Exposing TB as Tor Browser
Background: Firefox added the Canvas Permission Prompt, people turned it on. They discovered that blog.mozilla.com was triggering it, investigated. Tracked it down to Wordpress, by default, using canvas to figure out if the user has emoji support. Fairly innocuous use, not for tracking. Wordpress would like to detect Tor Browser so it doesn't perform the check and therefore doesn't pop the prompt. This would significantly reduce the number of prompts Tor Browser users are seeing. The (old) ticket is here: https://trac.torproject.org/projects/tor/ticket/18195 Other links: Original WP ticket: https://core.trac.wordpress.org/ticket/32138 Mozilla Ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1413182 New WP Ticket: https://core.trac.wordpress.org/ticket/42428 Is this something TB would take as a patch? -tom PS: Unless FF with privacy.resistFingerprinting identified itself as Tor Browser, this wouldn't help FF, just TB. But maybe FF _should_ identify itself as TB if TB starts identifying itself as TB?
On Fri, Nov 03, 2017 at 02:05:29PM -0500, Tom Ritter wrote:
Wordpress would like to detect Tor Browser so it doesn't perform the check and therefore doesn't pop the prompt. This would significantly reduce the number of prompts Tor Browser users are seeing. The (old) ticket is here: https://trac.torproject.org/projects/tor/ticket/18195 [...] PS: Unless FF with privacy.resistFingerprinting identified itself as Tor Browser, this wouldn't help FF, just TB. But maybe FF _should_ identify itself as TB if TB starts identifying itself as TB?
Shouldn't Wordpress be wanting to detect whether the browser has a canvas fingerprinting warning feature, not whether the browser is Tor Browser? That difference will become more important as we continue migrating features like that one into other mainstream browsers. --Roger
On 3 November 2017 at 14:12, Roger Dingledine <arma@mit.edu> wrote:
On Fri, Nov 03, 2017 at 02:05:29PM -0500, Tom Ritter wrote:
Wordpress would like to detect Tor Browser so it doesn't perform the check and therefore doesn't pop the prompt. This would significantly reduce the number of prompts Tor Browser users are seeing. The (old) ticket is here: https://trac.torproject.org/projects/tor/ticket/18195 [...] PS: Unless FF with privacy.resistFingerprinting identified itself as Tor Browser, this wouldn't help FF, just TB. But maybe FF _should_ identify itself as TB if TB starts identifying itself as TB?
Shouldn't Wordpress be wanting to detect whether the browser has a canvas fingerprinting warning feature, not whether the browser is Tor Browser?
That difference will become more important as we continue migrating features like that one into other mainstream browsers.
Yes. There are two problems here actually: 1) Some browsers throw a permission and others don't. How does the webmaster know whether the prompt will be thrown? 2) The Canvas image extraction API is synchronous. What we do today is return all-white so script execution continues, and if you accept the permission any subsequent calls will succeed. This often breaks legitimate uses of canvas because they aren't set up to handle this possibility. (Fortunately, there are so few legitimate uses of this canvas feature it's not a big deal!) To solve #2, the canvas image extraction API should be turned into an asynchronous promise-based API, which can succeed or fail. And more importantly will give the user the opportunity to accept or reject the permission before the call completes (as opposed to today where we return blank data to the synchronous API call so script execution continues). The problem is that the entire web has to migrate to the Promise-based API. To solve #1 we may need to make something up. I'm not sure if there is any existing mechanism or API that is defined to provide information about capabilities. Normally it's just done through feature detection I think. If we did make something up, Wordpress could use that though, and so could Firefox. It won't be as easy as the User Agent approach, because it will require more bikeshedding, but I suppose it is the 'right way' to do it. I think the right thing to do is figure out how to make Canvas not fingerprintable once and for all. Until that's figured out though, I think solving #1 is okay. I guess I worry that we'd spend forever bikeshedding on something that we hope to throw away once Canvas Fingerprinting is 'solved'. But maybe we wouldn't through it away. Maybe there's other things we'd expose through it, like "AntiFingerprinting Mode is On" so the website knows not to rely on a bunch of data it knows will be faked. -tom
Tom Ritter:
On 3 November 2017 at 14:12, Roger Dingledine <arma@mit.edu> wrote:
On Fri, Nov 03, 2017 at 02:05:29PM -0500, Tom Ritter wrote:
Wordpress would like to detect Tor Browser so it doesn't perform the check and therefore doesn't pop the prompt. This would significantly reduce the number of prompts Tor Browser users are seeing. The (old) ticket is here: https://trac.torproject.org/projects/tor/ticket/18195 [...] PS: Unless FF with privacy.resistFingerprinting identified itself as Tor Browser, this wouldn't help FF, just TB. But maybe FF _should_ identify itself as TB if TB starts identifying itself as TB?
Shouldn't Wordpress be wanting to detect whether the browser has a canvas fingerprinting warning feature, not whether the browser is Tor Browser?
That difference will become more important as we continue migrating features like that one into other mainstream browsers.
I agree with Roger here. If we can avoid it (and I think we can) we should not introduce yet another way of differentiating users of different browsers.
Yes.
There are two problems here actually:
1) Some browsers throw a permission and others don't. How does the webmaster know whether the prompt will be thrown? 2) The Canvas image extraction API is synchronous. What we do today is return all-white so script execution continues, and if you accept the permission any subsequent calls will succeed. This often breaks legitimate uses of canvas because they aren't set up to handle this possibility. (Fortunately, there are so few legitimate uses of this canvas feature it's not a big deal!)
To solve #2, the canvas image extraction API should be turned into an asynchronous promise-based API, which can succeed or fail. And more importantly will give the user the opportunity to accept or reject the permission before the call completes (as opposed to today where we return blank data to the synchronous API call so script execution continues). The problem is that the entire web has to migrate to the Promise-based API.
To solve #1 we may need to make something up. I'm not sure if there is any existing mechanism or API that is defined to provide information about capabilities. Normally it's just done through feature detection I think. If we did make something up, Wordpress could use that though, and so could Firefox. It won't be as easy as the User Agent approach, because it will require more bikeshedding, but I suppose it is the 'right way' to do it.
I think the right thing to do is figure out how to make Canvas not fingerprintable once and for all. Until that's figured out though, I think solving #1 is okay. I guess I worry that we'd spend forever bikeshedding on something that we hope to throw away once Canvas Fingerprinting is 'solved'.
I think the solution to #2 is a good one but I agree the amount of work we'd need to do to establish it is pretty high and might not be worth it. So, yes, doing something along the lines you outlined above to fix #1 seems reasonable to me. Is there a bug for that on Mozilla's Bugzilla already? I don't understand, though, why this is an issue for Tor Browser at all right now as the combination of "comes from a Tor exit AND is using the Tor Browser user agent" could pretty easily be used to decide whether to show the canvas warning or not, without adding additional strings to our User Agent which then would get sent with *every* request. We don't support Tor being used in other browsers than Tor Browser at the moment which makes that approach okay for me. Things might break in that scenario for non-Tor Browser users that have configured their browser to use Tor, yes, but they are very likely already in trouble by not using Tor Browser anyway. Georg
On Nov 17, 2017 3:49 AM, "Georg Koppen" <gk@torproject.org> wrote: I don't understand, though, why this is an issue for Tor Browser at all right now as the combination of "comes from a Tor exit AND is using the Tor Browser user agent" could pretty easily be used to decide whether to show the canvas warning or not, without adding additional strings to our User Agent which then would get sent with *every* request. The script runs client side in JavaScript and is designed to require no setup by users who deploy the WordPress themes. With those requirements WordPress would have to call out to a third party API - either us or themselves, both bad options. -tom
On Fri, Nov 3, 2017 at 12:06 PM Tom Ritter <tom@ritter.vg> wrote: Wordpress would like to detect Tor Browser so it doesn't perform the
check and therefore doesn't pop the prompt. This would significantly reduce the number of prompts Tor Browser users are seeing.
I think a possibly good way to avoid the prompt might be a method Tom and Mark suggested before: block image extraction without showing the prompt unless the extraction attempt happens following a user interaction: https://bugzilla.mozilla.org/show_bug.cgi?id=1376865 And indeed this would provide scripts a way of silently checking for canvas fingerprinting protection. On load, draw on a canvas and attempt to extract: if the returned image is blank, the page knows not to do it again after a user interaction.
That's a workable solution for this particular issue - but it seems convoluted advice to give to website authors. An extensible, semi-standard API is a lot less complicated. To answer Georg's question: no there is no bug for this. I'd have to go hunting to see who I need to get permission from to add something non-standard like this into the DOM actually... -tom On 17 November 2017 at 08:36, Arthur D. Edelstein <arthuredelstein@gmail.com> wrote:
On Fri, Nov 3, 2017 at 12:06 PM Tom Ritter <tom@ritter.vg> wrote:
Wordpress would like to detect Tor Browser so it doesn't perform the check and therefore doesn't pop the prompt. This would significantly reduce the number of prompts Tor Browser users are seeing.
I think a possibly good way to avoid the prompt might be a method Tom and Mark suggested before: block image extraction without showing the prompt unless the extraction attempt happens following a user interaction:
https://bugzilla.mozilla.org/show_bug.cgi?id=1376865
And indeed this would provide scripts a way of silently checking for canvas fingerprinting protection. On load, draw on a canvas and attempt to extract: if the returned image is blank, the page knows not to do it again after a user interaction.
_______________________________________________ tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
participants (4)
-
Arthur D. Edelstein -
Georg Koppen -
Roger Dingledine -
Tom Ritter