On Tue, May 18, 2010 at 9:16 AM, David Lum <[email protected]> wrote:
> http://news.cnet.com/8301-1009_3-20005185-83.html?tag=mncol;title

The actual paper is at:

https://panopticlick.eff.org/browser-uniqueness.pdf

The math is above my head. The rest seems somewhat plausible. Basically looking at a variety of attributes detectable via JavaScript, ActiveX controls, Flash, Java, etc. Things like installed components, their version numbers, available fonts, etc. Combined with existing techniques (like IP address tracking) reportedly yields very good results. (But I suspect just IP address tracking yields very good results.)

My take: I wouldn't expect this to be a current risk. Most browsers come pre-configured to allow cookies, and most users never change that, so tracking can be easily accomplished via cookies for most users. Most sites don't have reason to bother with more than that. (Especially since it's usually easier to provide an incentive to allow cookies for the site.) Beyond cookies, unless your IP address changes constantly, tracking you is trivial. So I don't see an ROI for implementing this kind of tracking.

If someone is sufficiently motivated to do all this, they're likely motivated to do other things. Like tap your phone lines or bug your house.

This assessment may change in the future if privacy-guarding features enjoy increased adoption.

They do mention that tools like NoScript, used to implement deny-by-default for all client-side scripting, make things considerably more challenging. They do mention that using popular sites would work. (XSS left as an exercise for the reader, apparently.) But again, it's likely much easier to just provide an incentive to allow scripting for a site. You need JavaScript to see the funny picture of the cat/college student doing something stupid/boobies, or whatever.

-- Ben
