[tor-bugs] #15646 [Tor Browser]: KeyboardEvent may allow fingerprinting of keyboard layout
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jun 17 19:13:20 UTC 2015
#15646: KeyboardEvent may allow fingerprinting of keyboard layout
-------------------------+-------------------------------------------------
Reporter: | Owner: arthuredelstein
cypherpunks | Status: needs_review
Type: defect | Milestone:
Priority: major | Version:
Component: Tor | Keywords: ff38-esr, tbb-fingerprinting, tbb-5
Browser | .0a-highrisk, TorBrowserTeam201506
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Changes (by arthuredelstein):
* status: assigned => needs_review
Comment:
Here's a patch for review:
https://github.com/arthuredelstein/tor-
browser/commit/a409f8ffa3a26a3d96c5bba8ff6caa4e0b8d61db
To summarize: I provide consensus (US-English-style) fake properties for
`KeyboardEvent`, namely `code`, `keyCode`, `location` and `shiftKey`. So,
for example, if the user types `?`, the result will be `code = 'Slash'`,
`keyCode = 191`, `shiftKey = true`, `location = 0`, regardless of the
keyboard layout. Numbers are always reported as arriving from the keys
located above "QWERTY", even if they are typed on the NumPad.
Note that for now I have focused on ASCII (US English) characters and
standard keyboard control keys. Characters from other languages will
simply return a `KeyboardEvent.keyCode` of 0 and an empty `Keyboard.code`.
It should be straightforward to spoof `.keyCode` and `.code` for higher
unicode points, but I think it makes sense to postpone that for another
ticket while this approach is reviewed and perhaps tested by users in an
alpha.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15646#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list