-
Notifications
You must be signed in to change notification settings - Fork 233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Plugging TLS 1.3 user tracking across sessions (clear net > VPN) #488
Comments
quoting me
quoting tom ritter in the above issue
and also
tom is a security dev at mozilla, who also does a lot of work for tor browser, and he worked on tor uplift, etc I'll take tom's assessment over almost anyone else, but especially a scaremongering blog post on a site that sells privacy services (no idea of the relationship of the blog author to PIA: not insinuating anything there if he's independent)
This next paragraph is not meant as a reflection on pyllyukko et al and their work, it's just a statement that indicates that it's not been kept up to date (we all have other priorities in life besides maintaining a repo and dedicating free time). Personally, I think the repo should at least add something to the readme and to the user.js itself that it's no longer maintained (but that's not my call) Over a third of the prefs are deprecated even for ESR68, and there has been practically no changes or upkeep for prefs for almost three years - see privacytools/privacytools.io#1240 (which was Aug last year) |
Thanks for the reasoned and enlightening reply. Have you any better suggestion for a maintained list then? ghacks? Edit: Never mind, I just realised who you are lol. Thanks again for the input, I'm working my way through your user.js now to adjust it to my needs. |
Well, it (ghacks user.js) is my repo, so I'm probably biased. That said, I am not aware of anyone else doing what we do. Myself and earthlng do almost of the work, with good input from some regular knowledgeable people, and we haven't missed dissecting any pref diffs since moving to github. |
Thanks again, Thorin. I have my (your) new file in place and everything I need working works (i.e. skipping x-origin-referer so iCloud works). Just one little side question if I may, since we're here. I have disabled allowing pages to choose their own faults as per recommendation (to reduce font fingerprinting). However the default Times and Courier (macOS) are damned ugly. Would it be detrimental to change my default fonts to - say - Roboto Slab and Fira Sans, still disallowing change? That seems like it'd stand out like a sore thumb to fingerprinters but then my installed fontbase is already unique in itself, so?... |
You should stick to the default fonts if you're worried about FPing, since fonts affect all sorts of measurements like default line heights, etc. Instead
At least that way, any font enumeration will only be limited to those few known mac fonts |
Again, thank you! |
@RainmakerRaw oooh, almost forgot .. make sure to include Firefox's bundled emoji font in your whitelist - it's |
I have recently migrated (most of) my user.js to this excellent repo, but noticed I had to bring a few extra tweaks across with me from my old version. I'm especially concerned about the abilities provided by session resumption and weakened key regnogiation in TLS 1.3, which makes it possible to track users persistently across browser sessions - even from clear net to VPN (or ToR) and back again).
This was first brought to my attention a couple of years ago, in a PIA blog post by cryptographer Derek Zimmer. The four recommended Firefox tweaks to plug this tracking vector are:
I notice this repo's user.js enables two of those options, but not the other (bottom) two;
false_start
and0rtt_data
. Is there any way to consider adding them to the default list (even if just the 'strict' file)?The text was updated successfully, but these errors were encountered: