[tbb-bugs] #17009 [Tor Browser]: Shift and Alt keys leak physical Keyboard layout
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 8 06:33:26 UTC 2015
#17009: Shift and Alt keys leak physical Keyboard layout
-------------------------------------------------+-------------------------
Reporter: arthuredelstein | Owner: tbb-
Type: defect | team
Priority: normal | Status: new
Component: Tor Browser | Milestone:
Keywords: tbb-fingerprinting, | Version:
TorBrowserTeam201509R | Actual Points:
Parent ID: | Points:
-------------------------------------------------+-------------------------
In our patch for #15646, we spoofed the KeyboardEvent.code and
KeyboardEvent.keyCode, so that a KeyboardEvent for a given character
always reports the same physical key regardless of the true keyboard
layout. However, it is still possible to deduce keyboard layout by looking
at key combinations. For example, on an
[https://en.wikipedia.org/wiki/AZERTY AZERTY] keyboard such as those used
in France, the digit keys (1,2,3...0) require that the user press the
Shift key. Even though we spoof the keyboardEvent.shiftKey flag to false
for digit keys, it's easy to see when Shift is depressed by monitoring the
keyup and keydown events that the Shift key generates on its own. So that
gives a method of distinguished QWERTY and AZERTY keyboards. There are
similar issues with Alt and Shift+Alt generating special characters.
So I would suggest suppressing all keyup and keydown events for the Shift
and Alt keys.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17009>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list