[tor-talk] Tor browser can be fingerprinted

[Mike Perry]

Georg Koppen:
> On 12.09.2013 14:56, harmony wrote:
> > Is the window size that Tor Browser uses when you first open it to be
> > taken therefore as some kind of default, not to be changed, or can you
> > resize the window as much as you like, as long as you don't maximize it?
> 
> Well, of course, you can resize the window as much as you like. But then
> you probably loose the benefit of having the same browser window size as
> many other users.

An important detail that hasn't been mentioned explicitly in this thread
is that the inner render window size is the *only* information we report
(unlike the other major browsers, who also report desktop size, taskbar
size, and window and toolbar decoration size information).

The way this is accomplished is that TBB reports the inner render window
size as your entire desktop, and it reports the outer window size as the
same size as this render window (effectively this means that the
window decorations and toolbars are all 0-sized).


So this means that if you resize your browser, you also get a totally
different display fingerprint. However, if you resize it to something
weird, and continue to use that weird size for a while, all of that
activity is highly linkable to advertisers until you resize again.

Also it is worth mentioning that disabling Javascript does not protect
against this type of fingerprinting, as it is available to CSS too:
https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries

To learn about more fingerprinting issues in TBB that could use some
help:
https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&status=!closed


-- 
Mike Perry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20130913/179cacaf/attachment.sig>