Opened 5 years ago

Closed 4 years ago

#17423 closed defect (fixed)

Look into Yan's browser fingerprinting tricks

Reported by: arthuredelstein Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting, tbb-linkability
Cc: zyan, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Yan has a brilliant slide deck on browser fingerprinting, here:

We need to figure out which of these vulnerabilities Tor Browser has, and fix them. Do we need to isolate HSTS and HPKP caches to URL bar domain? Apparently #1517 (reduce JS time precision) helps protect Tor Browser from Yan's implementations, but there may be ways around that limitation.

There is also a demo here:

Child Tickets

Change History (5)

comment:1 Changed 5 years ago by zyan

(yan here)

I am fairly certain that the 301-redirect cache timing attack mentioned at the end is not feasible thanks to #1517, at least.

Note there is an chrome bug for a non-timing HSTS attack that has the same fingerprinting impact as Sniffly. I believe it works in Firefox as well.

Chrome fixed it and then reverted the fix because it broke things. TBB should probably just copy their original fix.

comment:2 Changed 5 years ago by gk

We have #6458 for the HSTS linkability issue.

comment:3 Changed 5 years ago by mcs

Cc: mcs added

comment:4 in reply to:  2 Changed 5 years ago by zyan

Replying to gk:

We have #6458 for the HSTS linkability issue.

Can you confirm my understanding of #6458?

  1. user visits, gets HSTS pin
  2. user visits with <img src="">. the browser makes the request over HTTP anyway because the user has never visited on before.

I think that would stop the Sniffly attack.

comment:5 Changed 4 years ago by gk

Keywords: tbb-linkability added
Resolution: fixed
Status: newclosed

Yes, I think your understanding is correct. Mike created #17965 for the HPKP issue in case we are not dealing with it in #6458. I first thought we should do that but think now both features are distinct enough that dealing with them in different tickets seems reasonable.

Note: See TracTickets for help on using tickets.