[tor-bugs] #10286 [Applications/Tor Browser]: Touch events leak absolute screen coordinates
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Apr 26 16:09:44 UTC 2017
#10286: Touch events leak absolute screen coordinates
-------------------------------------------------+-------------------------
Reporter: mikeperry | Owner:
| arthuredelstein
Type: defect | Status:
| needs_review
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-fingerprinting-resolution, | Actual Points:
ff52-esr, tbb-testcase, tbb-firefox-patch, |
TorBrowserTeam201704R, tbb-7.0-must-alpha |
Parent ID: | Points:
Reviewer: | Sponsor:
| Sponsor4
-------------------------------------------------+-------------------------
Comment (by arthuredelstein):
I have thought some more and I now think my reasoning in comment:24 is
wrong. Some laptop/desktop users will be using a touch screen or stylus
frequently, which means that two such sessions can be positively
correlated. That means we have allowed some fingerprinting, even if a
third session where the Touch API is not used cannot be positively linked
to the first two.
So now I am inclined to disable the Touch API altogether. Here's a new
branch with 3 patches. The first simply disables the pref. The next two
patches are the same as before (censoring the true screenX, etc.); the
latter two are included as a possible defense in depth, in case the Touch
API gets activated by the user or by us in the future, but those patches
are not absolutely necessary.
https://github.com/arthuredelstein/tor-browser/commits/10286+2
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10286#comment:25>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list