Opened 5 years ago

Closed 3 months ago

#12609 closed defect (wontfix)

HTML5 fullscreen API makes TB fingerprintable, disable it!

Reported by: cypherpunks
Owned by: mikeperry
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting-resolution, tbb-linkability
Cc: gk, lunar, fdsfgs@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Shouldn't TB set the full-screen-api.enabled pref to false so websites can't fingerprint the screen size?

(Firefox's "exit/allow fullscreen" dialog appears after the window has become full screen.)

Child Tickets

Attachments (1)

screen-size-anti-fp.patch (741 bytes) - added by cypherpunks 5 years ago.
screen size anti-fingerprinting patch


Change History (27)

comment:1 Changed 5 years ago by gk

Cc: gk added

comment:2 Changed 5 years ago by cypherpunks

Is there a better channel for reporting these kind of bugs? Where the "other side" isn't reading along...

I feel kind of uncomfortable now about having reported it here.

comment:3 Changed 5 years ago by cypherpunks

Priority: major → critical
Summary: HTML5 fullscreen API makes TB fingerprintable? Disable it? → HTML5 fullscreen API makes TB screen size fingerprintable, disable it!

Proof of concept screen size fingerprinter: http://jsbin.com/riredehu/1 (Edit: replaced, again, with a link that hopefully doesn't expire hasn't expired yet. Note to others, registering an account with JSBin is apparently not enough, so if the link has expired, select File->Clone.)

Version 2, edited 5 years ago by cypherpunks

comment:4 Changed 5 years ago by cypherpunks

Summary: HTML5 fullscreen API makes TB screen size fingerprintable, disable it! → HTML5 fullscreen API makes TB fingerprintable, disable it!

More bad news: It's not only the screen size that is fingerprintable here, but also very probably the OS. Because what the attacker gets is the innerHeight/innerWidth - of a full screen window!

comment:5 Changed 5 years ago by cypherpunks

Summary: HTML5 fullscreen API makes TB fingerprintable, disable it! → HTML5 fullscreen API makes TB screen size fingerprintable, disable it!

It's not the only way to get fingerprints today. Look at #9881.
Many desktops in the world share 640x480 (which is revealed by this bug, for example), but not so many browsers share limitations for available window size (which is revealed by #9881).

Proof of concept screen size fingerprinter

Can it fingerprint automatically, without a click, on page visit?

comment:6 Changed 5 years ago by cypherpunks

Summary: HTML5 fullscreen API makes TB screen size fingerprintable, disable it! → HTML5 fullscreen API makes TB fingerprintable, disable it!

comment:7 Changed 5 years ago by cypherpunks

Because what the attacker gets is the innerHeight/innerWidth - of a full screen window!

Why do you think it's the inner size? My test reports real_desktop_width x (real_desktop_height - 1px).

comment:8 in reply to: 7 Changed 5 years ago by cypherpunks

Replying to cypherpunks:

Can it fingerprint automatically, without a click, on page visit?

User interaction (clicks, hover, keyboard, etc.) is supposed to be necessary. Not a very high bar, though.

Replying to cypherpunks:

Because what the attacker gets is the innerHeight/innerWidth - of a full screen window!

Why do you think it's the inner size? My test reports real_desktop_width x (real_desktop_height - 1px).

Me too (Linux)... I assumed that's some weird GUI toolkit leftover pixel. Maybe I'm wrong and it's the same on every platform.

comment:9 in reply to: 5 Changed 5 years ago by cypherpunks

Replying to cypherpunks:

It's not the only way to get fingerprints today. Look at #9881.

TB should really really set dom.disable_window_move_resize = true and browser.link.open_newwindow.restriction = 0. The current situation is horrific.

Changed 5 years ago by cypherpunks

Attachment: screen-size-anti-fp.patch added

screen size anti-fingerprinting patch

comment:10 Changed 5 years ago by cypherpunks

Please let me know if screen-size-anti-fp.patch is a good approach.

Last edited 5 years ago by cypherpunks

comment:11 Changed 5 years ago by cypherpunks

Component: Firefox Patch Issues → TorBrowserButton
Status: new → needs_review

comment:12 Changed 5 years ago by lunar

Cc: lunar added

comment:13 Changed 5 years ago by gk

Priority: critical → major
Status: needs_review → needs_revision

This bug is about the fullscreen API. The other preferences the patch manipulates do not have anything to do with that.

comment:14 Changed 5 years ago by cypherpunks

The other two prefs fix #9881 (which is closely related) and are listed in ticket:9881#comment:22 for discussion. Should I split them up? But then you'd have to merge the lines manually anyway.

comment:15 Changed 5 years ago by cypherpunks

Proof of concept screen size fingerprinter

Site expired; it doesn't work properly now.

