Hello.

Mouse Fingerprinting, Keyboard Fingerprinting, Device Fingerprinting (Active 
collection modes, using a hidden channel in the legit TCP/IP traffic going through 
TOR) are specialities that have NO SOLUTION with "software only" approaches.
These problems cannot be solved by software only. They can be fixed definitely 
through 100% Free Integrated Circuits based computers that solve these issues 
through hardware changes.

To me, any attempt to "solve" these issues by software can only be a fraud.

I’m open to debate.

On 17 March 2016 at 18:31, ban...@openmailbox.org wrote:

> == Attack Description ==
> 
> Keystroke fingerprinting works by measuring how long keys are pressed and the 
> time between presses. Its very high accuracy poses a serious threat to 
> anonymous users.[1]
> 
> This tracking technology has been deployed by major advertisers (Google, 
> Facebook), banks and massive online courses. It's also happening at a massive 
> scale because just using a JS application (or SSH in interactive mode) in 
> presence of a network adversary that records all traffic allows them to 
> construct biometric models for virtually everyone (think Google suggestions) 
> even if the website does not record these biometric stats itself.[2] They 
> have this data from everyone's clearnet browsing and by comparing this to 
> data exiting the Tor network they will unmask users.
> 
> == Current Measures and Threat Model ==
> 
> While the Tor Browser team is aware of the problem and working on a solution, 
> current measures [6] are not enough. [4][5]
> 
> Security distros are designed to protect the user even if an end user 
> application is compromised and provide defense in depth.
> 
> The goal is to protect users even in the event of an attacker taking over an 
> application running in a VM/Container.
> 
> This is valid for systems running in VMs or on bare metal.
> 
> 
> == Existing Work on Countermeasures ==
> 
> As a countermeasure security researcher Paul Moore created a prototype Chrome 
> plugin known as KeyboardPrivacy. It works by caching keystrokes and 
> introducing a random delay before passing them on to a webpage.[3] 
> Unfortunately there is no source code available for the add-on and the 
> planned Firefox version has not surfaced so far. There are hints that the 
> author wants to create a closed hardware solution that implements this which 
> does not help our cause.
> 
> 
> == Proposal for a System-wide Solution ==
> 
> A very much needed project would be to write a program that mimics the 
> functionality of this add-on but on the display server / OS level. 
> Ideally the solution would be compatible with Wayland for the upcoming 
> transition in the near future.
> 
> 
> 
> 
> [1] 
> http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/
> 
> [2] http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7358795
> 
> [3] https://archive.is/vCvWb
> 
> [4] 
> https://www.lightbluetouchpaper.org/2015/07/30/double-bill-password-hashing-competition-keyboardprivacy/#comment-1288166
> 
> [5] https://trac.torproject.org/projects/tor/ticket/16110
> 
> [6] https://trac.torproject.org/projects/tor/ticket/1517
> 
> 
> 
> ***
> 
> This feature request has been mirrored on each project's bugtrackers 
> respectively:
> 
> https://github.com/subgraph/subgraph-os-issues/issues/103
> https://labs.riseup.net/code/issues/11257
> https://github.com/QubesOS/qubes-issues/issues/1850
> 
> _______________________________________________
> Desktops mailing list
> deskt...@secure-os.org
> https://secure-os.org/cgi-bin/mailman/listinfo/desktops


_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.
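
The countermeasure described in the quoted proposal (cache keystrokes, then pass them on after a random delay), sketched as an added example that is not part of this thread and not KeyboardPrivacy's code. The event stream is constructed sample data, and `timing_features`, `delay_events` and the 100 ms bound are assumptions made for illustration.

```python
import random

# Constructed sample, not real typing data: (time_ms, key, "down" | "up").
# "r" and "b" overlap (rollover), which a real typist's stream also contains.
SAMPLE = [(0, "t", "down"), (95, "t", "up"), (140, "o", "down"), (228, "o", "up"),
          (310, "r", "down"), (365, "b", "down"), (381, "r", "up"), (470, "b", "up")]

def timing_features(stream):
    """Return (dwell times, press-to-press intervals) in ms: the two
    measurements the attack description names."""
    down_at, dwell, presses = {}, [], []
    for t, key, kind in stream:
        if kind == "down":
            down_at[key] = t
            presses.append(t)
        elif key in down_at:
            dwell.append(t - down_at.pop(key))
    intervals = [b - a for a, b in zip(presses, presses[1:])]
    return dwell, intervals

def delay_events(stream, max_delay_ms=100, rng=None):
    """Hold each event for a random 0..max_delay_ms before passing it on.
    An event is never released before the one queued ahead of it, so key
    order (and therefore the typed text) is unchanged."""
    if rng is None:
        rng = random.SystemRandom()  # OS entropy, not a guessable seed
    out, last = [], float("-inf")
    for t, key, kind in stream:
        release = max(t + rng.uniform(0, max_delay_ms), last)
        out.append((release, key, kind))
        last = release
    return out

if __name__ == "__main__":
    print("observed without delay:", timing_features(SAMPLE))
    dwell, intervals = timing_features(delay_events(SAMPLE))
    print("observed with delay:   ", [round(d) for d in dwell],
          [round(i) for i in intervals])
```

Independent per-event delays add noise to each measured interval but leave long-run averages roughly unchanged, so this shows the buffering mechanism only, not how much anonymity it buys.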
