[tor-bugs] #16678 [Applications/Tor Browser]: Enhance KeyboardEvent fingerprinting protection for unusual characters

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 25 21:10:48 UTC 2017

#16678: Enhance KeyboardEvent fingerprinting protection for unusual characters
 Reporter:  arthuredelstein                      |          Owner:  sysrqb
     Type:  enhancement                          |         Status:
                                                 |  needs_revision
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-fingerprinting,                  |  Actual Points:
  TorBrowserTeam201709                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
Changes (by arthuredelstein):

 * keywords:  tbb-fingerprinting, TorBrowserTeam201709R => tbb-
     fingerprinting, TorBrowserTeam201709
 * status:  needs_review => needs_revision


 Replying to [comment:10 sysrqb]:
 > I surveyed the different layouts shown on the QWERTY [0], QWERTZ [1],
 and AZERTY [2] pages on Wikipedia, and I documented (roughly) the
 different keys (attached). From this, the patch [3] contains 131 unicode
 characters, covering most Latin charset-based keyboard layouts.

 Thank you for the patch. I think this is a significant enhancement to our
 previous patch. I wrote some comments and suggested revisions on the
 github commit at

 Additionally (though not necessarily for the deadline) I would suggest
 adding a comment for each key mentioning which keyboard layout each key
 came from. (All previous keys came from the US keyboard.) Once the
 annotations are added, it would be prudent to have another review to
 carefully check each of the mappings to make sure they are correct.

 Could you also comment here for the record on AltGr vs Alt vs AltLeft? Is
 AltGr they expected modifier in KeyboardEvents from most modern keyboards?
 It doesn't seem to appear on my Mac, if I recall correctly.

 > The patch falls back on code "IntlBackslash" and keycode 220, when a
 mapping does not exist for a key. Something unfortunate/annoying I found
 while working on this is that unicode provides more than one code for the
 same glyph (such as U+0110 (capital letter D with stroke) and U+00D0
 (capital letter eth) for Ð), so I am worried some keyboard
 drivers/platforms use different codes for characters that are visually the
 same, thus this patch may result in slightly strange behavior.

 I guess we can't do anything about that confusion, correct? Do you think
 it would somewhat to block the key codes or match them for those
 doppelganger characters?

 > The key-to-code mappings were decided by taking the results of the
 survey and choosing the most common keyboard key per character/symbol.
 There were many symbols that were in a unique location on different
 layouts, so I chose a key that seemed reasonable.
 > {{{
 > $ sort -t, -k 3 unicode_keyboard_keys | sed 's/, /,/g' | awk -F, '{
 print $3", "$2", "$5; }' | sort | uniq -c | less
 > }}}

 That's an interesting shell one-liner. Could you post the instructions on
 what it does and how to reproduce it for future work? :)

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16678#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list