news.volyx.in

We found a stable Firefox identifier linking all your private Tor identities (fingerprint.com)

930 points by danpinto · 83 days ago · 298 comments on HN

Article summary

A vulnerability was discovered in Firefox-based browsers, including Tor Browser, that allows websites to derive a unique identifier from the order of entries returned by IndexedDB, even in private browsing mode. This identifier can be used to track users across different websites and sessions. The issue has been fixed in Firefox 150 and ESR 140.10.0, and Tor Browser has also released an update. The vulnerability highlights the importance of considering privacy implications in browser implementation details.

Main themes

  • Browser fingerprinting
  • Privacy vulnerabilities
  • Tor Browser security
  • Responsible disclosure
  • Fingerprinting techniques

What commenters say

  • The company that discovered the vulnerability should not be criticized for disclosing it, despite their business being in fingerprinting, as it is a positive action that benefits users.
  • The distinction between exploiting vulnerabilities and fingerprinting is not clear-cut, and some argue that fingerprinting is a form of exploiting unintended behavior.
  • The presence of countermeasures against fingerprinting, such as the 'Do Not Track' header, indicates that users and software developers do not intend for fingerprinting to occur.
  • Fingerprinting can be seen as a form of exploiting a vulnerability, as it often involves working around technical measures intended to stop it.
  • The company's decision to disclose the vulnerability may be seen as a way to whitewash their image and improve their public relations, rather than a genuine attempt to protect users' privacy.
  • The fact that the company discloses vulnerabilities does not necessarily mean they do not exploit them for their own gain, and their business model is still based on fingerprinting.
  • The vulnerability highlights the importance of considering the ethical implications of fingerprinting and the need for transparency in the industry.
  • The line between legitimate use of available information and exploiting a vulnerability is not always clear, and different people may have different opinions on what constitutes an exploit.