[tor-bugs] #13543 [Tor Browser]: HTML5 media support may lead to OS fingerprinting (was: Tor Browser 4 loads external plugins)

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 23 21:55:35 UTC 2014 

#13543: HTML5 media support may lead to OS fingerprinting
-----------------------------+-----------------------------------
     Reporter:  cypherpunks  |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-fingerprinting-os
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+-----------------------------------
Changes (by mikeperry):

 * keywords:  tbb-fingerprinting => tbb-fingerprinting-os


Comment:

 I reviewed the coupling for gstreamer and other codecs on Linux, MacOS,
 and Windows (see content/media in the Firefox source tree), and it appears
 that the actual networking is performed over nsIChannels, which should be
 proxied. See #13020. The only exception I found was for Android, where
 RTSP could be used, which uses UDP and not nsIChannels.

 Granted the fact that these codecs are binary may mean that they do all
 sorts of strange things, so prefs to disable these codecs may still be
 useful for the security slider (#9387). We already were thinking of
 disabling everything but WebM and VP8-9 at the high security level there.

 As for fingerprinting, OS fingerprinting is the next cliff of
 fingerprinting issues, and I suspect a lot of things actually allow the OS
 type to be inferred in various ways. I think trying to solve the OS
 fingerprinting issues before dealing with more serious things that
 actually allow more detailed inference about the computer may be a
 mistake, especially when it comes at the cost of functionality. Hence I'm
 trying to break out the fingerprinting issues that likely only yield the
 OS type into their own sub-tag (tbb-fingerprinting-os).

 That said, if different people's computers may have different versions of
 these codecs installed because of third party software or OS
 localization/version differences, and that fact is still detectable, then
 this may be a more serious concern.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13543#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list