[tor-bugs] #32311 [Applications/Tor Browser]: Letterboxing makes me more unique

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Oct 27 09:13:16 UTC 2019 

#32311: Letterboxing makes me more unique
--------------------------------------+--------------------------
 Reporter:  yodoall                   |          Owner:  tbb-team
     Type:  defect                    |         Status:  closed
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:  invalid
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Changes (by Thorin):

 * keywords:  letterboxing =>
 * status:  new => closed
 * resolution:   => invalid


Comment:

 You can't compare Firefox users to Tor Browser users. Firefox by default
 does not spoof screen metrics, and therefore some common sizes, are, well
 .. common.

 Tor Browser spoofs screen metrics **to the inner window**: and new windows
 in TB are meant to be rounded 100's (letterboxing fixes a lot of the
 quirks of this). Letterboxing also means resizing your browser returns
 less possible combinations

 Default TB is **not** `1400x700` .. it is `1000x1000` (but scales down in
 100's in height if not enough real estate is available. This is excluding
 the issues with DPI, bookmarks toolbar etc that letterboxing actually
 fixes.

 Pantopticlick and other all-in-one fingerprinting tests do **not** provide
 meaningful entropy. They are not real world, they are tainted by the
 nature of those who visit, by repeat visits from said visitors who
 constantly tweak and poison the datasets, the datasets are small, the
 tests are flawed (sometimes), the tests are limited, and the dataset
 timespans can cause bias as well.

 Math in lowering entropy is all that matters here. Letterboxing absolutely
 provides better protection and less entropy.

 If you really hate it, and your threat model does not need it, you can
 disable it (**for now**) by flipping
 `privacy.resistFingerprinting.letterboxing`, but we do not recommend this.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32311#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list