgi?id=418986)
> - Enumerating fonts through calls to a flash plugin can provide quite distinctive results
> - Enumerating plugins likewise
> - Uniform user-agent headers and navigator object values.
> - Third-party cookie handling needs to be stricter if you're in tracking-resistance mode

What are your approaches for solving/mitigating these issues? Sorting fonts and plugin lists is a possibility, but that only reduces entropy, so they are still useful for fingerprinting. Even if you remove the font list, an attacker could still have the browser render strings in popular fonts and test for the size of the corresponding elements in order to test whether the font is installed.

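An added example, not part of the bug thread or of WebKit: it measures the point in comment #6 that sorting a plugin or font list lowers its identifying entropy without removing it. The eight plugin lists, the three exposure strategies and all function names are constructed for illustration.

```javascript
// Constructed sample: plugin lists, in enumeration order, for eight browsers.
const population = [
  ["Flash", "QuickTime", "Java"],
  ["Java", "Flash", "QuickTime"],
  ["QuickTime", "Java", "Flash"],
  ["Flash", "Java", "QuickTime"],
  ["Flash", "Silverlight"],
  ["Silverlight", "Flash"],
  ["Flash"],
  ["Flash"],
];

// Three ways a browser could expose the list to page script (hypothetical names).
const strategies = {
  raw: (list) => JSON.stringify(list),                // order leaks install history
  sorted: (list) => JSON.stringify([...list].sort()), // order hidden, contents visible
  uniform: () => "[]",                                // every browser reports the same
};

// Group the population by the value a page would observe; return the group sizes.
function anonymitySets(pop, expose) {
  const sets = new Map();
  for (const list of pop) {
    const key = expose(list);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return [...sets.values()];
}

// Shannon entropy, in bits, of the observed value across the population.
function entropyBits(setSizes) {
  const total = setSizes.reduce((a, b) => a + b, 0);
  return setSizes.reduce((h, n) => h + (n / total) * Math.log2(total / n), 0);
}

// Per strategy: bits revealed, smallest anonymity set, and users who are unique.
function report(pop) {
  const out = {};
  for (const [name, expose] of Object.entries(strategies)) {
    const sizes = anonymitySets(pop, expose);
    out[name] = {
      bits: entropyBits(sizes),
      smallestSet: Math.min(...sizes),
      uniqueUsers: sizes.filter((n) => n === 1).length,
    };
  }
  return out;
}

console.log(report(population));
```

On this sample, sorting removes the unique users but still splits the population into three distinguishable groups; only the uniform answer reveals nothing, and it does not address the rendering-based font test the comment describes.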