[tor-bugs] #16678 [Applications/Tor Browser]: Enhance KeyboardEvent fingerprinting protection for unusual characters

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 26 05:02:13 UTC 2017 

#16678: Enhance KeyboardEvent fingerprinting protection for unusual characters
-------------------------------------------------+-------------------------
 Reporter:  arthuredelstein                      |          Owner:  sysrqb
     Type:  enhancement                          |         Status:
                                                 |  needs_revision
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-fingerprinting,                  |  Actual Points:
  TorBrowserTeam201709                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by sysrqb):

 Okay, following up on the comment Arthur made [0], I think we can mitigate
 this by suppressing the keydown events on dead keys and track these keys
 as modifier keys. The current behavior when a dead key is pressed is an
 event is dispatched with `key="Dead"`. In Firefox, the javascript keydown
 callback's event.code reflects the key pressed (ex. BracketLeft), and
 `charCode=which=keyCode=location=0` and `altKey=ctrlKey=metaKey=false`.
 With this patch, Tor Browser sends `key="Dead"` and checks the hashmap for
 the proper code (of which there isn't a mapping, so it chooses the
 default). When the next character is pressed, Firefox and Tor Browser
 dispatch another event that contains the raw (unmodified) character that
 was pressed (ex. `key='o'`). It does not make the substitution. I believe
 we can use the functionality already available in the TextInputProcessor
 for tracking a dead key and dispatching an event with the modified
 character.

 I think in the short term, it's safe to suppress keydown events dead keys.
 As with shift/alt/altgr this only filters dead keys from javascript
 keydown callbacks, I confirmed this does not affec
 t input in chrome fields or using dead keys on interactive javascript
 websites like etherpad.

 [0] https://github.com/sysrqb/tor-
 browser/commit/52b021674c6885d30e851557b14a8d70b5702a75#commitcomment-24553008

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16678#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list