[tor-bugs] #17207 [Tor Browser]: Testing navigator.mimeTypes for known names can reveal info and increase fingerprinting risk

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 2 19:19:25 UTC 2015


#17207: Testing navigator.mimeTypes for known names can reveal info and increase
fingerprinting risk
-------------------------------+----------------------------
     Reporter:  TemporaryNick  |      Owner:  tbb-team
         Type:  defect         |     Status:  new
     Priority:  normal         |  Milestone:
    Component:  Tor Browser    |    Version:
   Resolution:                 |   Keywords:  fingerprinting
Actual Points:                 |  Parent ID:
       Points:                 |    Sponsor:
-------------------------------+----------------------------

Comment (by TemporaryNick):

 I uploaded an example, which tests only the application types listed by
 IANA.  There are other types than can be checked and there are an unknown
 number of types that aren't registered with IANA.

 I think the issue is that when you check for a MIME Type in this way, the
 browser checks with the OS to see whether the MIME Type has been
 registered.  Which MIME Types are registered depends on which application
 software and/or drivers the user chose to install.  My test results were
 different on different Windows systems.  I was, however,  testing with a
 more comprehensive list than that shown in the demonstration.

 I think the place to start may be nsMimeTypeArray.cpp, and what happens
 when you check for a named item.  I found someone talking about this type
 of issue and approaching it via GreaseMonkey script.  They mentioned that
 websites frequently test for some specific MIME Types, so simply blocking
 named lookups may not be practical.

 I don't know enough to tackle this issue.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17207#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list