[tor-bugs] #26607 [Applications/Tor Browser]: verify that subpixel accuracy of window scroll properties does not add fingerprinting risk

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 16 23:37:38 UTC 2019


#26607: verify that subpixel accuracy of window scroll properties does not add
fingerprinting risk
-------------------------------------------------+-------------------------
 Reporter:  mcs                                  |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-fingerprinting, ff60-esr,        |  Actual Points:
  TorBrowserTeam201904                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by Thorin):

 Replying to [comment:18 acat]:
 > This is leaking the actual `window.devicePixelRatio` (always set to 1
 with resistfingerprinting)

 Nice PoC! Added `window.devicePixelRatio` (DRP) output to my test to make
 things easy, and some tests

 my Android: RFP=true
 [1] subpixel: `.5`,  dpr: `1`
 [2] window=`1` guessed=`2`

 my Android: RFP=false (I restarted the device)
 [1] subpixel: `.5`, dpr: `2`
 [2] window=`2` guessed=`2`

 So you're extrapolating the DPR based on scroll because scroll (among
 others) uses DPR in it's calculations, and DPR spoofing doesn't allow for
 that?

 Original DPR spoof upstream ticket from Arthur:
 https://bugzilla.mozilla.org/show_bug.cgi?id=418986#c50

 [1] https://thorin-oakenpants.github.io/testing/
 [2] https://acatarineu.github.io/fp/devicePixelRatio.html

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26607#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list