[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Public WebGL] about the VENDOR, RENDERER, and VERSION strings
----- Original Message -----
> On Wed, Dec 1, 2010 at 00:04, Thatcher Ulrich <email@example.com> wrote:
> > My feeling is that the RENDERER string is extremely useful to WebGL
> > app devs, and of only slight benefit to people who want to
> > fingerprint
> > users (they already have better sources of entropy as highlighted in
> > the EFF paper). So I hope we keep a useful RENDERER.
> A detailed RENDERER with hardware model **and driver version** would
> provide quite a lot of "uniqueness".
> Maybe a way to make RENDERER useful while not giving too much bits
> would be to return the hardware maker and model but strip out driver
That would be a step in the right direction, but these days GPU manufacturers make many different models.
For NVIDIA alone, there are at least 200 device IDs relevant to WebGL (OpenGL 2 hardware)
So I expect the RENDERER string to give roughly 9 bits of information, with an uneven distribution --- some models are less commons and so their owners would be more exposed.
To put this in perspective, according to panopticlick, once you remove the user agent (i'm on FF nightlies where it's verbose, but in Firefox stable >= 4.0 it's going to give very little information), my worst browser characteristic here is my HTTP_ACCEPT headers and they give 9 bits of info.
So just RENDERER alone would create a problem equivalent to the worst current problem, assuming that the UserAgent problem gets solved by giving almost no info, see
> It still provides quite a good information about the hardware
> capabilities and its relative strengths/weaknesses.
> In case slowness is detected high-end applications making use of this
> kind of sniffing can recommend upgrading to latest drivers (in fact
> that's something WebGL-enabled browsers should do whenever possible).
You are currently subscribed to firstname.lastname@example.org.
To unsubscribe, send an email to email@example.com with
the following command in the body of your email: