[tor-bugs] #15646 [Tor Browser]: KeyboardEvent may allow fingerprinting of keyboard layout

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 21 13:24:47 UTC 2015 

#15646: KeyboardEvent may allow fingerprinting of keyboard layout
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  arthuredelstein
  cypherpunks            |     Status:  needs_revision
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  ff38-esr, tbb-fingerprinting, tbb-5
  Browser                |  .0a-highrisk, TorBrowserTeam201507R,
   Resolution:           |  GeorgKoppen201507R, tbb-5.0a4
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------
Changes (by gk):

 * status:  needs_review => needs_revision


Comment:

 This looks better now. But we should give default values for `altKey` and
 `ctrlKey` as well (maybe even `metaKey`, too?) as not doing so might
 reveal the underlying keyboard layout (or maybe better: it might exclude
 possible keyboard layouts) as well:

 German keyboard layout

 {{{
 event = keydown
 key = |
 charCode = 0
 which = 220
 code = Backslash
 keyCode = 220
 location = 0
 altKey = true
 ctrlKey = true
 metaKey = false
 shiftKey = true
 }}}

 English keyboard layout

 {{{
 event = keydown
 key = |
 charCode = 0
 which = 220
 code = Backslash
 keyCode = 220
 location = 0
 altKey = false
 ctrlKey = false
 metaKey = false
 shiftKey = true
 }}}

 Two nits:

 {{{
 // KEY and SHIFT Assign
 }}}
 s/Assign/assign

 {{{
 #define KEY_INTERNAL(key, code, keyCode, shift)                    \
 }}}
 It seems you wanted to align the backslashes but forgot one whitespace
 here?

 Re: comment:6 I think the approach is okay. Could you take care of filing
 the new ticket you mentioned there? And a new ticket about investigating
 the possible initialization race Mike mentioned (or maybe you are already
 sure that can't bite us?)?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15646#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list