[tbb-dev] Canvas Breakage Ideas

Sat Jun 13 14:32:15 UTC 2020

On Fri, Jun 12, 2020 at 06:56:22PM +0000, Tom Ritter wrote:
> That's typically the first tact to take to test fingerprinting; but it 
> can only prove a positive difference, it can't prove a negative.

Yes, it wouldn't be a comprehensive test but would add some weight to our theories. Also, as David pointed out, we should probably include quality levels in our test.

> From your description, if JPEG compression is deterministic then
> toDataURL is deterministic. I bountied 
> https://stackoverflow.com/questions/25303201/does-lossy-decompression-
> always-generate-same-output
> to try to figure out.

Yup, it seems so, but toDataURL doesn't necessarily need to be deterministic for us to implement this feature since we will only allow toDataURL calls if the canvas was "untainted"; that is, it only has user-uploaded data. Thus, unless the attacker can get everyone to upload the same image, they will not be able to distinguish between users via subtle differences.

> Also, FWIW I think we are at the point where if we aren't ready to
> implement, we should document this idea in a tbb-spec so it doesn't
> get lost.

I vote draft tbb-spec. There still seems to be a lot of wiggle room (for instance, what operations are "tainting") in designing this feature and getting the design all fleshed out before writing code might help save time and prevent confusion in the future.

Best,
Sanketh

-----Original Message-----
From: tbb-dev <tbb-dev-bounces at lists.torproject.org> On Behalf Of David Fifield
Sent: June 12, 2020 3:36 PM
To: tbb-dev at lists.torproject.org
Subject: Re: [tbb-dev] Canvas Breakage Ideas

On Fri, Jun 12, 2020 at 06:56:22PM +0000, Tom Ritter wrote:
> On Tue, 2 Jun 2020 at 02:20, Sanketh Menda <sgmenda at uwaterloo.ca> wrote:
> > > We also tested the impact of compressing a canvas rendering to the 
> > > JPEG format. It should be noted that the JPEG compression comes 
> > > directly from the Canvas API and is not applied after collection. 
> > > Due to the lossy compression, it should come as no surprise that 
> > > the entropy from JPEG images is lower than the PNG one usually 
> > > used by canvas fingerprinting tests (from 0.407 to 0.391)
> >
> > Is there an easy way for us to do a study on this? Specifically, fix 
> > a random image, and then on a bunch of different computers, read the 
> > image and then do a `toDataURL('image/xxx')` for each of the formats.
> 
> That's typically the first tact to take to test fingerprinting; but it 
> can only prove a positive difference, it can't prove a negative.
> 
> >From your description, if JPEG compression is deterministic then
> toDataURL is deterministic. I bountied 
> https://stackoverflow.com/questions/25303201/does-lossy-decompression-
> always-generate-same-output
> to try to figure out.

With toDataURL("image/jpeg"), you can also specify the quality level.
DIfferent quality levels do result in different compressed outputs, even with a blank canvas. I did a quick test of this in 2018 (probably using whatever Firefox ESR was at the time) and saved partial results:
	>> c = document.createElement("canvas")
	>> c.width = 100
	>> c.height = 100
	>> urls = [0.0, 0.25, 0.5, 0.75, 1.0].map(q => c.toDataURL("image/jpeg", q))
	>> urls.map(x => x.length)
	Array [ 1119, 1119, 1123, 1123, 1255 ]
	>> urls.map(x => x.substr(-10))
	Array [ "ACiiigD//Z", "oAKKKKAP/Z", "iigD//2Q==", "oooA//2Q==", "CgAoAKAP/Z" ]

Running the same console commands today in Firefox 68.9.0esr produces the same output.
_______________________________________________
tbb-dev mailing list
tbb-dev at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev