W3C home > Mailing lists > Public > www-tag@w3.org > August 2010

Browser fingerprinting [was Re: Client side storage: Flash storage used to preserve/recreate deleted cookies]

From: David Booth <david@dbooth.org>
Date: Mon, 30 Aug 2010 11:54:41 -0400
To: Noah Mendelsohn <nrm@arcanedomain.com>
Cc: "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <1283183681.20302.7862.camel@dbooth-laptop>
On Mon, 2010-08-30 at 11:11 -0400, David Booth wrote:
> On Sun, 2010-08-29 at 16:35 -0400, Noah Mendelsohn wrote:
> > This article [1] suggests that at least some organizations are using Flash 
> > client side storage to preserve and recreate browser cookies.  Not quite 
> > sure what this is pertinent to TAG work on client-side storage, but it's at 
> > least worth noting.
> > 
> > Noah
> > 
> > [1] 
> > http://arstechnica.com/tech-policy/news/2010/08/ad-firm-sued-for-allegedly-re-creating-deleted-cookies.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss
> Wow, that's a *major* privacy violation and security hole.  I'm
> surprised Adobe has not yet been sued about it, but perhaps the
> attorneys are going after the lower hanging fruit.
> And BTW, the whole idea of users having to use Adobe's web site to set
> the security controls on their own personal computer is completely
> absurd.  That aspect in and of itself is totally broken and would seem
> to me to be grounds for a lawsuit regardless of the other issues.

FYI, there is also interesting paper on the privacy threat of browser
fingerprinting based only on information that a web site can readily
obtain from the browser when the user visits the site:
We observe that the distribution of our finger-
print contains at least 18.1 bits of entropy, meaning that if we pick a
browser at random, at best we expect that only one in 286,777 other
browsers will share its fingerprint. Among browsers that support Flash
or Java, the situation is worse, with the average browser carrying at
least 18.8 bits of identifying information. 94.2% of browsers with Flash
or Java were unique in our sample.

An EFF project attempts to address this problem, and provides a link for
testing your browser:

David Booth, Ph.D.
Cleveland Clinic (contractor)

Opinions expressed herein are those of the author and do not necessarily
reflect those of Cleveland Clinic.
Received on Monday, 30 August 2010 15:55:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:56:35 UTC