[tor-bugs] #16678 [Applications/Tor Browser]: Enhance KeyboardEvent fingerprinting protection for unusual characters
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Sep 25 21:10:48 UTC 2017
#16678: Enhance KeyboardEvent fingerprinting protection for unusual characters
-------------------------------------------------+-------------------------
Reporter: arthuredelstein | Owner: sysrqb
Type: enhancement | Status:
| needs_revision
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-fingerprinting, | Actual Points:
TorBrowserTeam201709 |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by arthuredelstein):
* keywords: tbb-fingerprinting, TorBrowserTeam201709R => tbb-
fingerprinting, TorBrowserTeam201709
* status: needs_review => needs_revision
Comment:
Replying to [comment:10 sysrqb]:
> I surveyed the different layouts shown on the QWERTY [0], QWERTZ [1],
and AZERTY [2] pages on Wikipedia, and I documented (roughly) the
different keys (attached). From this, the patch [3] contains 131 unicode
characters, covering most Latin charset-based keyboard layouts.
Thank you for the patch. I think this is a significant enhancement to our
previous patch. I wrote some comments and suggested revisions on the
github commit at
https://github.com/sysrqb/tor-
browser/commit/52b021674c6885d30e851557b14a8d70b5702a75#diff-
8e201eb85e7d7abe2bb6b78e12c5081aR411
Additionally (though not necessarily for the deadline) I would suggest
adding a comment for each key mentioning which keyboard layout each key
came from. (All previous keys came from the US keyboard.) Once the
annotations are added, it would be prudent to have another review to
carefully check each of the mappings to make sure they are correct.
Could you also comment here for the record on AltGr vs Alt vs AltLeft? Is
AltGr they expected modifier in KeyboardEvents from most modern keyboards?
It doesn't seem to appear on my Mac, if I recall correctly.
> The patch falls back on code "IntlBackslash" and keycode 220, when a
mapping does not exist for a key. Something unfortunate/annoying I found
while working on this is that unicode provides more than one code for the
same glyph (such as U+0110 (capital letter D with stroke) and U+00D0
(capital letter eth) for Ð), so I am worried some keyboard
drivers/platforms use different codes for characters that are visually the
same, thus this patch may result in slightly strange behavior.
I guess we can't do anything about that confusion, correct? Do you think
it would somewhat to block the key codes or match them for those
doppelganger characters?
> The key-to-code mappings were decided by taking the results of the
survey and choosing the most common keyboard key per character/symbol.
There were many symbols that were in a unique location on different
layouts, so I chose a key that seemed reasonable.
>
> {{{
> $ sort -t, -k 3 unicode_keyboard_keys | sed 's/, /,/g' | awk -F, '{
print $3", "$2", "$5; }' | sort | uniq -c | less
> }}}
That's an interesting shell one-liner. Could you post the instructions on
what it does and how to reproduce it for future work? :)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16678#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list