[tor-bugs] #31512 [Applications/Tor Browser]: Fingerprinting of Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Aug 27 07:17:43 UTC 2019 

#31512: Fingerprinting of Tor Browser
--------------------------------------+--------------------------
 Reporter:  thelamper                 |          Owner:  tbb-team
     Type:  enhancement               |         Status:  closed
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:  invalid
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by Thorin):

 Replying to [comment:4 tom]:
 > https://tor.triop.se/ identifies the version of Tor Browser used (and
 sometimes OS). It doesn't identify users uniquely. If anything, it
 confirms that we're doing a pretty good job that someone smart poked at
 this and this was the best they could do.

 https://github.com/jonaslejon/tor-fingerprint/blob/master/tor-
 fingerprint.js : I've looked at this code in the past, several times

 On both Windows 7 and Linux Mint, it does not detect (for me) Tor Browser
 (8.5.4), or the version, or even the major OS.

 The fingerprint does change though, so there is entropy in that: I'll re-
 look at it if you want.
 - my Linux Mint (VM): Fingerprint: `-1609407044`, `-950496277`
 - my Win7 (bare metal): Fingerprint: `427398366`, `278677235`

 ---

 Detecting Tor Browser: that's actually already trivial: but all TB's are
 the same in this metric. It's actually already trivial and 100% reliable
 to detect this via other methods.

 Detecting version: Tor Browsers should be up-to-date and should all report
 the same on this metric (major version e.g 8 or 9: or if based on ESR60 or
 68 etc). It's actually already trivial and 100% reliable to detect this
 via other methods.

 Detecting OS: It's actually already trivial and 100% reliable to detect
 this via other methods. And right now, the JS navigator will actually tell
 you (for now: that may change: why give away free entropy when we don't
 have to). It's almost impossible to hide your major OS.

 The only other thing of interest here might be detecting Tails. Or if
 you're using a VM (which I have a PoC for: but won't be sharing in here)

 --

 I'll have a look at the other one later

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31512#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list