[tor-bugs] #13021 [Tor Browser]: Review Canvas APIs for fingerprintability
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Sep 18 20:29:25 UTC 2014
#13021: Review Canvas APIs for fingerprintability
-------------------------+-------------------------------------------------
Reporter: | Owner: brade
mikeperry | Status: assigned
Type: task | Milestone:
Priority: major | Version:
Component: Tor | Keywords: ff31-esr, tbb-fingerprinting,
Browser | TorBrowserTeam201409
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Comment (by mcs):
Replying to [comment:6 gacar]:
> Wow, that's a good catch! I think this should certainly be blocked.
Using the measureTextFP.html page that I just attached, the results we
generated are interesting. It seems like the approach used to fix #2872
should apply to canvas measureText() as well. And adjusting the
browser.display.max_font_attempts and browser.display.max_font_count prefs
does significantly reduce the number of unique measureText() values a web
page can generate.
Here are the results that we got:
||= Browser =||= Default / max_font prefs set to 10 =||= max_font prefs
set to -1 =||
||=Mac OS – Firefox 24.0 =|| 17 unique widths || n/a ||
||=Mac OS – Tor Browser 3.6.5 =|| 10 unique widths || 17 unique widths
||
||=Win7 – Firefox 24.0 =|| 11 unique widths || n/a ||
||=Win7 – Tor Browser 3.6.5 =|| 6 unique widths || 11 unique widths ||
||=Ubuntu 12.04 – Firefox 24.0 =|| 5 unique widths || n/a ||
||=Ubuntu 12.04 – Tor Browser 3.6.5 =|| 4 unique widths || 5 unique
widths ||
I guess the fonts we used in measureTextFP.html are somewhat "optimized"
for Mac OS (we copied most of them from http://www.lalit.org/lab
/javascript-css-font-detect/). But
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13021#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list