Tor Users Isolated and Deanonymized via Hardware Data and Leaky Javascript - Proof of Concept

Discussion in 'The Pub (Off topic discussion)' started by drmike, Mar 10, 2016.

  1. drmike

    drmike 100% Tier-1 Gogent

    May 13, 2013
    Excellent security dev here done by this gent to show weakness in Tor.

    Simply said, bits of data available even with Tor bundled browser originating from mouse and other hardware.  Enough to make you think plausible to use such to identify user as being the same user seen elsewhere. Over time, who knows more data and more screwed.

    Screams for more emphasis in general on dumping javascript and severely limiting viewing methods if you are sane and inclined to care about being profiled and silo'd.


    During the last weeks I have been able to fingerprint tor browser users in controlled environments and I think it could be interesting to share all the findings for further discussion and to improve tor browser.

    All the provided fingerprinting methods are based on javascript (enabled by default in tor browser as of today). I have created a quick and dirty PoC called UberCookie available as a demo here:

    Try ubercookie :

    Last edited by a moderator: Mar 10, 2016
    graeme likes this.