[tor-bugs] #29745 [Applications/Tor Browser]: Exposed chrome:// resources allow browser version and OS detection [Bug 1534581]
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Jun 9 00:41:01 UTC 2019
#29745: Exposed chrome:// resources allow browser version and OS detection [Bug
1534581]
--------------------------------------+--------------------------
 Reporter:  flngerprlnt               |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-fingerprinting        |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by Thorin):

 From upstream, that this can also leak the app language: see [1]. Leaking
 browser version is not an issue, all TB users should be on the same ESR
 cycle - and you can't defeat feature detection anyway. Detecting OS is
 trivial as well (for now).

 Suggest changing the title, and keyword => `tbb-fingerprinting-locale`.

 As it happens, I checked the contents of `chrome://global/locale/intl.css`
 in all 30 language packs, and I've lost my notes on them: about 6 or 7
 have extra CSS rules which could be used: namely that French one, LTR
 languages, and from memory, a couple of non-Latin languages such as
 Japanese. Of course, there may be other `chrome://` files that leak more
 entropy.

 [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1534581#c21

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29745#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
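
Added example, not part of the original comment and not Tor Browser or Mozilla code: one way to repeat the `intl.css` audit described above, grouping language packs by their effective CSS rules and estimating how much locale information the file exposes. The per-locale CSS strings and the `.example-*` selectors are constructed placeholders, not the real file contents, and the function names are hypothetical.

```python
import hashlib
import math
import re
from collections import defaultdict

# Constructed stand-ins for each language pack's intl.css; NOT the real file contents.
SAMPLE_PACKS = {
    "en-US": "/* license */\n",
    "de":    "/* license */\n\n",
    "es-ES": "/* LICENSE */",
    "fr":    "/* license */\n.example-a { margin: 0; }\n",
    "ja":    "/* license */\n.example-b { font-size: 1em; }\n",
    "ar":    "/* license */\n.example-c { direction: rtl; }\n",
    "he":    "/* license */\n.example-c {direction:rtl;}\n",
}

def normalize(css: str) -> str:
    """Drop comments and all whitespace (a coarse comparison) so only rules are compared."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    return re.sub(r"\s+", "", css)

def group_by_rules(packs: dict) -> list:
    """Return groups of locales whose intl.css has identical effective rules, largest first."""
    groups = defaultdict(list)
    for locale, css in packs.items():
        digest = hashlib.sha256(normalize(css).encode()).hexdigest()
        groups[digest].append(locale)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def leaked_bits(groups: list) -> float:
    """Shannon entropy (bits) of the group label, assuming every locale is equally likely."""
    total = sum(len(g) for g in groups)
    return -sum(len(g) / total * math.log2(len(g) / total) for g in groups)

def report(packs: dict) -> dict:
    groups = group_by_rules(packs)
    return {
        "groups": groups,  # each group is an anonymity set for this one file
        "unique": [g[0] for g in groups if len(g) == 1],
        "bits": round(leaked_bits(groups), 3),
    }

if __name__ == "__main__":
    r = report(SAMPLE_PACKS)
    for g in r["groups"]:
        print(len(g), g)
    print("uniquely identifiable:", r["unique"], "bits:", r["bits"])
```

To audit real packs, replace `SAMPLE_PACKS` with the `intl.css` text extracted from each language pack; the same grouping can be run over any other locale-specific `chrome://` file.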