Re: [Tails-dev] [Tails-news] Tails 3.13.2 is out

Delete this message

Reply to this message
Autore: sajolida
Data:  
To: The Tails public development discussion list, Georg Koppen
Oggetto: Re: [Tails-dev] [Tails-news] Tails 3.13.2 is out
anonym:
> Georg Koppen:
>> Tails - News:
>>> This release is an emergency release to fix a critical security vulnerability
>>> in _Tor Browser_.
>>>
>>> It also fixes [other security
>>> vulnerabilities](https://tails.boum.org/security/Numerous_security_holes_in_3.13.1/).
>>> You should upgrade as soon as possible.
>>>
>>> # Changes
>>>
>>> ## Fixed _NoScript_ activation in _Tor Browser_
>>>
>>> Starting from Friday May 3, a problem in _Firefox_ and _Tor Browser_ disabled
>>> all add-ons. This release reactivates all add-ons in _Tor Browser_, especially
>>> _NoScript_ which is used to:
>>>
>>> * Most importantly, protect against a very strong fingerprinting technique called _HTML5 canvas fingerprinting_ which can break your anonymity.
>>
>> Hm. How does it do that? In particular, what does it do in addition to
>> the defense we baked into Tor Browser and which is not NoScript
>> dependent? (see the: "Specific Fingerprinting Defenses in the Tor
>> Browser", subsection 2. HTML5 Canvas Extraction at
>> https://2019.www.torproject.org/projects/torbrowser/design/)
>
> There's been a misunderstanding. We were supposed to talk about fingerprinting enabled by the loss of NoScript's WebGL click-to-play, not HTML5 canvas fingerprinting.


Hi Georg!

So good to see that you keep an eye on our release notes :)

I'm acting here as a mere translator of the technical knowledge that
intrigeri transmitted to me in
https://redmine.tails.boum.org/code/issues/16694#note-14 and that I
could read on https://2019.www.torproject.org/projects/torbrowser/design/.

I understood that HTML5 canvas fingerprint can use a combination of
"WebGL, font, and named color" and that "WebGL Canvases have
click-to-play placeholders (provided by NoScript)".

So, a website could benefit from NoScript being deactivated to use WebGL
to do HTML5 canvas fingerprinting; even though Tor Browser on its own
could block other canvas fingerprinting attempts.

And from a user's point of view, NoScript protects them from (some types
of) canvas fingerprinting.

Isn't it?

--
sajolida