On 5/19/2012 5:00 PM, Mike Perry wrote:
> If you prevent the associated identifier transmission and
> fingerprinting issues, "web beacons" do not link your activity on one
> url to another. If we prevent identifier transmission and
> fingerprinting, web beacons will see both visits, but they do not know
> it is the same user on both visits. The reason we don't care that they
> can still see both visits is because the urls you visit can and do
> simply sell their logs to third parties already. If a site tries to
> deploy web beacons, you should assume they are also selling your data
> to whoever is buying, regardless of what the browser actually does.
>
> > Presumably, as they are loaded w/ pages, even w/ disk cache turned
> > off, they can still be stored in memory cache & still track users,
> > unless memory cache is disabled. True?
>
> Not exactly. In Tor Browser, cache is isolated by url bar domain,
> meaning that the cached copy of a web beacon that was loaded under one
> url bar is actually *not* used when the same web beacon is loaded under
> a different url bar.
>
> Though in interest of full disclosure, you'll notice that one of the
> "tbb-linkability" tagged bugs is an issue with this cache isolation
> specifically for images:
> https://trac.torproject.org/projects/tor/ticket/5742
>
> Tracking scripts are correctly isolated in the cache, however (which is
> more important, as many tracking scripts *do* embed unique identifiers
> to get cached and used when the user clears cookies).
I used the term "web beacon" too loosely, rather than as specifically
1x1 GIFs. Similar to how "trackers" is often used to describe a single
beast, regardless of their function.
There are, of course, several types of technology that are often loosely
referred to under the general "tracker" term. I didn't do a good job,
but in my original question a month or so ago & again today, I meant to
include JavaScript trackers as well. Many of the "true" trackers - w/
cross domain tracking ability - are JavaScript. Google Analytics is
only one of many.
I think that those voicing a concern w/ these & TBB, were concerned w/
the trackers most difficult to stop. Are you saying that *tracking
scripts* are ALSO isolated per URL domain in the cache (see quote
below)? So that cross domain tracking isn't possible in TBB? If that's
not correct, then there's still a big problem for now.
> Tracking scripts are *correctly* isolated in the cache, however (which is
> more important, as many tracking scripts *do* embed unique identifiers
> to get cached and used when the user clears cookies).
When you speak of sandboxing:
> Flash has tons of fingerprinting and proxy bypass issues hidden in its
> binary blob. We really need a full sandboxing technology to make it
> safe to uniformly enable.
If running an app in something like Sandboxie, (maybe you mean a diff
scenario), it is protecting the OS / machine from the APP. It doesn't
stop a browser (or, I assume, trackers; Flash) from connecting to the
internet. Maybe it would have value once the browser is closed, Flash
proxy bypass has already occurred. Unless you're talking about
something else.
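The cache isolation by url bar domain discussed in this message, as an added example that is not part of the original e-mail and is not Tor Browser code: a constructed simulation in which a hypothetical tracker bakes an identifier into a cacheable script, loaded once through a cache keyed by resource URL and once through a cache keyed by (url bar domain, resource URL). The hostnames, the `Browser` class and every function name are assumptions made for the illustration.

```javascript
// Constructed simulation, no network access. All hostnames are placeholders.

// Hypothetical tracker: every uncached fetch of its script gets a fresh
// identifier embedded in the (cacheable) response body.
let nextId = 0;
function trackerServe() {
  nextId += 1;
  return 'var uid="u' + nextId + '";';
}

class Browser {
  // isolate=false: cache keyed by resource URL only.
  // isolate=true:  cache keyed by (url bar domain, resource URL).
  constructor(isolate) {
    this.isolate = isolate;
    this.cache = new Map();
  }
  load(urlBarDomain, resourceUrl) {
    const key = this.isolate ? urlBarDomain + "|" + resourceUrl : resourceUrl;
    if (!this.cache.has(key)) this.cache.set(key, trackerServe());
    return this.cache.get(key);
  }
}

// The identifier the tracker's script reports when run on a given site.
function idSeen(browser, urlBarDomain, scriptUrl) {
  const body = browser.load(urlBarDomain, scriptUrl);
  return body.match(/uid="(u\d+)"/)[1];
}

// Visit two sites that embed the same third-party script, then revisit the first.
function demo(isolate) {
  const b = new Browser(isolate);
  const url = "https://tracker.example/t.js";
  const news1 = idSeen(b, "news.example", url);
  const shop1 = idSeen(b, "shop.example", url);
  const news2 = idSeen(b, "news.example", url);
  return {
    crossSiteLinked: news1 === shop1, // same id on two different sites
    sameSiteCached: news1 === news2,  // cache still works within one site
  };
}

console.log("url-keyed cache:     ", demo(false));
console.log("url-bar-domain cache:", demo(true));
```

With the isolated cache the script is still reused on a return visit to the same site, so the identifier persists within one url bar domain; only the cross-site reuse disappears.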