[tor-bugs] #17207 [Tor Browser]: Testing navigator.mimeTypes for known names can reveal info and increase fingerprinting risk

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 30 21:45:38 UTC 2015 

#17207: Testing navigator.mimeTypes for known names can reveal info and increase
fingerprinting risk
-------------------------------------------------+-------------------------
 Reporter:  TemporaryNick                        |          Owner:
     Type:  defect                               |  arthuredelstein
 Priority:  High                                 |         Status:  closed
Component:  Tor Browser                          |      Milestone:
 Severity:  Major                                |        Version:
 Keywords:  tbb-fingerprinting,                  |     Resolution:  fixed
  TorBrowserTeam201510R                          |  Actual Points:
Parent ID:                                       |         Points:
  Sponsor:                                       |
-------------------------------------------------+-------------------------

Comment (by arthuredelstein):

 Replying to [comment:18 gk]:
 > This looks okay to me and I merged cherry-picked the commits onto tor-
 browser-38.3.0esr-5.5-2. One question: Is there any reason why you did not
 add ` ||ResistFingerprinting()` to any `!AllowPlugins()`? I guess only
 those where you added them are fingerprinting relevant? I wonder if that
 is going to lead into some confusion though: there may be things doable
 with plugins if you have fingerprinting defenses enabled (and are allowing
 plugins) and other things only if you have them disabled. Or are there no
 such things? I know there are a bunch of users that (need to?) enable
 Flash but maybe we just don't care about them too much here.

 I only added ` ||ResistFingerprinting()` to places where information is
 exposed through the content web APIs. I believe the other functions are
 only called by Chrome code, so ResistFingerprinting() would always return
 false.

 I think the scope of this ticket is not to disable plugins, but merely to
 prevent their detection through navigator.plugins. It is in principle
 still possible to detect plugins by including several of them in a page --
 but if we enforce click-to-play, then this is not really a practical
 attack, I think.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17207#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list