Opened 6 years ago

Closed 6 years ago

#10833 closed defect (duplicate)

Screen resolution should not be identical to window size

Reported by: ben
Owned by: mikeperry
Priority: Medium
Milestone:
Component: Firefox Patch Issues
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

TorBrowser design doc https://www.torproject.org/projects/torbrowser/design/ states re screen resolution:
"report that the desktop is only as big as the inner content window"

Indeed, when I go to <http://browserspy.dk/screen.php> with TorBrowser, I get a screen size of 1057x909.

This is an obvious way to find out Tor users, and also allows tracking them even better than without this change. A screen (!) resolution of 1057x909 must really stand out and allow a user to be tracked easily. This would stay the same across all sessions and sites and even reboots.

A window/content resolution of 1057x909 isn't very common either and problematic, but that problem exists independent of the screen resolution. This issue isn't theoretical: I heard about 5 years ago that even Google tracks users based on non-standard window resolution.

That said, a screen resolution of 1057x909 would appear only among TorBrowser users and thus be fairly unique world-wide.

Child Tickets

Change History (17)

comment:1 Changed 6 years ago by ben

Solution proposals:

  • Entirely remove patch to fake screen resolution
  • Hardcode a set of a common screen resolutions. Then, pick the smallest that can fit the current window size. (Downside: It would still lead to changing screen resolutions when the user resizes the window, which could be detected and is also unusual, but the leaking info is only that the user uses Tor, not unique.)
Last edited 6 years ago by ben

comment:2 Changed 6 years ago by gk

Okay, the height issue will be fixed with #10095 which is included in the new release coming out in the next days. The weird width is interesting. Could that be an instance of #9268?

comment:3 Changed 6 years ago by ben

Screen size and window size are identical for me.
<http://browserspy.dk/screen.php> vs. <http://browserspy.dk/window.php>.
The window size seems to be the real size; it's identical to my non-Tor browser, if I make the windows the same size.

> Could that be an instance of #9268?

No.

Last edited 6 years ago by ben

comment:4 in reply to: 3 Changed 6 years ago by gk

Replying to ben:

> Screen size and window size are identical for me.
> <http://browserspy.dk/screen.php> vs. <http://browserspy.dk/window.php>.
> The window size seems to be the real size; it's identical to my non-Tor browser, if I make the windows the same size.

Are you resizing your Tor Browser window? Both pages give me the same values which are not my non-TorBrowser screen size if I do not touch the window size in any way after start-up.

Could you set "extensions.torbutton.loglevel" to "3" and copy & paste the relevant window resizing debug messages shown into the browser console?

comment:5 Changed 6 years ago by ben

What I do is fairly simple and straightforward:

  1. Start browser
  2. Resize window to a size that pleases me
  3. Go to <http://browserspy.dk/screen.php> and <http://browserspy.dk/window.php>

I do the same for Tor browser and non-Tor Firefox. The results are above.

Tor browser does precisely what the design document (quoted in the description) specifies: It makes the screen size be the window content size. Just that this idea is misguided: it causes an identity leak.

Last edited 6 years ago by ben

comment:6 Changed 6 years ago by ben

How dangerous this is can be clearly seen when you go to <https://panopticlick.eff.org> and click "Test me". You will most likely be "unique", due to the unusual screen resolution.
Test again with maximized window and watch the "one in x browsers" value for screen resolution go down dramatically.

comment:7 Changed 6 years ago by gk

Resolution: duplicate
Status: new → closed

Further down in the design doc you'll find

To further reduce resolution-based fingerprinting, we are investigating zoom/viewport-based mechanisms that might allow us to always report the same desktop resolution regardless of the actual size of the content window, and simply scale to make up the difference.

pointing to #7256 (and indirect to #7255). Marking this as a duplicate of #7256 then.

comment:8 Changed 6 years ago by ben

gk, while #7296 touches on the same issue, it's not identical.

  1. It speaks about users maximizing windows. This bug here is specifically about users not doing so.
  2. Also, the core issue here is that screen size == window size. While the design doc paragraph you cited agrees that this is bad and says "always report the same desktop resolution regardless of the actual size of the content window", bug #7256 is not about that.
  3. Lastly, the solutions proposed here are rather simple, in comparison.
Last edited 6 years ago by ben

comment:9 Changed 6 years ago by cypherpunks

> Also, the core issue here is that screen size == window size.

It's not an issue, it is planned by design.

> Resize window to a size that pleases me

That is a problem; your only choice is to find a way for #7256 or nothing. Reporting false sizes without zooming content will break proper rendering and usability.

> Then, pick the smallest that can fit the current window size.

4:3, 5:4, 14:9, 16:9, 16:10, for which one?

comment:10 Changed 6 years ago by ben

Cc: ben.bucksch.news@… added

There is no discussion about whether this is a bug or serious: I proved that in comment:6.

Content size is a problem, too, but a different issue.

> Then, pick the smallest that can fit the current window size.

> 4:3, 5:4, 14:9, 16:9, 16:10, for which one?

Doesn't matter. In fact, we can simply always report 1920x1080. Unless the window is bigger, and then report some even higher screen res.

The current "fake screen res" patch is here, it seems:
https://bug418986.bugzilla.mozilla.org/attachment.cgi?id=8370333

comment:11 Changed 6 years ago by ben

Cc: ben.bucksch.news@… removed

comment:12 in reply to: 10 Changed 6 years ago by mikeperry

Replying to ben:

> There is no discussion about whether this is a bug or serious: I proved that in comment:6.

I've discussed the panopticlick issue at length before. See my comments on #4810,
https://blog.torproject.org/blog/effs-panopticlick-and-torbutton, and #6119.

We make our decisions about fingerprinting based on the concept of entropy reduction *inside* the TBB userbase. It is not possible to both defend against fingerprinting *and* prevent TBB from being detected as TBB.

> Content size is a problem, too, but a different issue.

> Then, pick the smallest that can fit the current window size.

> 4:3, 5:4, 14:9, 16:9, 16:10, for which one?

> Doesn't matter. In fact, we can simply always report 1920x1080. Unless the window is bigger, and then report some even higher screen res.

First, there are websites out there that will try to resize browser windows to the whole desktop resolution, or to a fraction of the desktop resolution.

Further, reporting multiple resolutions for the desktop actually introduces *more* fingerprintable entropy. In fact, people with larger than 1920x1080 displays will necessarily stand out with your suggestion.

comment:13 Changed 6 years ago by ben

> It is not possible to both defend against fingerprinting *and* prevent TBB from being detected as TBB.

OK, so detection of Tor is not an issue. Understood.

> We make our decisions about fingerprinting based on the concept of entropy reduction *inside* the TBB userbase.

Right. But a screen resolution of 1057x909 would likely appear only once world-wide.

> First, there are websites out there that will try to resize browser windows to the whole desktop resolution

We'd need to prevent that. Even regular Firefox prevents window resize and popups (by default, and almost all websites accepted this limitation). So, I don't think that's an issue. If we allowed that, it would definitely allow tracking: just resize the window to a unique size, and then later, or on another site or session, query it. Even if you change the size for new windows, it would allow matching different sessions within the same window.

> Further, ... people with larger than 1920x1080 displays will necessarily stand out with your suggestion.

No more than they currently do.

My suggestion can reduce entropy dramatically (from 20+ bits=unique to 2 bits: 2 resolutions within TBB only). Is there a case where it increases entropy compared to now in TBB?

Last edited 6 years ago by ben

comment:14 Changed 6 years ago by ben

> No more than they currently do.

actual screen size | window size | screen size (current) | screen size (proposed)
-------------------|-------------|-----------------------|-----------------------
1920x1200          | 1057x909    | 1057x909              | 1920x1080
1920x1200          | 1057x1100   | 1057x1100             | 2880x1800
1280x720           | 1270x685    | 1270x685              | 1920x1080
1280x720           | 1000x600    | 1000x600              | 1920x1080
1280x720           | 800x400     | 800x400               | 1920x1080

  1. There will only be 2 resolutions within TBB: 1920x1080 and a very high one. This reduces entropy to exactly 1 bit (2 values) within TBB.
  2. The screen size can change for an individual user, which is strange, but it's currently the case with the current fix as well.
  3. We can't allow window resizes requested by the website and window size queries anyway, because they allow tagging/matching sessions within the same window.
Last edited 6 years ago by ben
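The mapping ben describes above, written out as an added example; this is not Tor Browser code and not any patch from the ticket. The two-entry candidate list and the five window sizes are taken from the comment:14 table, and the entropy count follows ben's "number of distinct values" reasoning rather than a full distribution calculation:

```javascript
// Candidate fake desktop sizes (assumption taken from the comment:14 table),
// smallest first: a common 1080p desktop plus one "very high" fallback.
const FAKE_SCREENS = [
  { width: 1920, height: 1080 },
  { width: 2880, height: 1800 },
];

// Behaviour the ticket complains about: screen size equals inner window size.
function currentScreenSize(innerWidth, innerHeight) {
  return { width: innerWidth, height: innerHeight };
}

// Proposed behaviour: the smallest candidate that fits the content window.
// A window larger than every candidate gets the largest one; those users
// still share one value but remain distinguishable (mikeperry's comment:12).
function proposedScreenSize(innerWidth, innerHeight) {
  const fit = FAKE_SCREENS.find(s => s.width >= innerWidth && s.height >= innerHeight);
  return fit || FAKE_SCREENS[FAKE_SCREENS.length - 1];
}

// Entropy as ben counts it: log2 of the number of distinct values observed
// across the population, so 2 values = 1 bit and 5 values ~ 2.32 bits.
function distinctValueBits(sizes) {
  const distinct = new Set(sizes.map(s => `${s.width}x${s.height}`));
  return Math.log2(distinct.size);
}

// Constructed sample: the five inner window sizes from the comment:14 table.
const SAMPLE_WINDOWS = [
  [1057, 909], [1057, 1100], [1270, 685], [1000, 600], [800, 400],
];

// Compare how many bits the reported screen size leaks under each scheme.
function compare(windows = SAMPLE_WINDOWS) {
  const current = windows.map(([w, h]) => currentScreenSize(w, h));
  const proposed = windows.map(([w, h]) => proposedScreenSize(w, h));
  return {
    currentBits: distinctValueBits(current),   // log2(5)
    proposedBits: distinctValueBits(proposed), // log2(2) = 1
  };
}

console.log(compare());
```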

comment:15 Changed 6 years ago by ben

> See my comments on #4810

OK, that was most interesting and relevant. It turns out that erikd created pretty much exactly the patch that I am proposing here (solution 2 in comment:1 here vs. his patch there).

And you confirmed there that this is a good solution, in comment:3:ticket:4810:

> However, there may be a solution where we ... just assign a fixed mapping from each of these window sizes to a fake desktop size that is larger (but ideally within a sane bound of the current desktop).

This is exactly what I am suggesting.

comment:16 Changed 6 years ago by ben

Resolution: duplicate
Status: closed → reopened

comment:17 Changed 6 years ago by ben

Resolution: duplicate
Status: reopened → closed

DUP of #4810
