Opened 5 years ago

Last modified 4 years ago

#18283 new defect

Usage of native GUI controls for web content rendering allows fingerprinting

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


TBB is using native OS GUI controls in Web content (scrollbars, check boxes, comba boxes, ...).

If a user has customized the OS UI settings (e.g. scrollbar size) or installed a custom OS theme, a web page can detect the different control metrics.

This applies at least on Windows. On Linux, TBB appears to ignore the GTK OS config.

Child Tickets

#22137newtbb-teamProvide the same scrollbar size across different platformsApplications/Tor Browser

Attachments (1)

gui-control-demo.html (912 bytes) - added by cypherpunks 5 years ago.

Download all attachments as: .zip

Change History (6)

comment:1 Changed 5 years ago by cypherpunks

Component: - Select a componentTor Browser
Owner: set to tbb-team

comment:2 Changed 5 years ago by gk

Keywords: tbb-fingerprinting added

comment:3 Changed 5 years ago by cypherpunks

Could you provide a demo, please?

Changed 5 years ago by cypherpunks

Attachment: gui-control-demo.html added


comment:4 in reply to:  3 Changed 5 years ago by cypherpunks

Replying to cypherpunks:

Could you provide a demo, please?

I added an attachment to the ticket. You need to enable Javascript.

Changing the Windows theme (e.g. between Aero/Basic/Classic or some 3rd party theme) or customizing the scrollbar size changes the height values.

You need to restart the browser for theme changes to take effect. Firefox only reads the theme at startup.

comment:5 Changed 4 years ago by torrified

I said it before and I'll say it again!

Control Metrics and what does this mean?

This is simply looking at the 'Differences' and seeing how you compare.

If everyone using the Tor browser for Linux uses a default theme added to Tor, then there is no issue, this only comes into play when you Stand Out from the Crowd!

There is a hell of a lot more concern to Security, Privacy & Anonymity, then changing a look, this is tinfoil rubbish! Talking like this, shows people haven't an understanding of true computer security and where the real threats are at, not the look of a browser or it's different settings.

Let me make this Clear, you are talking about the Exterior of computing and trying to apply it, when the Interior, what is underneath the hood of the OS, is where the real importance is!

TOR is only a Layer and only as Good as those using it! ---> FACT

So let's please knock off the Tinfoil Hat Theories of computer security!

GUI Controls for Fingerprints LOL!

An experienced user, that applies correct security and privacy on their end doesn't need to worry about browser fingerprinting, it's utter nonsense!

HELLO, Tor applying the same in the Tor Browser bundle that everyone on the planet is using, is not a fingerprinting issue!

Version 0, edited 4 years ago by torrified (next)
Note: See TracTickets for help on using tickets.