[tbb-bugs] #32861 [Applications/Tor Browser]: "Fingerprint.js PRO" successfully fingerprints Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Dec 31 05:31:18 UTC 2019


#32861: "Fingerprint.js PRO" successfully fingerprints Tor Browser
--------------------------------------+--------------------------
 Reporter:  printerman22              |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-fingerprinting        |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Changes (by Thorin):

 * keywords:  fingperint, fingerpriting => tbb-fingerprinting
 * cc: tom (added)


Comment:

 it's linking "previous" visits by the id hash it generates

 so how does it compute the id hash?
  - `view-source:https://fingerprintjs.com/dist/demo.js`
  - `https://unminify.com/` - unminify it = 31K+ lines

 This looks like some sort of JS attack template (don't let the word
 "attack" alarm you): in other words it's checking everything it possibly
 can including the kitchen sink. The code is using very short variables,
 but it's easy enough to spot "normal/established" fingerprinting like
 screen measurements, font lists, canvas, glyphs, etc. And if each TB
 stable release per OS is not tinkered with, then the rest (the JS attack
 part) should be the same for everybody in that group (there will most
 likely be entropy between major OS versions, and probably between Linux
 distros).

 Here's some basic tests/proofs:
 - change your reported inner window size: id changes
 - **remember to reset this**: flip `dom.webaudio.enabled`: id changes
 - ^^ ditto for flipping for all sorts of APIs on/off


 TB users are advised to stay at default window size, and not to mess with
 settings. And here's the thing: it told me on my first visit that I've
 visited before, but I haven't (AFAICRemember, certainly not in the last 12
 hours, or 3 days, and not with these TB builds). It did this to me twice:
 once on stable, once on alpha: both had different ids due to a different
 window size. In other words: yes there is entropy across stable TB
 versions (OS limitations such as available screen height -> inner window,
 OS fonts, OS widgets measurements and font, and so on), but there are
 still numbers of users per configuration (but... see `note` below)

 It's so easy / trivial to get the id to change (which is why a JS attack
 template is not a good real world application for security checks, IMO),
 but the fact my TB's id by default (for me on Windows = probably popular:
 not so much you on Mac OS Catalina) tells me I had already visited (when I
 hadn't) tells me that TB's anti-fingerprinting is working to some degree.
 `note`: that said, we already know other areas that need work (see `tbb-
 fingerprinting` bugs), and I/we have PoCs for them (such as clientRect:
 e.g the domrect test at TZP combines this with your default font and
 widget).

 Howver, this is a bit of a nightmare script to output and debug. Maybe tom
 or gk or someone else can "debug" it a little? But AFAIConcerned, this is
 wasted time and I have other yaks to shave :)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32861#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list