
New Tricks for Browser Fingerprinting [pdf] - renlinx
https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf
======
bigethan
Sorry to TL;DR but 50 page PDFs can be opaque for discussion.

The presentation takes a while to get around to it, but it's a way to see your
browser history using cert pinning/redirection. Specifically (ab)using
features in the browser that even the paranoid don't disable. And then using
that information to fingerprint you.

Demo:
[http://zyan.scripts.mit.edu/sniffly](http://zyan.scripts.mit.edu/sniffly)
Code:
[https://github.com/diracdeltas/sniffly](https://github.com/diracdeltas/sniffly)

It's a good find, even if it's not perfect the way the CSS link visited
computed style checks were.

~~~
kardos
The HSTS timing trickery is basically just an information leak bug that needs
to be widely fixed; TorBrowser has fixed it [1].

[1]
[https://trac.torproject.org/projects/tor/ticket/1517](https://trac.torproject.org/projects/tor/ticket/1517)

------
PhantomGremlin
Submitted 8 days ago, no comments. Nobody cares?

Maybe people have been so beaten down that they've given up. Track us all you
want, nothing we can do about it!

The country's smartest and brightest are graduating from Stanford and MIT and
going to work for companies whose entire business model depends on vacuuming
up as much of the world's personal information as they can get away with.
Depressing.

~~~
benevol
Exactly.

And you're only talking about the small percentage of the geeks. The non-geeks
in our society have absolutely _NO clue at all_ that such technology exists,
how it works and how effectively it destroys privacy. Basically, they still
live in dream land.

Technology moves faster than anything, not just the law.

------
GavinB
Are there any good services or packages for doing this, especially for RoR? I
don't need it for advertising, but for banning abusive users who are able to
evade the usual means of detection.

~~~
merpnderp
I'd advise not making it obvious they've been banned. Let them submit like
normal, and maybe show it back to them like normal, but hide it from everyone
else. They might just assume everyone is ignoring them.

~~~
GavinB
We've got hellbanning. It helps but they figure it out pretty quickly,
especially in chat. I run a kids site, so we have to be pretty draconian about
keeping out bad actors.

------
est
tl;dr HSTS+CSP can be faster than real network requests, use this to detect a
client.

