[tbb-bugs] #24521 [Applications/Tor Browser]: Investigate Making Canvas Unfingerprintable
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Dec 4 20:42:52 UTC 2017
#24521: Investigate Making Canvas Unfingerprintable
Reporter: tom | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
If we can make <canvas> unfingerprintable, we could remove the permission
prompt. I wanted to capture the discussion on this here.
From long ago, what needed to be fixed to make <canvas> unfingerprintable:
# software rendering
# system colors were standardized
# and the browser shipped a fixed collection of fonts
I believe we have patches for 2 and 3.
1 is doable (see below).
But the font stuff is still tricky. See #16672 which is an example of the
same OS (but different versions of it) rendering the same font
And #17999 which is the default GUI font allowing distinguishing the
version of the gUI. (That's not specific *to* canvas but it does probably
13:48:11 T<tjr> mstange: After talking with the Tor folks, there were
three main areas for canvas fingerprinting: fonts (we can partly that),
system colors (we can handle that), and software rendering.
13:48:14 T<tjr> But the font stuff is trickier than I thought at first.
While we can whitelist fonts, it turns out the same font is sometimes
rendered differently in different versions of the same OS, and that
different versions of the same OS can be fingerprinted by the default font
13:48:17 T<tjr> We suspect there are other vectors inside canvas, but
switching to software rendering would be a big help. Is that easy to do?
Tor would consider shipping that in an Alpha.
13:49:45 M<mstange> tjr: interesting!
13:49:59 M<mstange> switching to Skia software is as easy as setting
gfx.canvas.azure.backends to "Skia" and gfx.canvas.azure.accelerated to
13:50:51 M<mstange> for system-setting-dependent font rendering, maybe we
can add a way of rendering fonts into canvas that does not respect any
13:51:16 M<mstange> lsalzman: how hard would that be? maybe we could ship
some ugly freetype rasterization on all platforms?
13:51:25 L<lsalzman> how hard would what be?
13:51:35 M<mstange> "add a way of rendering fonts into canvas that does
not respect any system settings"
13:51:56 L<lsalzman> depends what that means
13:52:04 L<lsalzman> if you mean using freetype on all platforms, that
would be insane right now
13:52:09 M<mstange> ok
13:52:10 L<lsalzman> we're not architected for that
13:52:29 L<lsalzman> we have a lot of assumptions built in like, if you're
on windows, you're using dwrite, etc.
13:53:13 M<mstange> I'm looking for a way to render fonts that doesn't
leak any more bits of entropy than the OS you're on
13:53:14 L<lsalzman> i mean, you can certainly make dwrite rendering ugly
and standardized to some degree
13:53:35 L<lsalzman> but forcing things like gamma, contrast, AA, hinting,
to known values
13:53:46 L<lsalzman> that's somewhat what Chrome does already ;)
13:53:57 M<mstange> that sounds interesting
13:54:22 L<lsalzman> the gfx.font_rendering.cleartype_params already allow
this, i think
13:54:36 L<lsalzman> there may be some cases where they're not properly
respected everywhere, though
13:54:58 M<mstange> thanks
13:55:23 M<mstange> tjr: ^ this seems like a good place to start
13:56:40 L<lsalzman> linux settings will be hell because of fontconfig
13:56:47 L<lsalzman> no idea what we're doing as far as prefs on mac
13:57:13 ⇐ pcwalton quit (pcwalton at moz-vhk0rb.hfc.comcastbusiness.net)
13:57:30 M<mstange> I don't think there are any prefs on mac, other than
the 1 bit "allow font smoothing" pref
13:58:01 M<mstange> and now that we know that we can override it with
CGContextSetAllowsFontSmoothing, this one shouldn't be a problem either :)
13:59:11 T<tjr> When you say fontconfig, is that taking into account that
we are planning to bundle and whitelist what fonts are available to the
browser (when privacy.resistFingerprinting is enabled)?
One idea would be to enable system rendering, do some due diligence on if
_we_ can detect anything, and if not, put it in the Alpha and allow bug
bounty folks to poke at it.
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24521>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs