[tbb-bugs] #29566 [Applications/Tor Browser]: math.cos reveals OS

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Feb 23 08:36:28 UTC 2019

#29566: math.cos reveals OS
 Reporter:  Thorin              |          Owner:  tbb-team
     Type:  defect              |         Status:  new
 Priority:  Medium              |      Component:  Applications/Tor Browser
  Version:                      |       Severity:  Normal
 Keywords:  tbb-fingerprinting-os |  Actual Points:
Parent ID:                      |         Points:
 Reviewer:                      |        Sponsor:
 **part1: background / obsolete code?**

 I can't find the old ticket, but it's probably relevant - it was about the
 implementation of higher math functions.

 see: https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#math
 also see: https://fpcentral.tbb.torproject.org/fp

 However (unless I made a mistake), I see **no difference** in these
 returned values in a vanilla ESR60, or FF60 thru to 66 as compared to Tor
 Browser. So I am not sure if the old patch is still required, or has even
 been rebased.

 asinh(1) `0.8813735870195429`
 acosh(1e300) `Infinity`
 atanh(0.5) `0.5493061443340548`
 expm1(1) `1.7182818284590455`
 cbrt(100) `4.641588833612778`
 log1p(10) `2.3978952727983707`
 sinh(1) `1.1752011936438016`
 cosh(10) `11013.232920103324`
 tanh(1) `0.7615941559557649`

 **part2: math.cos Windows: FF vs TB**

 results: see attachment
 test: https://thorin-oakenpants.github.io/testing/ (for as long as I leave
 it there)

 I do not know if that ticket/patch causes this, but there is a difference
 between TB vs FF for no discernible reason (e.g. Linux doesn't differ
 between FF and TB).

 Look at the first result. FF: `minus 0.374...` vs TB `plus 0.840...`

 **part3: math.cos reveals platform**

 Finally, to the meat and potatoes. See attachment. I'm using math.cos
 because it always returns a value between -1 and 1 (i.e. no NaN or
 Infinity). The following tests show that, so far, the last four values can
 be used to detect Windows or Linux, and so far one Android major version
 (v5.*). I am fully expecting the first four values to betray other Android
 and macOS/macOS X. My testing is incomplete, but enough to prove OS FP'ing.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29566>
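
A uniformity check for the part 1 values, as an added example that is not part of the original ticket: it evaluates the nine probes on the current engine and lists any result that differs from the strings the reporter recorded. The function names and the injectable `impl` parameter are assumptions of this example.

```javascript
// Reference strings copied from part 1 of the ticket
// (reported identical on ESR60, FF60-66 and Tor Browser).
const REFERENCE = {
  "asinh(1)": "0.8813735870195429",
  "acosh(1e300)": "Infinity",
  "atanh(0.5)": "0.5493061443340548",
  "expm1(1)": "1.7182818284590455",
  "cbrt(100)": "4.641588833612778",
  "log1p(10)": "2.3978952727983707",
  "sinh(1)": "1.1752011936438016",
  "cosh(10)": "11013.232920103324",
  "tanh(1)": "0.7615941559557649",
};

// Evaluate every probe in REFERENCE against a Math-like object.
// `impl` is injectable (assumption of this example) so the comparison
// logic can be exercised with a stub instead of the real engine.
function collectMathValues(impl = Math) {
  const observed = {};
  for (const probe of Object.keys(REFERENCE)) {
    // "expm1(1)" -> fn = "expm1", arg = "1"
    const [, fn, arg] = /^(\w+)\((.+)\)$/.exec(probe);
    observed[probe] = String(impl[fn](Number(arg)));
  }
  return observed;
}

// Return the probes whose observed string differs from the reference.
// An empty array means this engine cannot be told apart from the
// reference builds on these nine probes; any entry is a distinguishing bit.
function diffAgainstReference(observed) {
  return Object.entries(REFERENCE)
    .filter(([probe, expected]) => observed[probe] !== expected)
    .map(([probe, expected]) => ({ probe, expected, observed: observed[probe] }));
}

// Report for the engine this script runs in (browser console or Node).
console.log(diffAgainstReference(collectMathValues()));
```

Comparing the exact decimal strings rather than rounded numbers matters here, because a difference in the last digit alone is enough to separate two implementations.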