[tbb-bugs] #32861 [Applications/Tor Browser]: "Fingerprint.js PRO" successfully fingerprints Tor Browser
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Dec 31 05:31:18 UTC 2019
#32861: "Fingerprint.js PRO" successfully fingerprints Tor Browser
--------------------------------------+--------------------------
Reporter: printerman22 | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-fingerprinting | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by Thorin):
* keywords: fingperint, fingerpriting => tbb-fingerprinting
* cc: tom (added)
Comment:
it's linking "previous" visits by the id hash it generates
so how does it compute the id hash?
- `view-source:https://fingerprintjs.com/dist/demo.js`
- `https://unminify.com/` - unminify it = 31K+ lines
This looks like some sort of JS attack template (don't let the word
"attack" alarm you): in other words it's checking everything it possibly
can including the kitchen sink. The code is using very short variables,
but it's easy enough to spot "normal/established" fingerprinting like
screen measurements, font lists, canvas, glyphs, etc. And if each TB
stable release per OS is not tinkered with, then the rest (the JS attack
part) should be the same for everybody in that group (there will most
likely be entropy between major OS versions, and probably between Linux
distros).
Here's some basic tests/proofs:
- change your reported inner window size: id changes
- **remember to reset this**: flip `dom.webaudio.enabled`: id changes
- ^^ ditto for flipping all sorts of APIs on/off
TB users are advised to stay at default window size, and not to mess with
settings. And here's the thing: it told me on my first visit that I've
visited before, but I haven't (AFAICRemember, certainly not in the last 12
hours, or 3 days, and not with these TB builds). It did this to me twice:
once on stable, once on alpha: both had different ids due to a different
window size. In other words: yes there is entropy across stable TB
versions (OS limitations such as available screen height -> inner window,
OS fonts, OS widgets measurements and font, and so on), but there are
still numbers of users per configuration (but... see `note` below)
It's so easy / trivial to get the id to change (which is why a JS attack
template is not a good real world application for security checks, IMO),
but the fact my TB's id by default (for me on Windows = probably popular:
not so much you on Mac OS Catalina) tells me I had already visited (when I
hadn't) tells me that TB's anti-fingerprinting is working to some degree.
`note`: that said, we already know other areas that need work (see
`tbb-fingerprinting` bugs), and I/we have PoCs for them (such as clientRect:
e.g. the domrect test at TZP combines this with your default font and
widget).
However, this is a bit of a nightmare script to output and debug. Maybe tom
or gk or someone else can "debug" it a little? But AFAIConcerned, this is
wasted time and I have other yaks to shave :)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32861#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
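
The behaviour described in the comment above, as an added example that is not part of the original post and is not Fingerprint.js code: an id computed as a hash over collected attributes is shared by every unmodified profile and changes as soon as one attribute is changed. The attribute names, the profile values and the FNV-1a hash are assumptions made for illustration.

```javascript
// Added illustration. Attribute names/values are constructed, and FNV-1a is a
// stand-in hash: the ticket does not say how the real script derives its id.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// Sort keys so the id depends only on the attribute values collected.
function visitorId(attrs) {
  const canon = Object.keys(attrs).sort()
    .map((k) => `${k}=${JSON.stringify(attrs[k])}`).join(";");
  return fnv1a(canon);
}

// Replay first-time visits in order, as a tracker keyed on the id would see
// them: "returning" is true whenever the id has been seen before.
function replayVisits(visitors) {
  const seen = new Map(); // id -> number of visitors sharing it
  return visitors.map((v) => {
    const id = visitorId(v.attrs);
    const sharedWith = seen.get(id) || 0;
    seen.set(id, sharedWith + 1);
    return { name: v.name, id, returning: sharedWith > 0 };
  });
}

// Constructed profiles: two untouched defaults, one resized window, one with
// dom.webaudio.enabled flipped.
const tbDefault = { innerWindow: "1000x900", webaudio: true,
                    fonts: "os-bundled-list", os: "Windows" };
const visitors = [
  { name: "alice", attrs: { ...tbDefault } },
  { name: "bob", attrs: { ...tbDefault } },
  { name: "carol", attrs: { ...tbDefault, innerWindow: "1237x811" } },
  { name: "dave", attrs: { ...tbDefault, webaudio: false } },
];

for (const r of replayVisits(visitors)) {
  console.log(r.name, r.id, r.returning ? "seen before" : "new id");
}
```

In this replay "bob" is reported as seen before on a first visit because his profile is identical to "alice"'s, while "carol" and "dave" each end up alone under a new id.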