VLC Fingerprinting Research

HulaHoop · February 26, 2018, 4:22pm

Both VLC and Tor Browser use the mediaframeworks (gstreamer, ffmpeg) on Linux. In case of Tor Bowser the devs are working to reduce attack surface by limiting what codecs the browser accesses.

What codecs and their versions are vectors for fingerprinting individual systems although in the case of Whonix this isn’t much of a threat considering all users run the same baseline.

https://trac.torproject.org/projects/tor/ticket/13543
https://trac.torproject.org/projects/tor/ticket/22933

My question to Tor mailing list

https://lists.torproject.org/pipermail/tor-talk/2018-February/044024.html

HulaHoop · February 26, 2018, 4:48pm

Seems fingerprinting media stats is done with JS in Firefox (fix is WIP). Since VLC doesn’t execute JS this shouldn’t be a problem.

https://bugzilla.mozilla.org/show_bug.cgi?id=1369309

As far as cookies go, VLC has published their privacy statement which applies to their mobile versions but can be extrapolated for the desktop too IMO.

VideoLAN does not collect any statistics, personal information, or analytics from our users, other than built in mechanisms that are present for all the mobile or embedded applications in their respective main distribution channels.

The mobile or embedded versions of ‘VLC’ do allow for videos to be played via various network transports. Cookies are not stored at any point. Authentication credentials can be stored optionally on the user’s local device upon the user’s explicit request.

https://www.videolan.org/vlc/privacy.html

HulaHoop · February 28, 2018, 2:59pm

@Patrick Please tell me where to document.

Patrick · February 28, 2018, 5:12pm

/Dev/VLC or /Dev/Media?

HulaHoop · February 28, 2018, 5:34pm

So its not really relevant to users? As long as we record the actual reasoning someplace.

Patrick · February 28, 2018, 6:21pm

/Dev is for reasoning, researched non-issues, notes, details.

User centric advice on what to do could be added here:

https://www.whonix.org/wiki/Software#Media_Player

Or a new standalone page https://www.whonix.org/wiki/Media_Player?

Patrick · March 8, 2018, 4:18pm

Users need to know only short actionable information.

HulaHoop · March 10, 2018, 11:54pm

Good reasoning. I guess this is relevant to users since they need to know how they are affected when using it.

Patrick · March 11, 2018, 1:34pm

Well, I imagine documentation like this “if you want to do A, B, or C then use X, Y and/or Z”.

Playing downloaded videos? Use VLC.
View/listen streams? Use VLC.
Note on being careful storing credentials since it’s a fingerprinting vector?

What do you think?

HulaHoop · March 11, 2018, 11:43pm

I think this is a good general rule of thumb for all programs. Not just VLC.