[tor-talk] Tor browser can be fingerprinted

Alexandre Guillioud guillioud.alexandre at gmail.com
Mon Sep 16 09:45:38 UTC 2013


"Also it is worth mentioning that disabling Javascript does not protect
against this type of fingerprinting, as it is available to CSS too:
https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries"

It could be available to CSS, but without JavaScript, it can't be sent!


2013/9/13 Mike Perry <mikeperry at torproject.org>

> harmony:
> > Mike Perry:
> > >
> > > So this means that if you resize your browser, you also get a
> > > totally different display fingerprint. However, if you resize it to
> > > something weird, and continue to use that weird size for a while,
> > > all of that activity is highly linkable to advertisers until you
> > > resize again.
> > >
> >
> > Equally, 'if you maximize your browser (or your browser maximizes
> > itself automatically, as Tor Browser does when I click 'New Identity'),
> > and your screen is some weird size, all of your activity is highly
> > linkable to advertisers until you get a new screen'?
>
> Your Tor Browser should *not* be maximizing itself during New Identity.
> It should be setting its content window to a 200x100 multiple.
>
> I've never seen one maximize for that step. Does that always happen for
> you? Sounds like a bug caused by something about your setup. Does it
> happen with a fresh bundle in a new directory? Do you mind sharing your
> monitor resolution?
>
> > Also, 'if you want to do something unlinkable, pick a weird screen
> > size and then change it after you finish doing it?'
>
> Maybe. It depends on if your resizing the window is actually as "random"
> as you think it is. If you keep doing that, and you're one of the few
> people who does, you might stand out over time?  On the other hand, it
> seems like a tricky algorithm for an advertiser-class adversary to
> write, and for little economic gain since it is rare behavior.
>
> However, if your adversary includes people with access to raw
> advertising logs, that may be a different matter. My guess is
> capital-t-They wouldn't bother with that vector though. Too expensive
> for too little information.
>
> So on balance, I think it's probably a decent thing to do for that odd
> website account you don't want linked to anything else?
>
> > I get that this is difficult to avoid. Just trying to clarify.
>
> Yep.
>
> --
> Mike Perry
>
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
>
