[tbb-bugs] #27268 [Applications/Tor Browser]: preferences cleanup

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Aug 26 05:12:23 UTC 2018

#27268: preferences cleanup
 Reporter:  rzb                              |          Owner:  tbb-team
     Type:  defect                           |         Status:  new
 Priority:  Medium                           |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  ff60-esr, TorBrowserTeam201808R  |  Actual Points:
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:

Comment (by Thorin):

 Replying to [comment:6 gk]:
 > A user on the blog mentioned a bunch of resistfingerprinting related
 prefs ...

 I created an account just so I could talk to you guys :). THIS is not an
 issue in terms of changing TBB's fingerprint, because TBB can enforce/lock
 prefs and set their own default values. It is only for FF users, because
 any pref different from default that alters the FF FP is not good. When
 RFP becomes front facing in FF, very few users would tinker under the hood
 with about:config, so the vast majority would be at defaults.

 https://github.com/ghacksuserjs/ghacks-user.js/issues/222 - here is a look
 at some of the earlier RFP patches and how they can alter the FP (any
 subsequent "clashes" are maintained in the user.js itself, under section
 4600), e.g.:
 - media.video_stats.enabled=false disables the API, but RFP returns
 dynamically spoofed values
 - dom.netinfo.enabled=false returns "unknown" but RFP returns "undefined"

 I emailed Arthur over 24 hrs ago, but he must have misread me. I wanted to
 point you guys to this -> https://github.com/ghacksuserjs/ghacks-

 Any pref we have enforced or flipped in the user.js over the years (and we
 only deal with security/privacy/anti-FP etc prefs), when it is deprecated,
 ends up in this sticky. We capture all diffs between FF releases and the
 issue linked above provides hyperlinks to each and every bugzilla as
 source for the pref's removal/renaming etc. It's also grouped by FF
 release, so you can just have at it and check everything from 59 back.
 Just wanted to save you some time.

 I don't want to go OT, but HWA being turned on is an issue. We have a PoC
 that uses timing to get history leaks, and HWA=off is the only thing that
 makes it fail. Which is why I am waiting to see what YOU guys do with the
 all the perf/timing prefs (please don't follow my lead, or it will be the
 tail wagging the dog). See https://github.com/ghacksuserjs/ghacks-

 Arthur: Tom Ritter was given the info on the timing attack PoC
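
The fingerprinting point in the comment above (a pref that changes what a web API exposes moves the user out of the crowd sitting at defaults) as an added example; this is editorial code, not code from the ticket, Tor Browser, or the ghacks user.js project. The two API surfaces probed (navigator.connection for dom.netinfo.enabled, the mozParsedFrames/mozDecodedFrames fields for media.video_stats.enabled) are the ones the comment names; the "population" of browsers and the values they expose are constructed assumptions, not measured Firefox behaviour, and the bucket/surprisal arithmetic is the standard anonymity-set measure rather than anything from the thread.

```javascript
'use strict';

// Added example, not from the ticket, Tor Browser or the ghacks user.js
// project. A script cannot see which pref a user flipped, only what the
// API surface looks like afterwards; this probe turns that surface into a
// bucket key and measures how much a bucket reveals within a population.
// Sample population and API values below are ASSUMPTIONS for illustration.

// Probe the Network Information surface on a navigator-like object.
// "absent" when nothing is exposed (API disabled), otherwise the reported
// type; a spoofed or undefined type still counts as "present".
function probeNetInfo(nav) {
  const conn = nav && nav.connection;
  if (conn === undefined || conn === null) return 'netinfo:absent';
  return 'netinfo:present:' + String(conn.type);
}

// Probe the Mozilla video statistics fields on a video-element-like object.
// Only presence matters here: a disabled API exposes nothing, whereas an
// implementation that spoofs values still exposes numbers.
function probeVideoStats(video) {
  const fields = ['mozParsedFrames', 'mozDecodedFrames'];
  const exposed = fields.filter((f) => video && f in video);
  return exposed.length === 0 ? 'videostats:absent' : 'videostats:present';
}

// Combine the individual probes into one bucket key for a browser.
function fingerprintBucket(nav, video) {
  return [probeNetInfo(nav), probeVideoStats(video)].join('|');
}

// Count how many browsers in a population land in each bucket.
function anonymitySets(buckets) {
  const counts = new Map();
  for (const b of buckets) counts.set(b, (counts.get(b) || 0) + 1);
  return counts;
}

// Surprisal of a bucket in bits: what a tracker learns from seeing it.
// A bucket shared by everyone yields 0 bits; a unique one yields log2(N).
function bitsRevealed(counts, bucket) {
  const total = [...counts.values()].reduce((a, b) => a + b, 0);
  const n = counts.get(bucket) || 0;
  if (n === 0) return Infinity;
  return Math.log2(total / n);
}

// Constructed population (ASSUMPTION): nine browsers at defaults and one
// where dom.netinfo.enabled and media.video_stats.enabled were set to
// false by hand, so neither surface is exposed at all.
const DEFAULT_NAV = { connection: { type: 'wifi' } };
const DEFAULT_VIDEO = { mozParsedFrames: 120, mozDecodedFrames: 118 };
const TWEAKED_NAV = {};   // navigator.connection not exposed
const TWEAKED_VIDEO = {}; // stats fields not exposed

function samplePopulation() {
  const crowd = Array.from({ length: 9 }, () =>
    fingerprintBucket(DEFAULT_NAV, DEFAULT_VIDEO));
  const tweaked = fingerprintBucket(TWEAKED_NAV, TWEAKED_VIDEO);
  return { buckets: crowd.concat([tweaked]), tweaked, crowd: crowd[0] };
}

// Bits revealed by the crowd bucket versus the hand-tweaked one.
function report() {
  const { buckets, tweaked, crowd } = samplePopulation();
  const counts = anonymitySets(buckets);
  return {
    crowdBits: bitsRevealed(counts, crowd),     // log2(10/9), about 0.15
    tweakedBits: bitsRevealed(counts, tweaked), // log2(10/1), about 3.32
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(report());
}
```

The same arithmetic applies to the Tor Browser case the comment contrasts: when the browser itself locks a pref for every user, all users share one bucket and the pref costs nothing; a lone user flipping it in about:config lands in a bucket of one.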

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27268#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
