bawolff 7 hours ago
From the sounds of this it sounds like it doesn't persist past browser restart? I think that would significantly reduce the usefulness to attackers.

piccirello 6 hours ago
This excerpt from the article describes the risk well.

> In Firefox Private Browsing mode, the identifier can also persist after all private windows are closed, as long as the Firefox process remains running. In Tor Browser, the stable identifier persists even through the "New Identity" feature, which is designed to be a full reset that clears cookies and browser history and uses new Tor circuits.

warkdarrior 6 hours ago
This is where you use id bridging.

1. Website fingerprints the browser, stores a cookie with an ID and a fingerprint.
2. During the next session, it fingerprints again and compares with the cookie. If fingerprint changed, notify server about old and new fingerprint.

mmooss 7 hours ago
Many users leave their browsers open for months.

shevy-java 7 hours ago
Would it though? I guess state agencies already know all nodes or may know all nodes. When you have a ton of meta-information all cross-linked, they can probably identify people quite accurately; may not even need 100% accuracy at all times and could do with less. I was thinking about that when they used information from any surrounding area or even sniffing through walls (I think? I don't quite recall the article but wasn't there an article like that in the last 3-5 years? The idea is to amass as much information as possible, even if it may not primarily have to do with solely the target user alone; e.g. I would call it "identify via proxy information").