Opened 5 years ago
Last modified 15 months ago
#14098 new defect
TBB still doesn't round windows in some cases
| Reported by: | cypherpunks | Owned by: | tbb-team |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | tbb-fingerprinting-resolution |
| Cc: | arthuredelstein, randybytes, joebtfsplk@…, adrelanos | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
I understand TBB does something to reduce the fingerprintability of the browser window size, but apparently it isn't enough as https://panopticlick.eff.org/ says they've never seen my screen size before. I'm using the latest TBB on the latest debian stable with the dwm window manager.
Could TBB please round the size to a larger interval so that I look like a more typical user? Thanks.
Child Tickets
Change History (25)
comment:1 Changed 5 years ago by
comment:2 follow-up: 6 Changed 5 years ago by
it looks like someone has already attempted to block the screenX and screenY, but it is not happening, window.screen property has the correct information available. https://github.com/tomrittervg/tor-browser/blob/70783c6cdb4bb0ce88fa17e814dc67fddc6ce078/dom/base/nsGlobalWindow.cpp#L4352
comment:3 Changed 5 years ago by
| Component: | - Select a component → Tor Browser |
|---|---|
| Keywords: | tbb-fingerprintability added |
| Owner: | set to tbb-team |
comment:4 Changed 5 years ago by
| Keywords: | tbb-fingerprinting added; tbb-fingerprintability removed |
|---|
comment:5 Changed 5 years ago by
Replying to cypherpunks:
I understand TBB does something to reduce the fingerprintability of the browser window size, but apparently it isn't enough as https://panopticlick.eff.org/ says they've never seen my screen size before. I'm using the latest TBB on the latest debian stable with the dwm window manager.
Could TBB please round the size to a larger interval so that I look like a more typical user? Thanks.
For screen size, Tor Browser reports your window size. Unless you resized the browser window, the size should be a multiple of 100. What size was reported by https://panopticlick.eff.org/ ?
Also see #13650.
comment:6 follow-up: 9 Changed 5 years ago by
Replying to randybytes:
it looks like someone has already attempted to block the screenX and screenY, but it is not happening, window.screen property has the correct information available. https://github.com/tomrittervg/tor-browser/blob/70783c6cdb4bb0ce88fa17e814dc67fddc6ce078/dom/base/nsGlobalWindow.cpp#L4352
Access to properties within window.screen has been patched as well. Are you seeing a case where window.screen leaks the actual display dimensions or other info?
comment:7 Changed 5 years ago by
| Cc: | arthuredelstein added |
|---|
comment:8 Changed 5 years ago by
| Cc: | randybytes added |
|---|
comment:9 follow-up: 11 Changed 5 years ago by
Replying to mcs:
Access to properties within window.screen has been patched as well. Are you seeing a case where window.screen leaks the actual display dimensions or other info?
Are you seeing a case where window.screen leaks the actual display dimensions or other info?
Yes, on the Tor Browser bundle 4.03 with windows 8.1 leaks the actual display dimensions:
On https://panopticlick.eff.org it leaks:
Screen Size and Color Depth: 1366x633x24
which only 1 in 82820.68 browsers have this value.
from the javascript console window.screen shows:
Screen { availWidth: 1366, availHeight: 383, width: 1366, height: 383, colorDepth: 24, ...
Thanks for replying, is their any diagnostic information that could help?
comment:10 Changed 5 years ago by
Replying to cypherpunks:
I understand TBB does something to reduce the fingerprintability of the browser window size, but apparently it isn't enough as https://panopticlick.eff.org/ says they've never seen my screen size before. I'm using the latest TBB on the latest debian stable with the dwm window manager.
Could TBB please round the size to a larger interval so that I look like a more typical user? Thanks.
Window size quantization seems to be iffy with tiling dwm. If you're using the tiling mode, try switching to stacking.
comment:11 follow-up: 12 Changed 5 years ago by
Replying to randybytes:
Replying to mcs:
Access to properties within window.screen has been patched as well. Are you seeing a case where window.screen leaks the actual display dimensions or other info?
Are you seeing a case where window.screen leaks the actual display dimensions or other info?
Yes, on the Tor Browser bundle 4.03 with windows 8.1 leaks the actual display dimensions:
On https://panopticlick.eff.org it leaks:
Screen Size and Color Depth: 1366x633x24
which only 1 in 82820.68 browsers have this value.
from the javascript console window.screen shows:
Screen { availWidth: 1366, availHeight: 383, width: 1366, height: 383, colorDepth: 24, ...