comment:16 Changed 5 years ago by cypherpunks

<html>

<head>
<title>HTML5 fullscreen API fingerprinter</title>
<script>
// Proof of concept as posted in the ticket: a user click is the required
// gesture; the element is put into fullscreen and, once the window has had
// a second to resize, screen.width/screen.height are read and shown.
function fingerprint() {
  document.getElementById('x').mozRequestFullScreen();
  setTimeout(function(){ window.alert(screen.width + "x" + screen.height); }, 1000);
}
</script>
</head>

<!-- the whole body is the click target -->
<body onclick="fingerprint()">
<h1 id="x">click anywhere and wait a second</h1>

<p>1
<p>2
<p>3

</body>
</html>

comment:17 in reply to: 16 Changed 5 years ago by cypherpunks

Hello other cypherpunks,

<p>1
<p>2
<p>3

</body>

You want to use a larger body so the user can click anywhere, hence the lorem ipsum. I've fixed the link at comment:3 thanks to rawgit.com.

Last edited 5 years ago by cypherpunks

comment:18 Changed 5 years ago by mikeperry

Personally, I would rather fix the root Firefox bug here to actually prompt before making the widget full screen. Disabling full screen for everyone is bad UX. In terms of the number of people who will complain about either property, I think more will complain if we fully remove their ability to watch full screen videos.

Just about the only thing that would convince me otherwise is if this fingerprinting could be done invisibly, without the user becoming aware of it via a full screen video suddenly playing.

comment:19 in reply to: 18 Changed 5 years ago by faether

Replying to mikeperry:

Just about the only thing that would convince me otherwise is if this fingerprinting could be done invisibly, without the user becoming aware of it via a full screen video suddenly playing.

It can. The element does not have to be a video (or even be visible), and we can exit fullscreen mode right away (without user interaction) after the screen dimensions have been extracted.

Here's a v2 proof of concept that leaves fullscreen after 500 ms. Obviously this flicker could be reduced much further (100 ms worked fine, 10 ms didn't), but I'm not familiar enough with JavaScript and FS API race conditions to try.

https://rawgit.com/anonymous/eceb468086375f942c2f/raw/36ea4683bdba6315e828026a9a97f23fba775320/fs-v2.html

It's true that the proper fix would be to open the permission dialog before entering fullscreen mode, but I hope we can use this pref as a temporary bugfix until then.

Last edited 5 years ago by faether

comment:20 Changed 5 years ago by saint

It's possible to set a video to fullscreen automatically (with javascript). I'd say to either prompt the user when they try to enable full-screen that doing so reduces their anonymity slightly, or go with mikeperry's proposed solution below.

Per mikeperry's mention in #tor-dev, limiting full-screen mode to the size of the browser window still allows someone to make an educated guess at resolution. Which is still a big improvement over the default.

comment:21 Changed 5 years ago by faether

Uh oh, there are onresize events firing all over the place when you go to fullscreen. See below in the log, that number 1000x689? That's my actual browser window size, without the X11 border, +5px in height. Same strange 5px increase for the screen height, 1055.

[17:13:11.255] "1409245991255 pre-fs   1000x600"
[17:13:11.308] "1409245991287 onresize 1000x689"
[17:13:11.360] "1409245991360 onresize 1000x689"
[17:13:11.370] "1409245991370 onresize 1680x1055"
[17:13:12.256] "1409245992256 1000ms   1680x1055"
[17:13:12.257] Exited full-screen because full-screen element was removed from document. 
[17:13:12.273] "1409245992272 onresize 1680x966"
[17:13:12.317] "1409245992317 onresize 1000x600"
[17:13:13.256] "1409245993256 2000ms   1000x600"

generated using fingerprinter v3: https://rawgit.com/anonymous/f63b0650637fef3dcdf1/raw/a4199acc17e23ca301a4b71bbe916143b9b5f89b/fs-v3.html (try running it multiple times if it doesn't get your browser window size)

Last edited 5 years ago by faether

comment:22 Changed 5 years ago by faether

I thought finding out the actual window size (incl. chrome), in addition to the screen size, seemed pretty serious. Has nobody else been able to reproduce this using the v3 fingerprinter?

comment:23 Changed 5 years ago by mikeperry

Keywords: tbb-fingerprinting-resolution added; tbb-fingerprinting removed

FWIW, I think that #12977 is the right way to deal with this issue.

comment:24 Changed 2 years ago by cypherpunks

Component: TorBrowserButton → Applications/Tor Browser
Keywords: tbb-linkability added
Severity: Normal

Trackers now send back every change of resolution, so that in conjunction with timers it can be used to defeat FPI.

comment:25 Changed 2 years ago by tokotoko

Cc: fdsfgs@… added

comment:26 Changed 3 months ago by mikeperry

Resolution: wontfix
Status: needs_revision → closed

We should ensure the prompt works properly, not disable fullscreen.
