[tor-bugs] #4810 [TorBrowserButton]: Weird screen sizes reported by Panopticlick

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Jan 25 22:39:51 UTC 2012


#4810: Weird screen sizes reported by Panopticlick
------------------------------+---------------------------------------------
 Reporter:  erikd             |          Owner:  mikeperry         
     Type:  defect            |         Status:  needs_revision    
 Priority:  normal            |      Milestone:                    
Component:  TorBrowserButton  |        Version:  Torbutton: 1.4.4.1
 Keywords:                    |         Parent:                    
   Points:                    |   Actualpoints:                    
------------------------------+---------------------------------------------
Changes (by mikeperry):

  * status:  assigned => needs_revision
  * cc: pde (added)


Comment:

 Ok, so first off, this is not as big an issue as it seems:
 https://blog.torproject.org/blog/effs-panopticlick-and-torbutton

 However, enough people seem to be going to Panopticlick and becoming
 concerned that we should try to do something to combat the FUD.

 Right now, what torbutton does is to pick an initial window size in
 200x100 increments based on your desktop resolution. This should only
 result in a handful of combinations for most monitor sizes. It then reports
 this browser resolution as your desktop resolution. The problem with this
 wrt Panopticlick is that the resulting values are not popular desktop
 resolutions.

 The problem for us is that providing different values that are in any way
 related to your real desktop resolution will actually leak more
 information than what we do currently.

 However, there may be a solution where we either alter the set of initial
 window sizes to be actual common-ish desktop resolutions that happen to be
 smaller than your current desktop, or we just assign a fixed mapping from
 each of these window sizes to a fake desktop size that is larger (but
 ideally within a sane bound of the current desktop).

 This fixed-mapping approach should result in the same total joint entropy,
 because there are exactly the same number of possible values, but the
 desktop sizes happen to look nicer to Panopticlick because they are more
 common. I think it is worth doing this to reduce the FUD about Torbutton
 and TBB.

 The code that sets the initial window size is in
 torbutton_set_window_size():
 https://gitweb.torproject.org/torbutton.git/blob/master:/src/chrome/content/torbutton.js#l4063

 Note that this code is at a different privilege level than the code in
 jshooks4.js. You can only get values into jshooks4.js by smuggling them in
 the torbutton_hookdoc() function:
 https://gitweb.torproject.org/torbutton.git/blob/master:/src/chrome/content/torbutton.js#l4459

 Does this make sense?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4810#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
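
The fixed-mapping argument in the comment above, as an added example that is not part of the original message and is not Torbutton code: it quantizes a constructed population of desktop resolutions in 200x100 steps, gives each resulting window size its own common desktop resolution, and compares the Shannon entropy of the reported values before and after. The round-down rule, the list of common resolutions and the sample population are assumptions.

```javascript
// Added illustration, not Torbutton code. The round-down rule, the list of
// common resolutions and the sample population are constructed assumptions.
const COMMON = [[1024, 768], [1280, 800], [1280, 1024], [1366, 768], [1440, 900],
                [1600, 900], [1680, 1050], [1920, 1080], [1920, 1200], [2560, 1440]];
const DESKTOPS = [[1366, 768], [1360, 768], [1920, 1080], [1920, 1080],
                  [1280, 1024], [1440, 900], [1680, 1050], [1600, 900]];
const key = ([w, h]) => `${w}x${h}`;

// Quantize a desktop to a window size in 200x100 steps (assumed: round down).
function windowSize([w, h]) {
  return [Math.floor(w / 200) * 200, Math.floor(h / 100) * 100];
}

// Fixed table: each window size -> an unused common desktop size that is no
// smaller than the window. Targets are never reused, so the table stays
// one-to-one, which is what the "same number of possible values" argument needs.
function buildMapping(windows) {
  const distinct = [...new Map(windows.map(s => [key(s), s])).values()]
    .sort((a, b) => a[0] - b[0] || a[1] - b[1]);
  const used = new Set(), table = new Map();
  for (const [w, h] of distinct) {
    const pick = COMMON.find(c => c[0] >= w && c[1] >= h && !used.has(key(c)));
    if (!pick) throw new Error(`no unused common size covers ${w}x${h}`);
    used.add(key(pick));
    table.set(key([w, h]), key(pick));
  }
  return table;
}

// Shannon entropy in bits of the values a population reports.
function entropy(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let bits = 0;
  for (const c of counts.values()) bits -= (c / values.length) * Math.log2(c / values.length);
  return bits;
}

function compare() {
  const windows = DESKTOPS.map(windowSize);
  const table = buildMapping(windows);
  const current = windows.map(key);                 // what is reported today
  const mapped = current.map(k => table.get(k));    // what the mapping reports
  return { table, real: entropy(DESKTOPS.map(key)),
           current: entropy(current), mapped: entropy(mapped) };
}

console.log(compare());
```

With this sample population both reported distributions carry 2.5 bits, against 2.75 bits for the real resolutions; only the labels change.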