
Comments (92)

  • lpapez
    Very cool research and wonderfully written. I was expecting an ad for their product somewhere towards the end, but it wasn't there! I do wonder though: why would this company report this vulnerability to Mozilla if their product is fingerprinting? Isn't it better for the business (albeit unethical) to keep the vulnerability private, to differentiate from the competitors? For example, I don't see many threat actors burning their zero days through responsible disclosure!
  • firefax
    The OP's link is timing out over Tor for me, but the Wayback[1] version loaded without issue. Also, does anyone know of any researchers in the academic world focusing on this issue? We are aware that EFF has a project that used to be named after a pedophile on this subject, but we are more looking for professors at universities or pure research labs ala MSR or PARC than activists working for NGOs, however pure their praxis :-) As privacy geeks, we have become fascinated with the topic -- it seems that while we can achieve security through extensions like noscript or ublock origin or firefox containers (our personal "holy trinity"), anonymity slips through our fingers due to fingerprinting issues. (Especially if we lump stylometry in the big bucket of "fingerprinting".)
    [1] https://web.archive.org/web/20260422190706/https://fingerpri...
  • yencabulator
    > the identifier can also persist [...] as long as the Firefox process remains running
    Make sure to exit Tor Browser at the end of a session. Make sure not to mix two uses in one session.
  • SirMaster
    I question why websites can even access all this info without asking or notifying the user. Why don't browsers make it like phones where the server (app) has to be granted permission to access stuff?
  • bawolff
    From the sounds of this it sounds like it doesn't persist past browser restart? I think that would significantly reduce the usefulness to attackers.
  • codedokode
    Honestly it seems that most of Web Standards are used mostly for fingerprinting - I think a small number of websites uses IndexedDB (who even needs it) for actually storing data rather than fingerprinting. That's why expansion of web standards is wrong. Browser should provide minimal APIs for interacting with device and features like IndexedDB can be implemented as WebAssembly library, leaking no valuable data. For example, if canvas provided only access to picture buffer, and no drawing routines calling into platform-specific libraries, it would become useless for fingerprinting.
  • wolvoleo
    Tails (without persistent storage) will mitigate this though. I'm not too concerned.
  • Meneth
    I'm confused. The IndexedDB UUID is "shared across all origins", so why not use the contents of the database to identify browsers, rather than the ordering?
  • sva_
    Does Tor Browser still allow JavaScript by default? Because if you block execution of JavaScript, you won't be affected from what I understand.
  • crazysim
    I would imagine most users of Tor are using Tor Browser. I am reading there was a responsible disclosure to Mozilla but is it me or did that section leave out when the Tor Project planned to respond or release a fixed Tor Browser? Do they like keep very close or is there a large lag?
  • anthk
    The best for Tor would just be Links2/Links+ with the socks4a proxy set to 127.0.0.1:9050, enforcing all connections thru a proxy in the settings (mark the checkbox) and disabling cookies altogether.
  • fsflover
    It seems Qubes OS and Qubes-Whonix are not affected.
  • LoganDark
    > For developers, this is a useful reminder that privacy bugs do not always come from direct access to identifying data. Sometimes they come from deterministic exposure of internal implementation details.
    > For security and product stakeholders, the key point is simple: even an API that appears harmless can become a cross-site tracking vector if it leaks stable process-level state.
    This reads almost LLM-ish. The article on the whole does not appear so, but parts of it do.
  • shevy-java
    Well that sucks. I guess in the long run we need a new engine and different approach. Someone should call the OpenBSD guys to come up with working ideas here.