From the paper: "We assume default configurations for the operating system and browser."
Well I have no idea what the ‘default configuration’ of … Linux … is…
But uh, theoretically this is something you could harden against by going balls to the wall with security preferences and options in firefox, waterfox, librewolf, ironfox, something like that… maybe?
Also, it's maybe possible that using a separate container for each separate tab could also stymie this.
CanvasBlocker, uBlock Origin, Privacy Badger
about:config ->
-> javascript.options.shared_memory = FALSE
-> privacy.firstparty.isolate = TRUE
-> privacy.partition.network_state = TRUE
-> privacy.partition.network_state.ocsp_cache = TRUE
-> privacy.partition.network_state.ocsp_cache.pbmode = TRUE
-> privacy.partition.serviceWorkers = TRUE
-> privacy.reduceTimerPrecision = TRUE
-> privacy.resistFingerprinting.reduceTimerPrecision.jitter = TRUE
-> privacy.resistFingerprinting.reduceTimerPrecision.microseconds = 1000 … or… more?
… might do something to stymie this?
Seems like a feature vendors need to reconsider unimplementing/threat remodeling.
Yeah I apparently missed all this but yeah, there seems to have been a significant hubbub of basically… wait why do we even need this at all?
To satisfy lazy corporate web devs who can’t be bothered to use existing APIs properly?
That’s basically my take after a light review of reading several threads in various places around this, over the last few years.
Interesting ideas in here, particularly the timer precision
Waterfox seems to already have a default of 1000 microseconds, if… I think, you go with ‘strict’ privacy settings option?
So on the one hand, a very brief perusal of the paper shows that the method needs like, sub 200 timings to work well.
On the other hand… I have no idea if the exploit method effectively circumvents the way this timing speed limit actually works.
I basically just sped read everything lol.
So, you’re saying you only needed one timer?
Mullvad browser may be better for this than librewolf?
Potentially?
Maybe?
I would not call myself an expert here, I don’t… dev web browsers, more like I’m a privacy minded power user.
I’m literally just spitballing, I can guarantee nothing.
Maybe if I did a full crash course over like a month or two, I could have what I would call a ‘semi-informed’ opinion.
Because Mullvad is based on Tor Browser, which is known to be very fingerprint resistant.