[tbb-bugs] #12715 [Tor Browser]: Treat fingerprinting fixes like other security fixes: trigger TBB release
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 28 12:35:32 UTC 2014
#12715: Treat fingerprinting fixes like other security fixes: trigger TBB release
-----------------------------+--------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: task | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: tbb-fingerprinting
Actual Points: | Parent ID:
Points: |
-----------------------------+--------------------------------
Comment (by cypherpunks):
Fair enough, but it can be labor intensive to find out how much entropy is
leaked. For example, does #9881 give you
- "Only" the screen size?
- Clues about the OS / desktop environment / window manager (not all allow
oversized windows)?
- The OS / desktop environment toolbar size?
Evaluating a bug's severity would involve writing a custom-tailored,
robust to the point of almost being weaponized, fingerprinter. Assuming
that TBB development had the manpower to do that, then after even more
days spent on that we find out that it really is serious. Oops...
I feel like the question "Does this fingerprinting bug ''really'' have
high entropy?" is analogous to "Does this free-after-use or whatever
''really'' give someone remote code execution?" in that it may usually be
more realistic to just assume "yes" and start the release build.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12715#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online