Opened 5 years ago

Closed 5 years ago

#13858 closed defect (duplicate)

Resolution fingerprinting possible with Tor Browser Bundle

Reported by: sleurn
Owned by: tbb-team
Priority: High
Component: Applications/Tor Browser

Description

There seems to be a major problem in terms of screen size (resolution) fingerprinting possibility - checked on https://panopticlick.eff.org:

E.g., plain Firefox 33.1.1 on WinXP SP3 Home 32 bit is shown as 1024x600x24, independently of whether the menu bar is shown or not.

On the other hand, torbrowser-install-4.0.1_en-US.exe on the same machine causes the following instead:

  • With menu bar shown (default): 1024x476x24 ("one in 1183729.75 browsers have this value")
  • With menu bar disabled: 1024x499x24 ("one in 175367.48 browsers have this value")

As far as I remember, pre-4.0 versions of TBB had some hard-coded commonly used value, such as 1024x768x24 or something.

Change History (4)

comment:1 Changed 5 years ago by sleurn

Similarly, with the same machine running 32-bit Debian Linux:

Debian's Iceweasel 24.8.1 (independently of whether the menu bar is shown or not) is shown as 1024x600x24 ("one in 170.71 browsers have this value")

Whereas tor-browser-linux32-4.0.1_en-US.tar.xz (menu bar always disabled) results in 1024x442x24 ("one in 157942.53 browsers have this value")

comment:2 Changed 5 years ago by gk

The values are hard-coded to a multiple of 200x100. That is unless you start resizing your screen. Are you doing that?

comment:3 in reply to:  2 ; Changed 5 years ago by sleurn

Replying to gk:

The values are hard-coded to a multiple of 200x100. That is unless you start resizing your screen. Are you doing that?

No, I don't. The above was with its window maximized. (I.e. not the default window size it starts up with on first run after unpacking into a new directory, which is smaller, but the one resulting from using the "maximize" window button.)

My usage scenario is:

  • Download the new TBB version
  • Delete the old "Tor Browser" folder
  • Unpack the new version into the same directory as the old one. (I.e., re-creating the "Tor Browser" folder. Which, though, is not on the desktop.)
  • On first run:
    • Using the NoScript button, "Forbid scripts globally"
    • Hide the menu bar
    • In the browser options -> Advanced -> General, disable "Use smooth scrolling"

For the "panopticlick" test I did the "Temporarily allow all this page" with the NoScript button, since resolution detection requires JavaScript.

But you are right that it changes when resized, e.g., I made it significantly smaller and got 622x296x24 (same version on WinXP).

comment:4 in reply to:  3 Changed 5 years ago by gk

Resolution: duplicate
Status: new → closed

Replying to sleurn:

Replying to gk:

The values are hard-coded to a multiple of 200x100. That is unless you start resizing your screen. Are you doing that?

No, I don't. The above was with its window maximized. (I.e. not the default window size it starts up with on first run after unpacking into a new directory, which is smaller, but the one resulting from using the "maximize" window button.)

Hmm... how is maximizing the window not a kind of resizing? Anyway, this issue is tracked in #7256 and/or #7255.
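
The grid rule gk describes in comment:2, applied to the values quoted in this ticket, as an added example that is not part of the ticket or of Tor Browser's code. It assumes rounding down to the nearest 200x100 multiple; the function names are hypothetical.

```javascript
// Added example: audits reported "WxHxD" values against the 200x100 grid
// mentioned in comment:2. Rounding *down* is an assumption of this sketch.
const GRID_W = 200;
const GRID_H = 100;

// Parse a Panopticlick-style "WIDTHxHEIGHTxDEPTH" string.
function parseResolution(text) {
  const m = /^(\d+)x(\d+)x(\d+)$/.exec(text.trim());
  if (!m) throw new Error(`not a WxHxD value: ${text}`);
  return { width: Number(m[1]), height: Number(m[2]), depth: Number(m[3]) };
}

// Largest grid-aligned size that fits inside the given area.
function roundToGrid({ width, height }) {
  return {
    width: Math.floor(width / GRID_W) * GRID_W,
    height: Math.floor(height / GRID_H) * GRID_H,
  };
}

// Report whether a value sits on the grid and which bucket it would fall in.
function auditResolution(text) {
  const res = parseResolution(text);
  const bucket = roundToGrid(res);
  const onGrid = res.width > 0 && res.height > 0 &&
    bucket.width === res.width && bucket.height === res.height;
  return { reported: text, onGrid, bucket: `${bucket.width}x${bucket.height}` };
}

function auditAll(values) {
  return values.map(auditResolution);
}

// The four values quoted in the ticket (maximized or manually resized
// windows), plus one constructed on-grid value for contrast.
const samples = [
  "1024x476x24", "1024x499x24", "1024x442x24", "622x296x24",
  "1000x400x24", // constructed
];

for (const r of auditAll(samples)) {
  const state = r.onGrid ? "on grid" : "off grid";
  console.log(`${r.reported}: ${state}, bucket ${r.bucket}`);
}
```

The three maximized values from the ticket differ from each other as reported but fall into the same 1000x400 bucket once rounded.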
