VLC Fingerprinting Research

Both VLC and Tor Browser use the mediaframeworks (gstreamer, ffmpeg) on Linux. In case of Tor Bowser the devs are working to reduce attack surface by limiting what codecs the browser accesses.

What codecs and their versions are vectors for fingerprinting individual systems although in the case of Whonix this isn’t much of a threat considering all users run the same baseline.

My question to Tor mailing list

https://lists.torproject.org/pipermail/tor-talk/2018-February/044024.html

2 Likes

Seems fingerprinting media stats is done with JS in Firefox (fix is WIP). Since VLC doesn’t execute JS this shouldn’t be a problem.


As far as cookies go, VLC has published their privacy statement which applies to their mobile versions but can be extrapolated for the desktop too IMO.

VideoLAN does not collect any statistics, personal information, or analytics from our users, other than built in mechanisms that are present for all the mobile or embedded applications in their respective main distribution channels.

The mobile or embedded versions of ‘VLC’ do allow for videos to be played via various network transports. Cookies are not stored at any point. Authentication credentials can be stored optionally on the user’s local device upon the user’s explicit request.

2 Likes

@Patrick Please tell me where to document.

/Dev/VLC or /Dev/Media?

So its not really relevant to users? As long as we record the actual reasoning someplace.

/Dev is for reasoning, researched non-issues, notes, details.

User centric advice on what to do could be added here:

Software - Kicksecure

Or a new standalone page https://www.whonix.org/wiki/Media_Player?

1 Like

Users need to know only short actionable information.

1 Like

Good reasoning. I guess this is relevant to users since they need to know how they are affected when using it.

1 Like

Well, I imagine documentation like this “if you want to do A, B, or C then use X, Y and/or Z”.

Playing downloaded videos? Use VLC.
View/listen streams? Use VLC.
Note on being careful storing credentials since it’s a fingerprinting vector?

What do you think?

1 Like

I think this is a good general rule of thumb for all programs. Not just VLC.

1 Like