[tor-talk] Tor browser can be fingerprinted

Marthin Miller torproblem at aol.com
Wed Sep 11 16:50:41 UTC 2013

Hi. The main problem with what you made public as Tor software is that it uses 1024-bit RSA keys, which can be cracked in a few hours and compromise the Tor path. But Tor Browser also has another big problem which compromises the user's anonymity (fixing it is very simple). I checked out http://browserspy.dk/screen.php from different machines running Tor. The problem is that the screen resolution is kind of unique! When Tor starts, a browser window pops up automatically which is not full screen (even this window has a unique screen size value sometimes), but when the user maximizes the browser window it gets worse, as many users have different types of monitors or custom screen resolutions... The screen size value even changes when showing/hiding the bookmark toolbar/add-on bar...
   Practical example:
   Virtual machines have very custom resolution values, as they are normal windows in the workplace and users may resize them to suit their interests. Let's say it's 2071x943, and the user visits Gmail, to which his identity is attached somehow. A bit later he visits another website that contains Google Analytics; they can guess who this anonymous person is just by the screen size value, as nobody else visited this page today with this information.

Also, if you let users choose how much security they want, that's better (for example, choosing high padding and time delay on relays if security has more priority than speed).
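
The linkability described in the message above, measured as anonymity-set sizes; this is an added example, not part of the original post. The visit records are constructed, and the 200x100 rounding grid is an assumption used only to show the effect of coarser size values (the post does not name its fix).

```javascript
// Constructed sample: one record per visit as an embedded analytics script
// would see it. No IP address, no cookie, only the reported window size.
const visits = [
  { site: "mail", session: "A1", w: 2071, h: 943 }, // resized VM window from the post
  { site: "mail", session: "B1", w: 1000, h: 600 },
  { site: "mail", session: "C1", w: 1000, h: 600 },
  { site: "mail", session: "D1", w: 2048, h: 921 },
  { site: "news", session: "A2", w: 2071, h: 943 },
  { site: "news", session: "B2", w: 1000, h: 600 },
  { site: "news", session: "E2", w: 1000, h: 600 },
  { site: "news", session: "D2", w: 2048, h: 921 },
];

// Round a size down to a step grid; a step of 1 keeps the exact value.
function sizeKey(v, stepW = 1, stepH = 1) {
  const w = Math.floor(v.w / stepW) * stepW;
  const h = Math.floor(v.h / stepH) * stepH;
  return `${w}x${h}`;
}

// Group one site's sessions by reported size: each group is an anonymity set.
function anonymitySets(records, site, stepW = 1, stepH = 1) {
  const sets = new Map();
  for (const v of records.filter((r) => r.site === site)) {
    const key = sizeKey(v, stepW, stepH);
    sets.set(key, [...(sets.get(key) || []), v.session]);
  }
  return sets;
}

// A size seen exactly once on each site lets an observer of both join the visits.
function linkableSessions(records, siteA, siteB, stepW = 1, stepH = 1) {
  const a = anonymitySets(records, siteA, stepW, stepH);
  const b = anonymitySets(records, siteB, stepW, stepH);
  const links = [];
  for (const [key, sessions] of a) {
    const other = b.get(key);
    if (sessions.length === 1 && other && other.length === 1) {
      links.push({ size: key, sessions: [sessions[0], other[0]] });
    }
  }
  return links;
}

console.log("exact sizes:", linkableSessions(visits, "mail", "news"));
console.log("200x100 grid:", linkableSessions(visits, "mail", "news", 200, 100));
```

Rounding only helps when other visitors fall into the same bucket: a size that is still alone in its bucket remains linkable.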
