Opened 3 years ago

Last modified 12 months ago

#13400 needs_information defect

Canvas Fingerprinting: fonts

Reported by: cypherpunks
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-testcase, tbb-fingerprinting-fonts
Cc: mcs, brade, mikeperry, arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by arthuredelstein)

As far as I know, TBB blocks ctx.getImageData. But I think it is not enough.
Look at this.
https://web.archive.org/web/20141016035848/https://gist.github.com/KOLANICH/00b9145743d841cff4d7
I tried this; the fingerprint survives a restart of TBB.
I don't know whether this fingerprint can be used to identify the user's OS (at least it can be used to identify fonts) and hardware, but it is different from the one generated with the browser in the OS.

Change History (19)

comment:1 Changed 3 years ago by dcf

Thanks for making a demo. I think the measureText method was already noticed and fixed in #13021. There is a similar demo at attachment:measureTextFP.html:ticket:13021.

comment:2 Changed 3 years ago by dcf

Also see #13313, which should reduce fingerprintability of fonts in general. There is a test bundle in comment:1:ticket:13313 (but only for GNU/Linux so far); you could see if you get a consistent fingerprint with it on different hosts.

comment:3 Changed 3 years ago by gk

Cc: mcs brade mikeperry added
Version: Tor: 0.2.4.24

Seems still to be an issue in ESR 31 based Tor Browsers. mcs, brade, have we forgotten something here?

comment:4 Changed 3 years ago by mcs

There are several things going on here. The fingerprinter.html page uses page reload / iteration and a cookie to defeat TBB's max_font preferences. It also uses canvas measureText() to generate its fingerprints, which has the advantage that it returns a floating point value for width. This may be better than using something like offsetWidth of a <span> (which as far as we can tell only provides integer width values), but we were able to get similar fingerprinting results without a canvas.

We could change canvas measureText() to return a rounded number or disable it entirely, but it may not be worth it. A real solution will require fixing #13313 or another approach.

comment:5 in reply to: 4; Changed 3 years ago by gacar

Replying to mcs:

> ...
>
> We could change canvas measureText() to return a rounded number or disable it entirely, but it may not be worth it. A real solution will require fixing #13313 or another approach.

Wouldn't it make sense to put the measureText() behind the canvas dialog until we get the bundled fonts ready? I thought this was the idea in #13021 and I assume #13313 may take some time, though, dcf may have a better estimate.

comment:6 in reply to: 5; Changed 3 years ago by mcs

Replying to gacar:

> Wouldn't it make sense to put the measureText() behind the canvas dialog until we get the bundled fonts ready? I thought this was the idea in #13021 and I assume #13313 may take some time, though, dcf may have a better estimate.

The reason I am not convinced that it is worthwhile to put measureText() behind the canvas prompt is that Kathy Brade and I were able to get similar fingerprinting results without using canvas at all (by getting the width of DOM elements like <span> that contain text). We would be blocking one fingerprinting vector while leaving an (arguably) even easier one open.

comment:7 Changed 3 years ago by cypherpunks

Keywords: tbb-fingerprinting added

http://fiddle.jshell.net/fyw4qmdg/5/show/ (editable version is http://jsfiddle.net/fyw4qmdg/5/) is a fiddle of that PoC (published by KOLANICH at http://geektimes.ru/post/244484/)

Last edited 3 years ago by cypherpunks

comment:8 Changed 3 years ago by cypherpunks

See also #14310

comment:9 Changed 3 years ago by mikeperry

Keywords: tbb-testcase added; tbb-fingerprinting removed

This is something that will make for a useful testcase for TBB, but it is not a new fingerprinting vector in and of itself. As for solutions, I think my favorite is #13313.

comment:12 Changed 2 years ago by dcf

Status: new → needs_information

Could you test your canvas technique against 5.5a1? https://blog.torproject.org/blog/tor-browser-55a1-released. It uses standardized fonts that should defend against this fingerprinting vector.

comment:13 Changed 2 years ago by arthuredelstein

Severity: Normal

It's possible that measureText can detect differences between different rendering engines, rendering the same text with the same font, even if fonts are bundled/whitelisted. So I think it might still be beneficial to round the result of measureText.
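
Added example (not part of the ticket or of Tor Browser's code): the rounding mitigation raised in comment:4 and comment:13, applied to constructed widths to show which differences it hides and which it leaves visible. `SAMPLE_WIDTHS`, the host names, the probe string and the fake context are assumptions made so the code runs outside a browser.

```javascript
// Constructed sample widths (CSS px) for one probe string; not measured data.
// hostA/hostB: same bundled fonts, different rendering engines (sub-pixel drift).
// hostC: a different installed font set (whole-pixel differences).
const SAMPLE_WIDTHS = {
  hostA: { "serif": 112.453125, "sans-serif": 118.6875 },
  hostB: { "serif": 112.46875, "sans-serif": 118.703125 },
  hostC: { "serif": 109.21875, "sans-serif": 121.0 },
};
const FAMILIES = ["serif", "sans-serif"];

// Stand-in for a 2D canvas context so the example runs outside a browser.
function makeFakeContext(host) {
  return {
    font: "16px serif",
    measureText(_text) {
      const family = this.font.split(" ").slice(1).join(" ");
      return { width: SAMPLE_WIDTHS[host][family] };
    },
  };
}

// The mitigation discussed in the ticket: round the width measureText() reports.
// Only `width` is handled here; other TextMetrics fields would need the same care.
function roundMeasureText(ctx, step = 1) {
  const original = ctx.measureText;
  ctx.measureText = function (text) {
    const metrics = original.call(this, text);
    return { width: Math.round(metrics.width / step) * step };
  };
  return ctx;
}

// Collect the widths a page would observe for each font family.
function observedWidths(ctx) {
  return FAMILIES.map((family) => {
    ctx.font = `16px ${family}`;
    return ctx.measureText("mmmmmmmmmmlli").width;
  });
}

// True when the two hosts yield different observations.
function distinguishable(hostX, hostY, rounded) {
  const [x, y] = [hostX, hostY].map((host) => {
    const ctx = makeFakeContext(host);
    return observedWidths(rounded ? roundMeasureText(ctx) : ctx).join(",");
  });
  return x !== y;
}
```

With these values, rounding makes hostA and hostB identical but leaves hostC distinct, which matches the point that bundled fonts (#13313) are still needed. Rounding also fails when two engines' raw widths fall on opposite sides of a rounding boundary (for example 112.49 and 112.51).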

comment:14 Changed 2 years ago by arthuredelstein

Cc: arthuredelstein added

comment:15 Changed 2 years ago by gacar

There's at least one vendor who uses measureText for font probing/fingerprinting.
http://mathid.mathtag.com/device/id.js

So it'd be great to round its result, or ask for permission.

comment:16 Changed 2 years ago by gk

Keywords: tbb-fingerprinting-fonts added

comment:17 Changed 2 years ago by cypherpunks

Hi cypherpunks

My nickname is KOLANICH, the account is not mine, but the shared one. Please use the issues of the repo (https://github.com/KOLANICH/Article-2015-Dull-captaincy-or-the-way-Tor-Project-fights-browser-fingerprinting/issues), because I don't visit this bug tracker often. Also, you can test it yourselves: just clone (or download) the repo and open fingerprinter.html. PRs are also welcome.

> your technique

The technique is not mine, I've only found a flaw in the defence and modified the technique from the paper [MS12].

> can you try your technique against the bundles 4.0
> against 5.5a1? https://blog.torproject.org/blog/tor-browser-55a1-released. It uses standardized fonts that should defend against this fingerprinting vector.

Tested against 5.5a1.

Doesn't defend.

https://github.com/KOLANICH/Article-2015-Dull-captaincy-or-the-way-Tor-Project-fights-browser-fingerprinting/blob/master/results/KOLANICH/TBB%2C%20TAILS%2C%20Whonix/TBB%205.5a4%20%40%20Win%20XP.json

https://github.com/KOLANICH/Article-2015-Dull-captaincy-or-the-way-Tor-Project-fights-browser-fingerprinting/blob/master/results/KOLANICH/TBB%2C%20TAILS%2C%20Whonix/TBB%205.5a4%20%40%20Win%208.1.json

https://github.com/KOLANICH/Article-2015-Dull-captaincy-or-the-way-Tor-Project-fights-browser-fingerprinting/blob/master/results/KOLANICH/TBB%2C%20TAILS%2C%20Whonix/TBB%205.5a4%20%40%20TAILS.json

Last edited 2 years ago by cypherpunks

comment:19 Changed 12 months ago by arthuredelstein

Description: modified