Opened 3 years ago

Last modified 3 years ago

#18283 new defect

Usage of native GUI controls for web content rendering allows fingerprinting

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

TBB is using native OS GUI controls in Web content (scrollbars, check boxes, comba boxes, ...).

If a user has customized the OS UI settings (e.g. scrollbar size) or installed a custom OS theme, a web page can detect the different control metrics.

This applies at least on Windows. On Linux, TBB appears to ignore the GTK OS config.

Child Tickets

TicketStatusOwnerSummaryComponent
#22137newtbb-teamProvide the same scrollbar size across different platformsApplications/Tor Browser

Attachments (1)

gui-control-demo.html (912 bytes) - added by cypherpunks 3 years ago.
demo

Download all attachments as: .zip

Change History (6)

comment:1 Changed 3 years ago by cypherpunks

Component: - Select a componentTor Browser
Owner: set to tbb-team

comment:2 Changed 3 years ago by gk

Keywords: tbb-fingerprinting added

comment:3 Changed 3 years ago by cypherpunks

Could you provide a demo, please?

Changed 3 years ago by cypherpunks

Attachment: gui-control-demo.html added

demo

comment:4 in reply to:  3 Changed 3 years ago by cypherpunks

Replying to cypherpunks:

Could you provide a demo, please?

I added an attachment to the ticket. You need to enable Javascript.

Changing the Windows theme (e.g. between Aero/Basic/Classic or some 3rd party theme) or customizing the scrollbar size changes the height values.

You need to restart the browser for theme changes to take effect. Firefox only reads the theme at startup.

comment:5 Changed 3 years ago by torrified

I said it before and I'll say it again!

Control Metrics and what does this mean?

This is simply looking at the 'Differences' and seeing how you compare.

If everyone using the Tor browser for Linux uses a default theme added to Tor, then there is no issue, this only comes into play when you Stand Out from the Crowd!

There is a hell of a lot more concern to Security, Privacy & Anonymity, then changing a look, this is tinfoil rubbish! Talking like this, shows people haven't an understanding of true computer security and where the real threats are at, not the look of a browser or it's different settings.

Let me make this Clear, you are talking about the Exterior of computing and trying to apply it, when the Interior, what is underneath the hood of the OS, is where the real importance is!

TOR is only a Layer and only as Good as those using it! ---> FACT

So let's please knock off the Tinfoil Hat Theories of computer security!

GUI Controls for Fingerprints LOL!

An experienced user, that applies correct security and privacy on their end doesn't need to worry about browser fingerprinting, it's utter nonsense!

HELLO, Tor applying the same in the Tor Browser bundle that everyone on the planet is using, is not a fingerprinting issue!

Let's also consider other facts!

1 person out of a million with a different setting, now you're going to find this 1 person out of a million, that knows how to use various layers of technology? Seriously, how easy do you think this is going to be? Again, the point of all this as Tinfoil....

Looking for a needle as they say in the haystack! LOL

Last edited 3 years ago by torrified (previous) (diff)
Note: See TracTickets for help on using tickets.