Chromium privacy issue: browser fingerprinting
Luke Kuhn
lukekuhn at hotmail.com
Tue Jul 31 18:21:57 UTC 2012
Chromium is widely used because it is faster than many other browsers, but it has a problem: the user-agent is hard to change (you have to call it from terminal with the new user-agent; how many end users will do that?), and transmits far too much information. In Panopticlick (http://panopticlick.eff.org/), it always comes up as "unique" when facing a "browser fingerprinting" attack, even when JavaScript is disabled.
I have strong suspicions that Google is using fingerprinting, as their new privacy policy explicitly allows "device information" to be collected. Therefore, I have reason to believe Google wrote the code to be as fingerprintable as possible. Google's motives for this would include the following:
1: Get control over Youtube and Gmail users by blocking multiple account formation unless users agree to give them a mobile phone number. In the past, they used things like IP address history and IP address match to zip code to determine who to "challenge" for a phone number. I abandoned Youtube because of this, blocked comments on all my old videos to eliminate the need for administrative logins, and walked away from the account.
2: Make it much harder to avoid creating a Google search history that can be sold to advertisers or used to target ads. This database is also vulnerable to subpoena. In the light of the recent "street view" case revelations of illegal data retention, I assume the worst about Google.
I won't use Google or Youtube at all without Tor, NoScript, and Ghostery in Firefox, and when they block Tor I treat them as "Server down." The user-agent is set to make it appear that Firefox is running under Windows. Since I make activist media, I have to be careful about this sort of security issue, same as the reason I use encrypted disks, with their overhead, on video editing boxes along with all my others.
Torbutton, despite its Tor leakage if used poorly, does weaken browser fingerprinting, often increasing the number of browsers identical to yours by a factor of ten. Blocking JavaScript can be the difference between Firefox being unique in Panopticlick and one in 889, but in Chromium it helps little, especially if the user-agent is reporting that you are using an Ubuntu Alpha, which I saw at least once!
As a result, I can only recommend Chromium for known safe sites that you can trust not to track you by browser fingerprint. Fine to keep it in repo, but no distro should install it by default. While neither Ubuntu nor US is intended as a "security" distro, flagging software that creates such a severe privacy issue might be a good idea. Of course, the counter is that Firefox has to be actively secured to do much better in Panopticlick, but then again, they only have about 2 million browser "fingerprints" to test against. Surely Google has far more.
> Date: Mon, 30 Jul 2012 17:37:25 +0200
> From: Ralf Mardorf <ralf.mardorf at alice-dsl.net>
> To: len at ovenwerks.net
> Cc: Ubuntu Studio Development & Technical Discussion
> <ubuntu-studio-devel at lists.ubuntu.com>
> Subject: Re: Another idea for comments
> Message-ID: <1343662645.2215.5.camel at precise>
> Content-Type: text/plain; charset="UTF-8"
>
> I didn't follow this thread. Is there a list with the available
> meta-packages and the included files somewhere available. I suspect this
> thread is about Quantal. FWIW I'll stay at Precise, since it's a LTS.
>
> Much used by Linux folks is Chromium, I guess it's not an option for
> Ubuntu Studio. However, most people from Linux and Windows know Firefox.
>
> Regards,
> Ralf