anonym: > Georg Koppen: >> Tails - News: >>> This release is an emergency release to fix a critical security >>> vulnerability >>> in _Tor Browser_. >>> >>> It also fixes [other security >>> vulnerabilities](https://tails.boum.org/security/Numerous_security_holes_in_3.13.1/). >>> You should upgrade as soon as possible. >>> >>> # Changes >>> >>> ## Fixed _NoScript_ activation in _Tor Browser_ >>> >>> Starting from Friday May 3, a problem in _Firefox_ and _Tor Browser_ >>> disabled >>> all add-ons. This release reactivates all add-ons in _Tor Browser_, >>> especially >>> _NoScript_ which is used to: >>> >>> * Most importantly, protect against a very strong fingerprinting >>> technique called _HTML5 canvas fingerprinting_ which can break your >>> anonymity. >> >> Hm. How does it do that? In particular, what does it do in addition to >> the defense we baked into Tor Browser and which is not NoScript >> dependent? (see the: "Specific Fingerprinting Defenses in the Tor >> Browser", subsection 2. HTML5 Canvas Extraction at >> https://2019.www.torproject.org/projects/torbrowser/design/) > > There's been a misunderstanding. We were supposed to talk about > fingerprinting enabled by the loss of NoScript's WebGL click-to-play, not > HTML5 canvas fingerprinting.
Hi Georg! So good to see that you keep an eye on our release notes :) I'm acting here as a mere translator of the technical knowledge that intrigeri transmitted to me in https://redmine.tails.boum.org/code/issues/16694#note-14 and that I could read on https://2019.www.torproject.org/projects/torbrowser/design/. I understood that HTML5 canvas fingerprint can use a combination of "WebGL, font, and named color" and that "WebGL Canvases have click-to-play placeholders (provided by NoScript)". So, a website could benefit from NoScript being deactivated to use WebGL to do HTML5 canvas fingerprinting; even though Tor Browser on its own could block other canvas fingerprinting attempts. And from a user's point of view, NoScript protects them from (some types of) canvas fingerprinting. Isn't it? -- sajolida _______________________________________________ Tails-dev mailing list [email protected] https://www.autistici.org/mailman/listinfo/tails-dev To unsubscribe from this list, send an empty email to [email protected].
