amuck-landowner

Tor Users Isolated and Deanonymized via Hardware Data and Leaky Javascript - Proof of Concept

drmike

100% Tier-1 Gogent
Excellent security dev here done by this gent to show weakness in Tor.


Simply said, bits of data available even with Tor bundled browser originating from mouse and other hardware.  Enough to make you think plausible to use such to identify user as being the same user seen elsewhere. Over time, who knows more data and more screwed.


Screams for more emphasis in general on dumping javascript and severely limiting viewing methods if you are sane and inclined to care about being profiled and silo'd.


UberCookie



During the last weeks I have been able to fingerprint tor browser users in controlled environments and I think it could be interesting to share all the findings for further discussion and to improve tor browser.


All the provided fingerprinting methods are based on javascript (enabled by default in tor browser as of today). I have created a quick and dirty PoC called UberCookie available as a demo here:


Try ubercookie : http://jcarlosnorte.com/assets/ubercookie/


Source: http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html
 
Last edited by a moderator:
Top
amuck-landowner