[tbb-bugs] Tor Browser Fingerprinting, status as of today

Jose Carlos Norte jcarlos.norte at gmail.com
Sun Mar 6 12:27:56 UTC 2016


Hi,

I have written an article about Tor Browser fingerprinting and thought it
would be nice to share it here to discuss the impact and possible solutions
of the vectors mentioned:

http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html

Basically, the fingerprinting of the browser is based on:

1. Measuring time with better accuracy than 100ms using CSS3 animation
events or a simple web worker with setInterval 1ms and a variable that increments

2. Using the better clock accuracy, benchmark CPU using JavaScript

3. Mousewheel events behave differently under different hardware

4. Mouse events happen at different speeds for different software
configurations

5. The most surprising one: getClientRects works like a charm in Tor
Browser as of today, and reports exact position and sizes in pixels of a
given DOM element, revealing a lot of entropy, since each user's computer is
going to draw boxes slightly differently

I'm not surprised about the CPU benchmark, it's an easy one, but I guess it
doesn't reveal a lot of entropy. What is surprising is how easy it was to
fingerprint a Tor Browser user using getClientRects.

ATM it is super easy to use a hash function to create a hash from the
output of getClientRects, valid for recognizing a Tor Browser user at any
moment in the future, on any page he visits.

And the other entropy leaks can be used to get more accuracy in the
identification, if the hash of getClientRects matches more than one user.

Regards,
joca.