[tor-talk] Tor Browser window size

Joe Btfsplk joebtfsplk at gmx.com
Fri Jul 25 15:05:48 UTC 2014


On 7/25/2014 1:57 AM, Georg Koppen wrote:
> Joe Btfsplk:
>> On 7/24/2014 3:58 AM, Georg Koppen wrote:
>>> Joe Btfsplk:
>>>> Should TBB always start in partial window size?
>>> It depends on your available screen size. But in almost all cases, yes,
>>> TBB should always start in partial window size at least until we find a
>>> good way to deal with maximized browser windows (see e.g.:
>>> https://bugs.torproject.org/7256).
>> Thanks Georg,
>> Clearly I've forgotten or never knew why (partial) TBB window sizes can
>> be spoofed, but standard multiples for maximized TBB windows *can't* be
>> spoofed, instead.
>>
>> ? Don't a "majority" of users maximize something like browsers, for
>> general use?  I've never seen it mentioned that most users leave TBB in
>> partial screen.
>> I wouldn't think TBB (window size) would be used differently than
>> regular browsers (a result of human habit).
>>
>> I rarely see people using browsers in partial size, unless doing some
>> between app operation / comparison.  I'm talking about what the masses do.
>>>> Vanilla Firefox starts in maximized mode, if that was the state when
>>>> closed (I think).
>>>> TBB always starts in partial screen mode, even if last closed while in
>>>> full screen.  Many apps remember the last screen size.
>>>> Is there an anonymity reason to have TBB  start in partial screen?
>>> Not per se, but see https://bugs.torproject.org/7256 for the issue that
>>> still needs to get solved first.
>>>
>> I don't understand your last statement in relation to the bug you linked:
> It meant that there is no inherent anonymity reason to start TBB in
> partial screen mode. The reason we do that now is that it is the only
> way we currently can sort of guarantee that the window dimensions
> reported back to a website are properly rounded. Bug 7256 tracks one
> idea that would cover maximized windows as well.
>
> Georg
>
Thanks.  Again, Mike Perry commented in #7256,
"/...this potentially leaks information for users who maximize their 
browser windows.../"
Which raises the question, what % of users DON'T maximize (most) 
browsers they use, a good part of the time?
This all seems to ignore how a large % of users actually use a browser.

But, Mike says maximizing browser window potentially leaks info (as if ? 
most users don't maximize?); you say, "not per se."

I read #7256 several times & other related bugs.  Many have reported in 
several bugs, their TBB testing results under various scenarios at 
different browser testing sites.

Using TBB maximized - significantly - increases fingerprinting entropy 
for screen and / or window size, for me & others reporting on it.

Enabling JS for the current page's domain - only - increases total bits 
of identifying info (bits ii) for TBB way, *way over* the threshold of 
33 bits ii, that EFF.org says is needed to accurately identify a user 
(their browser, device) at different websites.

Yet, unless only visiting sites like blogs, most sites now perform 
poorly w/o JS enabled in NoScript, at least for their own domain (no 3rd 
party).
So, you can turn off JS & be much more anonymous, but not be able to use 
a huge part of sites.  Or judiciously turn JS on & be identifiable.  
Does that about sum it up?
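
The rounding Georg describes can be illustrated with a toy population. This is an added example, not part of the original post and not Tor Browser code; the window sizes are constructed and the 200x100 step is an assumption, since the thread does not state the values used.

```javascript
// Constructed sample, not measurements: inner window sizes (CSS px) that
// window.innerWidth / window.innerHeight would report for eight hypothetical
// users who maximized the browser. Heights differ with taskbars and toolbars.
const MAXIMIZED = [
  [1920, 969], [1920, 955], [1920, 937], [1920, 1003],
  [1366, 657], [1366, 643], [1366, 625], [1366, 681],
];

// Assumed rounding step; the thread does not state the values used.
const STEP_W = 200;
const STEP_H = 100;

// Size the window down to the nearest multiple of the step.
function roundDown([w, h]) {
  return [Math.floor(w / STEP_W) * STEP_W, Math.floor(h / STEP_H) * STEP_H];
}

// Count how many users share each reported size (the anonymity set per value).
function buckets(sizes) {
  const counts = new Map();
  for (const [w, h] of sizes) {
    const key = `${w}x${h}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy in bits of the reported-size distribution.
function entropyBits(sizes) {
  let bits = 0;
  for (const n of buckets(sizes).values()) {
    const p = n / sizes.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

const ROUNDED = MAXIMIZED.map(roundDown);
console.log("maximized:", buckets(MAXIMIZED).size, "distinct sizes,",
  entropyBits(MAXIMIZED).toFixed(2), "bits");
console.log("rounded:  ", buckets(ROUNDED).size, "distinct sizes,",
  entropyBits(ROUNDED).toFixed(2), "bits");
```

In this sample every maximized window is unique, while the rounded windows fall into three shared sizes.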


