Prenez-vous au sérieux le risque de pistage par Favicon même si l'on utilise un VPN?

Je n’ai pas d’opinion aboutie.

En résumé, d’après certains chercheurs, la gestion par votre navigateur de l’icone Favicon des sites Web pourrait servir à pister un navigateur, VPN ou pas.

Ici on parle de choses concrètes, avec PoC :

Une source est : Un PDF "Tales of FAVICONS and Caches: Persistent Tracking in Modern Browsers
Konstantinos Solomos, John Kristoff, Chris Kanich, Jason Polakis University of Illinois at Chicago
{ksolom6, jkrist3, ckanich, polakis}@uic.edu

Le fichier n’est plus en ligne mais dispo dans Wayback WebArchive :

Leur conclusion n’est pas complètement affirmative, mais parle de risques à gérer, d’actions en cours :

IX. CONCLUSION
As browsers increasingly deploy more effective anti-
tracking defenses and anti-fingerprinting mechanisms gain
more traction, tracking practices will continue to evolve and
leverage alternate browser features. This necessitates a proac-
tive exploration of the privacy risks introduced by emerging
or overlooked browser features so that new tracking vectors
are identified before being used in the wild. In this paper we
highlighted such a scenario by demonstrating how favicons,
a simple yet ubiquitous web resource, can be misused as a
powerful tracking vector due to the unique and idiosyncratic
favicon-caching behavior found in all major browsers. In fact,
cached favicons enable long-term, persistent user tracking
that bypasses the isolation defenses of the incognito mode
and is not affected by existing anti-tracking defenses. Fur-
thermore, we analyzed a real-world dataset and illustrated
how immutable browser fingerprints are ideal for optimizing
low-bandwidth tracking mechanisms. When leveraging such
fingerprints our attack can reconstruct a unique 32-bit tracking
identifier in 2 seconds, which is significantly less than the
average 10-second overhead introduced by trackers on popular
websites [36]. To address the threat posed by our technique,
we disclosed our findings to browser vendors and remediation
efforts are currently underway, while we also outlined a series
of browser changes that can mitigate our attack

Certains prétendent que Firefox n’est pas concerné. Certains prennent le risque au sérieux et désactivent les favicons. Et vous?

https://www.schneier.com/blog/archives/2021/02/browser-tracking-using-favicons.html