#25179 closed defect (invalid)

identity leakage, resolution

Reported by: y2875095 Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: tbb-team Sponsor:

Description

Tor browser is right about possible identity leak via resolution (plugins and such)

but...

Setting browser to custom resolution will give even MORE INFO!

Use most popular resolution (less identifying information), not most custom one (most precise identification)...

Tor browser should send fake resolution every time...

You don't walk with custom costume when you want to hide yourself...

Change History (5)

comment:1 Changed 22 months ago by y2875095

Component: - Select a component → Applications/Tor Browser
Keywords: tbb-security added; browswer security removed
Owner: set to tbb-team
Reviewer: tbb-team

comment:2 Changed 22 months ago by gk

Keywords: tbb-security removed
Priority: Very High → Medium
Resolution: invalid
Severity: Critical → Normal
Status: new → closed

Fake properties are probably not working pretty well. The idea is to make all Tor Browser users as uniform as possible. See: https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability.

comment:3 Changed 22 months ago by y2875095

> make all Tor Browser users as uniform as possible

Yes, Tor users should be uniform: between each other and among users of "real" browsers.

Until a certain time, the browser asked to change the resolution in order to "hide"... But more information for fingerprints won't "hide" anyone.

I'm not sure about current or latest versions.

2 Device and Hardware Characteristics ...
... and prefer to either alter functionality to prevent exposing the most variable aspects of these characteristics ...

Resolution and responsive CSS selectors may leak variable resolution

1 Value Spoofing...
... user's configuration details, devices, hardware ...

comment:4 Changed 22 months ago by y2875095

Resolution: invalid
Severity: Normal → Critical
Status: closed → reopened

Up to 20 bits of entropy isn't a "normal" leak, but a severe one: panopticlick.eff.org

comment:5 in reply to:  3 Changed 22 months ago by gk

Resolution: invalid
Severity: Critical → Normal
Status: reopened → closed

Replying to y2875095:

> > make all Tor Browser users as uniform as possible
>
> Yes, Tor users should be uniform: between each other and among users of "real" browsers.

It's probably not feasible to blend into, say, users of Chrome as the differences are too big. The goal is to make *Tor Browser* users uniform.

Looking at Panopticlick is exactly for the above reasons not a good idea: it contains non-Tor Browser data as well which is skewing the result.
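
The reference-population point from comment 5, as an added example that is not part of the ticket: it measures how many bits a reported window size reveals against a mixed sample of browsers versus against Tor Browser users only. All counts and sizes are constructed for illustration, and `anonymity_set`, `surprisal_bits` and `report` are names made up here.

```python
import math

# Constructed sample of (browser, reported window size) pairs; not real data.
SAMPLE = (
    [("other", "1920x1080")] * 400
    + [("other", "1366x768")] * 300
    + [("other", "1536x864")] * 200
    + [("other", "1440x900")] * 60
    + [("tor", "1000x900")] * 30   # Tor Browser users sharing one window size
    + [("tor", "1000x700")] * 8
    + [("tor", "1377x811")] * 1    # Tor Browser user with a custom size
    + [("tor", "1920x1080")] * 1   # Tor Browser user on a size popular elsewhere
)


def anonymity_set(sample, size, browser=None):
    """Number of observations sharing `size`, optionally within one browser."""
    return sum(1 for b, s in sample if s == size and browser in (None, b))


def surprisal_bits(sample, size, browser=None):
    """Bits revealed by `size` relative to the chosen reference population."""
    pool = sum(1 for b, _ in sample if browser in (None, b))
    matches = anonymity_set(sample, size, browser)
    if matches == 0:
        raise ValueError(f"{size} not present in the reference population")
    return math.log2(pool / matches)


def report(sample, sizes):
    """Rows of (size, bits vs. everyone, bits vs. Tor Browser users only)."""
    return [
        (s, round(surprisal_bits(sample, s), 2),
         round(surprisal_bits(sample, s, "tor"), 2))
        for s in sizes
    ]


if __name__ == "__main__":
    for size, mixed, tor_only in report(SAMPLE, ["1000x900", "1377x811", "1920x1080"]):
        print(f"{size:>10}  mixed={mixed:5.2f} bits  tor-only={tor_only:5.2f} bits")
```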
