Torbutton, CSS3 and window size

Mike Perry mikeperry at fscked.org
Fri Dec 10 03:29:25 UTC 2010


Thus spake Just A. User (just_a_user at justemail.net):

> http://what-is-my-ip-address.anonymous-proxy-servers.net
> are able to discover the browser's window inner dimensions
> accurately.
>
> The font downloading attack (@font-face based) from that test is
> also successful.

The short answer here is that new CSS3-based fingerprinting attacks
are currently not possible to fully defend against through
extension-land, and that while we do take them seriously, we don't
have a lot of options to truly protect against them in the short term.

JonDoNym is performing a bit of slight of hand on its users wrt to
these attacks. It only "protects" against these attacks by requiring
that Javascript be disabled, but this is not a full defense. The CSS3
"Media Queries" allow you to select entire stylesheets to be loaded on
the basis of screen resolution and display information:
https://developer.mozilla.org/En/CSS/Media_queries

Thus, media queries are quite capable of inducing element loads based
on screen resolution and font information, which can be used to ping a
server with information about your resolution without the need for
Javascript. The mechanisms for this are similar to the CSS-only
history attack that does not require Javascript and works on Firefox
2.x and 3.x: http://ha.ckers.org/weird/CSS-history-hack.html

The JonDoNym test is only using the Javascript versions of these
attacks, and therefore the JonDoFox profile they provide is given a
green "pass" against them, even though a dedicated adversary could
extract the same information with CSS3 alone. When I run Torbutton
with Javascript disabled, I get very similar results to the JonJoFox
profile on their test (are you sure you had javascript fully
disabled?)

But again, the reality is this is not the whole story.

We are currently actively trying to get people at the W3C and inside
Google and Mozilla to address these issues, because short of us
patching the browsers directly, there is not much we can do here. We
may end up patching our Tor Browser Bundle builds if it doesn't appear
that any of these groups are taking these new fingerprinting vectors
seriously. This places us in an interesting legal situation with
Mozilla, because technically such a patch means that we can no longer
use the trademark "Firefox" to describe the browser we provide in this
case.

Our goal for the W3C is to get them to define a common subset of
rendering behaviors that all browsers can adhere to while in "private
browsing mode". I believe the timeline for adoption of this standard
would be measured in multiple years, though.

Our goal with the browsers is to convince them to provide us with some
kind of API to interact with CSS and the rendering system. For Chrome,
their release cycle is faster and this process would be measured in
months (if we had all the other APIs we needed, see
https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprinting).
But for Firefox, their release cycle is slower, and this time period
is probably still measuted in years.

So to sum it up, lots of rocks, and lots of hard places :/

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20101209/bf24b747/attachment.pgp>


More information about the tor-talk mailing list