The Privacy BlogThoughts on privacy, security, and other stuff.

Aug/14

3

The Privacy Blog Podcast – Ep. 22

Play

Standard Profile PictureWelcome to episode 22 of the Privacy Blog Podcast for July, 2014.
In this episode I will talk about:

  • A recent revealed compromise of the Tor anonymity system
  • Why Canvas Fingerprinting both is and is not a big deal
  • The coming conflict between US searches and EU privacy
  • How even genealogy information can compromise your identity
  • An update on Chinese censorship
  • Why the security model of the web is hopelessly broken
  • Russia’s continuing crackdown on the Internet
  • and finally how Lightbulbs, among other things, can
  • compromise your network

· · · · ·

Jul/14

31

Canvas Fingerprinting: a reality check

Fingerprint to binary

The Internet is buzzing with discussions about a new kind of tracking called Canvas Fingerprinting. In fact, the technique goes back to a paper by Mowery and Shacham back in 2012. Canvas Fingerprinting gets most of its information from the hardware and software used to render images on a given computer. When asked to render a geometric curve or a modern font to the screen, the system has many decisions to make in the process of turning that into the brightness and color values of the pixels in the image. The technique for creating the Canvas Fingerprint is to give the browser a somewhat complex image to render, capture the actual pixel values produced, which is then hashed down to make the actual fingerprint.

Canvas Fingerprinting is really just another technique for capturing information about a user’s computer as part of a larger system fingerprint. I have been talking about tools like Panopticlick which take all kinds of different information they can see about your computer’s configuration to try to create a unique identifier. Testing my computer right now it says that my browser fingerprint contains at least 22 bits of entropy and is unique among the roughly 4.3 million users they have tested so far. Panopticlick uses information about the browser, operating system, time zone, fonts, plugins, and such to create the identifier.

By comparison, Canvas Fingerprinting contains on average 5.7 bits of entropy meaning that about one in 52 people on the Internet would have the exact same fingerprint. That makes it a lousy identifier on its own.

The real power of this new technique is in combination with other fingerprints like those used in Panopticlick. By combining the two there is about 27.7 bits of entropy which would identify me to one in 218 Million people. Once of the strengths of Canvas Fingerprinting is that it captures very different kinds of information than many other methods. For example, because a windows machine comes with a whole bunch of fonts installed, knowing that a computer is running windows immediately tells you a lot about the fonts. The two bits of information are hight correlated. The Canvas Fingerprint mostly gives information about the graphics subsystems. Knowing the operating system does not tell you very much at all about the specific chipset or firmware in the graphics processor, they are mostly independent.

So, in short Canvas Fingerprinting is not that big a deal, and folks should not get so worked up about it, however system fingerprinting in general IS a big deal. It is now good enough to allow individual users to be tracked even if they are deleting all their cookies and hiding their IP addresses with tools like Anonymizer Universal. System fingerprints are not identifying in the same way an IP address is, but they do allow a person to be recognized when they revisit a website, or a cooperating website.

Current best practice to minimize System Fingerprint based tracking (including Canvas Fingerprinting) is to run the browser inside a clean and un-customized virtual machine, which you then revert back to the clean state at the end of every use. That will give your browser a maximally generic identifier, while also eliminating all other kinds of tracking techniques.

·

EU Flags photo

A New York district judge has ruled that Microsoft must comply with US search warrants for emails stored in European data centers. The argument is that as a US company, Microsoft is subject to the order, and because it has control of its European subsidiary which in turn has control of the data center in Europe, it should therefor comply.

This will put Microsoft, and many other US Internet companies, in a tricky place. The EU data protection laws are being expanded to explicitly bar EU subsidiaries of US companies from sending data outside the EU for law enforcement or intelligence purposes.

This also further undermines confidence in the security and privacy of data held by US Internet companies.

Microsoft ordered to hand over overseas email, throwing EU privacy rights in the fire | ZDNet

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· ·

TorAppLogo

Tor just announced that they have detected and blocked an attack that may have allowed hidden services and possibly users to be de-anonymized.

It looks like this may be connected to the recently canceled BlackHat talk on Tor vulnerabilities. One hopes so, otherwise the attack may have been more hostile than simple research.

Tor is releasing updated server and client code to patch the vulnerability used in this attack. This shows once again one of the key architectural weaknesses in Tor, the distributed volunteer infrastructure. On the one hand, it means that you are not putting all of your trust in one entity. On the other hand, you really don’t know who you are trusting, and anyone could be running the nodes you are using. Many groups hostile to your interests would have good reason to run Tor nodes and to try to break your anonymity.

The announcement from Tor is linked below.

Tor security advisory: “relay early” traffic confirmation attack | The Tor Blog

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· ·

Jul/14

29

Russia puts a bounty on Tor’s head

TorAppLogo

The Russian Ministry of Internal Affairs recently announced a contest to create a method to identify Tor users, with a prize of about $114,000.

Clearly the government is worried about the ability of Tor to allow people to bypass the increasingly draconian Internet laws that have been put in place. This puts a big target on Tor, but people have been working on breaking Tor for years. This year a talk at Black Hat on cracking Tor anonymity was pulled without explanation after it was announced and scheduled.

Being free and well established, Tor has the largest user base of any privacy service, so it is the obvious first target. Its distributed design also introduces paths for attack not available in other designs like Anonymizer Universal.

It will be interesting to see if this move drives Tor users to other services, and whether that in turn leads to expanded efforts to crack those tools.

Fancy $110,000? Easy! Just be Russian and find a way of cracking Tor | HOTforSecurity

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· ·

<< Latest posts

Older posts >>