Thanks for replying, is their any diagnostic information that could help?
Are you resizing/maximizing your browser window? If so, then this is the cause of the unusual screen size. Our defense is not working with resized/maximized windows yet.
comment:12 follow-up: 15 Changed 5 years ago by
Replying to gk:
Replying to randybytes:
Replying to mcs:
Access to properties within window.screen has been patched as well. Are you seeing a case where window.screen leaks the actual display dimensions or other info?
Are you seeing a case where window.screen leaks the actual display dimensions or other info?
Yes, on the Tor Browser bundle 4.03 with windows 8.1 leaks the actual display dimensions:
On https://panopticlick.eff.org it leaks:
Screen Size and Color Depth: 1366x633x24
which only 1 in 82820.68 browsers have this value.
from the javascript console window.screen shows:
Screen { availWidth: 1366, availHeight: 383, width: 1366, height: 383, colorDepth: 24, ...
Thanks for replying, is their any diagnostic information that could help?
Are you resizing/maximizing your browser window? If so, then this is the cause of the unusual screen size. Our defense is not working with resized/maximized windows yet.
When I start the browser in windowed mode, without any resizing or maximization I get:
Screen Size and Color Depth:
one in x browsers have this value: 621890.75
value: 1004x535x24
So even with no alterations to the window, I am not getting any protection on my platform. 1 in 62K could identify my computer.
comment:13 Changed 5 years ago by
| Keywords: | tbb-fingerprinting-resolution added; tbb-fingerprinting removed |
|---|
comment:14 Changed 5 years ago by
| Summary: | TBB still fingerprintable by screen size → TBB still doesn't round windows in some cases |
|---|
comment:15 Changed 5 years ago by
Replying to randybytes:
When I start the browser in windowed mode, without any resizing or maximization I get:
Screen Size and Color Depth:
one in x browsers have this value: 621890.75
value: 1004x535x24
So even with no alterations to the window, I am not getting any protection on my platform. 1 in 62K could identify my computer.
Could you set extensions.torbutton.loglevel to 3 and click on New Identity? I'd like to have a look at the log output after "Torbutton INFO: New window" which you should find in your browser console (CTRL + SHIFT + J).
comment:16 Changed 5 years ago by
| Keywords: | TorBrowserTeam201502 added |
|---|
comment:17 Changed 5 years ago by
| Keywords: | TorBrowserTeam201503 added; TorBrowserTeam201502 removed |
|---|
I am really hoping we can call this a dup of #14429, but putting this month's tag on it to track that.
comment:18 Changed 5 years ago by
| Keywords: | TorBrowserTeam201504 added; TorBrowserTeam201503 removed |
|---|
comment:19 Changed 5 years ago by
| Keywords: | TorBrowserTeam201505 added; TorBrowserTeam201504 removed |
|---|
comment:20 Changed 5 years ago by
| Keywords: | TorBrowserTeam201506 added; TorBrowserTeam201505 removed |
|---|
comment:21 Changed 5 years ago by
| Keywords: | TorBrowserTeam201507 added; TorBrowserTeam201506 removed |
|---|
Move over remaining June items to July
comment:22 Changed 5 years ago by
| Keywords: | TorBrowserTeam201507 removed |
|---|
comment:23 Changed 3 years ago by
| Cc: | joebtfsplk@… added |
|---|---|
| Severity: | → Normal |
Other case where TBB (Win) still doesn't round screen size correctly (now in v6.08).
If Windows' DPI is left default 96, then as of 01/05/2017, sites report TBB initial start size 1000 W x 900 H, on a 1920x1080, 4:3, 22 inch monitor. Is that the best possible on this size / shape monitor? Since 50 - 75 or 90% ?? of desktop monitors today are probably widescreen (common 4:3), why a nearly square TBB screen that's < half the monitor?
But for many folks with < 20/20 vision or focusing issues, when Windows DPI is increased (say 110), then sites still report 1000 W, but an odd height (like 729) - never a multiple of 100.
That's starting TBB normally & not touching a button. Same issue in a fresh TBB D/L, clean install in new folder, leaving all default settings.
Why can TBB correctly round the width but not height when system DPI is changed? AFAIK, it's never correctly rounded both height & width, if Widows DPI was changed from default.
comment:24 Changed 3 years ago by
| Cc: | adrelanos added |
|---|
Confirming this also effects TBB on windows 8.1. I think this should be a high priority bug.