[tor-bugs] #32875 [Applications/Tor Browser]: alpha vs stable branding entropy

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jan 4 22:17:19 UTC 2020 

#32875: alpha vs stable branding entropy
------------------------------------------+--------------------------------
     Reporter:  Thorin                    |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Low                       |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:  tbb-fingerprinting
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+--------------------------------
 Since 8.5a7 (Jan 30th 2019) and 9.0a1+ (Mar 21 2019), TB alpha builds got
 a different `chrome://branding/content/about-wordmark.svg` - one that says
 "nightly"

 This file can be read and measured: easily distinguishing alpha from
 stable users

 Note: there will always be **easy** entropy between major ESR versions
 (such as feature detection changes e.g. between ESR60 vs ESR68).

 This is about the (much longer?) periods where alpha and stable are on the
 same ESR base - like right now. While there will possibly be *some*
 changes between these, FP'ers would have to work hard and keep up to date:
 and not all would necessarily be FP'able. Whereas this method (measuring a
 `contentaccessible` resource) means no upkeep and 100% reliable.

 Whether or not TB stays on ESR cycles or moves to 4-weekly cycles has an
 impact.

 For TB alpha users (I assume a small percentage and thus the entropy would
 be very high), it would be nice to lock this off.

 I'm not even sure where this is used, if at all: I don't see it displayed
 anywhere (it's not in about:tor or Help>About Tor Browser). I'm sure there
 was a reason it was changed, I just don't know that reason. Would limiting
 this particular branding to system principal content work?

 **PoC**
 You can see it in action at
 https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#useragent

 The svg is displayed under `[css] branding` and the js determination and
 measurements are under `[resource://] browser`

 I'll post a pic and leave it up to you guys

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32875>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list