1. 37

  2. 7

    “From the negative perspective, people can use our cross-browser tracking to violate users' privacy by providing customized ads,” Yinzhi Cao, the lead researcher who is an assistant professor in the Computer Science and Engineering Department at Lehigh University, told Ars. “Our work makes the scenario even worse, because after the user switches browsers, the ads company can still recognize the user. […]”

    The value of work like this is evident: certainly there are advertisers looking for privacy vulnerabilities like this one, and if they find a hole they’ll keep it secret and exploit it. It’s good to have people finding these holes on behalf of the advertised-to, and publishing them so they can be fixed.

    A question: is it usual to publish immediately when one discovers a privacy vulnerability? Would it be good to treat privacy vulnerabilities like (other) security vulnerabilities, and give browser vendors a head start to fix the vulnerability before it is published?

    1. 9

      I’m not sure what could be done to fix this vulnerability. Scanning for WebGL capabilities isn’t exactly a bug, nor is checking the system font list.

      As usual, the best defense is turning off JavaScript.

      1. 3

        If you did you wouldn’t even be able to post that.

        1. 6

          True, I use a selective whitelist. You could also disable just WebGL.

          1. 1

            Selectively enabling WebGL for sites that request it would be nice as a privacy option. Sort of how browsers treat Java and Flash.

            1. 1

              Hmm, I did find CanvasBlocker for Firefox:

              Users can choose to block the <canvas> API entirely on some or all websites

      2. 7

        If it was a really specific bug with a clear fix, I’d treat it like a security vulnerability and give the vendor a chance to fix it first. But this is more like a design flaw than a specific exploit, and I think it’s unlikely those can be fixed without substantial public discussion, because you need to build consensus around a design change and argue about the tradeoffs. For example, that’s how the privacy leak through the CSS :visited selector was eventually fixed.

      3. 4

        The new technique relies on code that instructs browsers to perform a variety of tasks. Those tasks, in turn, draw on operating-system and hardware resources—including graphics cards, multiple CPU cores, audio cards, and installed fonts—that are slightly different for each computer. For instance, the cross-browser fingerprinting carries out 20 carefully selected tasks that use the WebGL standard for rendering 3D graphics in browsers. In all, 36 new features work independent of a specific browser.

        1. 1

          Article says Tor browser is “immune”. Note that if you want privacy from cross-browser tracking, you might already want to use the Tor browser. Why else would you use a second browser (instead of private browsing aka incognito mode)?

          1. 1

            Since this requires enabled JavaScript, NoScript is going to be even more useful than before.