[tbb-bugs] #24521 [Applications/Tor Browser]: Investigate Making Canvas Unfingerprintable

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 4 20:42:52 UTC 2017

#24521: Investigate Making Canvas Unfingerprintable
     Reporter:  tom                       |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
 If we can make <canvas> unfingerprintable, we could remove the permission
 prompt. I wanted to capture the discussion on this here.

 From long ago, what needed to be fixed to make <canvas> unfingerprintable:

  1. software rendering
  2. system colors were standardized
  3. and the browser shipped a fixed collection of fonts

 I believe we have patches for 2 and 3.

 1 is doable (see below).

 But the font stuff is still tricky. See #16672 which is an example of the
 same OS (but different versions of it) rendering the same font

 And #17999 which is the default GUI font allowing distinguishing the
 version of the GUI. (That's not specific *to* canvas but it does probably
 *affect* canvas.)

 13:48:11 T<tjr> mstange: After talking with the Tor folks, there were
 three main areas for canvas fingerprinting: fonts (we can partly that),
 system colors (we can handle that), and software rendering.
 13:48:14 T<tjr> But the font stuff is trickier than I thought at first.
 While we can whitelist fonts, it turns out the same font is sometimes
 rendered differently in different versions of the same OS, and that
 different versions of the same OS can be fingerprinted by the default font
 13:48:17 T<tjr> We suspect there are other vectors inside canvas, but
 switching to software rendering would be a big help. Is that easy to do?
 Tor would consider shipping that in an Alpha.
 13:49:45 M<mstange> tjr: interesting!
 13:49:59 M<mstange> switching to Skia software is as easy as setting
 gfx.canvas.azure.backends to "Skia" and gfx.canvas.azure.accelerated to
 13:50:51 M<mstange> for system-setting-dependent font rendering, maybe we
 can add a way of rendering fonts into canvas that does not respect any
 system settings
 13:51:16 M<mstange> lsalzman: how hard would that be? maybe we could ship
 some ugly freetype rasterization on all platforms?
 13:51:25 L<lsalzman> how hard would what be?
 13:51:35 M<mstange> "add a way of rendering fonts into canvas that does
 not respect any system settings"
 13:51:56 L<lsalzman> depends what that means
 13:52:04 L<lsalzman> if you mean using freetype on all platforms, that
 would be insane right now
 13:52:09 M<mstange> ok
 13:52:10 L<lsalzman> we're not architected for that
 13:52:29 L<lsalzman> we have a lot of assumptions built in like, if you're
 on windows, you're using dwrite, etc.
 13:53:13 M<mstange> I'm looking for a way to render fonts that doesn't
 leak any more bits of entropy than the OS you're on
 13:53:14 L<lsalzman> i mean, you can certainly make dwrite rendering ugly
 and standardized to some degree
 13:53:35 L<lsalzman> but forcing things like gamma, contrast, AA, hinting,
 to known values
 13:53:46 L<lsalzman> that's somewhat what Chrome does already ;)
 13:53:57 M<mstange> that sounds interesting
 13:54:22 L<lsalzman> the gfx.font_rendering.cleartype_params already allow
 this, i think
 13:54:36 L<lsalzman> there may be some cases where they're not properly
 respected everywhere, though
 13:54:58 M<mstange> thanks
 13:55:23 M<mstange> tjr: ^ this seems like a good place to start
 13:56:40 L<lsalzman> linux settings will be hell because of fontconfig
 13:56:47 L<lsalzman> no idea what we're doing as far as prefs on mac
 13:57:30 M<mstange> I don't think there are any prefs on mac, other than
 the 1 bit "allow font smoothing" pref
 13:58:01 M<mstange> and now that we know that we can override it with
 CGContextSetAllowsFontSmoothing, this one shouldn't be a problem either :)
 13:59:11 T<tjr> When you say fontconfig, is that taking into account that
 we are planning to bundle and whitelist what fonts are available to the
 browser (when privacy.resistFingerprinting is enabled)?

 One idea would be to enable system rendering, do some due diligence on if
 _we_ can detect anything, and if not, put it in the Alpha and allow bug
 bounty folks to poke at it.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24521>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
