[tor-bugs] #13021 [Tor Browser]: Review Canvas APIs for fingerprintability
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Sep 17 06:21:43 UTC 2014
#13021: Review Canvas APIs for fingerprintability
-------------------------+-------------------------------------------------
Reporter: | Owner: brade
mikeperry | Status: assigned
Type: task | Milestone:
Priority: major | Version:
Component: Tor | Keywords: ff31-esr, tbb-fingerprinting,
Browser | TorBrowserTeam201409
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Comment (by dcf):
Replying to [comment:6 gacar]:
> Replying to [comment:5 mcs]:
> > Kathy and I also reviewed the canvas APIs. Here are a few of our
observations:
>
> > * We have not done anything to block use of isPointInPath() and
isPointInStroke(). Do we need to block these?
> >
>
> I could not find any way to exploit those two for fingerprinting, but
better someone else give a shot too.
>
> Some canvas fingerprinting scripts found to use isPointInPath() with
"even-odd" winding rule, but I think this was just to check browser
support - will be same for all TBs. Unless someone says "the internal
representations of the paths may depend on the graphics stack too!"
It might be possible to get some mileage out of floating-point precision
issues. For example, attachment:path.html draws quarter-circles in
different ways (with `arc` and `bezierCurveTo` and `quadraticCurveTo`) and
with different transformation matrices, and then tests points right on the
perimeter of the circle.
I see different fingerprints in different versions of Firefox on the same
system, and the same version of Tor Browser on different operating
systems. I didn't get different fingerprints for the same Tor Browser on
the same OS, but I only tried three installations.
The fingerprint I get with Tor Browser 4.0-alpha-2 on Debian is:
{{{
arc
( T F F F T T ) ( T F F F T T ) ( T F F F T T )
arc prerotated
( F F F T T T ) ( F F F T T T ) ( F F F T T T )
bezierCurve
( T F F F T T ) ( T F F F T T ) ( T F F F T T )
bezierCurveTo prerotated
( F F F T T T ) ( F F F T T T ) ( F F F T T T )
quadraticCurve
( T T T T T T ) ( T T T T T T ) ( T T T T T T )
quadraticCurve prerotated
( F F F T T T ) ( F F F T T T ) ( F F F T T T )
}}}
We can guess that the underlying representation for `arc` is a cubic
Bezier, because the corresponding rows match. The one for Firefox 31 on
the same Debian is a little different:
{{{
arc
( T F F F T T ) ( T F F F T T ) ( T F F F T T )
arc prerotated
( F F F T T T ) ( F F F T T T ) ( F F F F T T )
bezierCurve
( T F F F T T ) ( T F F F T T ) ( T F F F T T )
bezierCurveTo prerotated
( F F F T T T ) ( F F F T T T ) ( F F F F T T )
quadraticCurve
( T T T T T T ) ( T T T T T T ) ( T F T F T T )
quadraticCurve prerotated
( F F F T T T ) ( F F F T T T ) ( F F F F T T )
}}}
Tor Browser 4.0-alpha-1 on Windows 8 is:
{{{
arc
( T T T T T T ) ( F T T T T T ) ( F T F F F T )
arc prerotated
( F F F T T T ) ( F F F T T T ) ( F F T T F T )
bezierCurve
( T T T T T T ) ( F T T T T T ) ( F T F F F T )
bezierCurveTo prerotated
( F F F T T T ) ( F F F T T T ) ( F F T T F T )
quadraticCurve
( T T T T T T ) ( F T T T T T ) ( F T F F F T )
quadraticCurve prerotated
( F F F T T T ) ( F F F T T T ) ( F F T T F T )
}}}
The fact that the result of isPointInPath can change just by applying a
different transformation matrix (even though the test point gets
multiplied by the same matrix) shows that there are probably some
measurable precision issues. Whether they could ever distinguish the same
Firefox on the same OS, I don't know.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13021#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list