Opened 13 months ago

Closed 13 months ago

Last modified 13 months ago

#27196 closed defect (worksforme)

TB 8a10 and panopticlick: your browser has a unique fingerprint

Reported by: traumschule
Owned by: erinn
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal
Keywords: ff60-esr, tbb-usability tbb-security, tbb-performance

Description

The bundle works fine, thanks for your great work!

I am surprised by the new yellow blinking triangle over the onion settings button. What does it mean? (The tooltip only says "Tor Enabled")

Update NoScript to 10.1.8.16

In NoScript preferences the list of per-site definitions was empty, I added a site and clicked on reset: a lot of whitelisted domains appeared (#26517).

Trackers

As discussed before (#12958), blocking content allows fingerprinting, instead you suggest "an identical blocklist for every user. For example, AdBlock Plus with a fixed set of filters." Do you have plans to do this? (I am aware of your answers for uMatrix and ublock origin and spare you to repost everything :)
(mentioning Riseup's recommendations + requestblock for a balanced perspective, because I do not follow the conclusion that external requests should be accepted just not to be finger-printable. For me personally it's worse, when trackers know that I visited a site.)

#14924 sounds reasonable.

EFF/Panopticlick

wants me to install privacybadger (not voting for it here, because of #12958)
Is your browser blocking tracking ads? ⚠ partial protection
Is your browser blocking invisible trackers? ⚠ partial protection
Does your blocker stop trackers that are included in the so-called “acceptable ads” whitelist? ✗ no
Does your browser unblock 3rd parties that promise to honor Do Not Track? ✗ no
Does your browser protect from fingerprinting? ✗
your browser has a unique fingerprint
https://share.riseup.net/#3RwdPLNSuFFZcK9MA_6l8g

I consider the defaults dangerous (window size). Why not setting the security slider to "Safest" per default?

Change History (6)

comment:1 in reply to:  description Changed 13 months ago by ProTipGuyFWIWWeLoveARMA

Replying to traumschule:

> Trackers
>
> As discussed before (#12958), blocking content allows fingerprinting, instead you suggest "an identical blocklist for every user. For example, AdBlock Plus with a fixed set of filters." Do you have plans to do this? (I am aware of your answers for uMatrix and ublock origin and spare you to repost everything :)
> (mentioning Riseup's recommendations + requestblock for a balanced perspective, because I do not follow the conclusion that external requests should be accepted just not to be finger-printable. For me personally it's worse, when trackers know that I visited a site.)

Trackers won't know who the "I" is so it's at worst harmless. The arguments for a tracker blocker including one are mainly - as I see it - about performance. Also Arthur voiced support for such a proposal. There's also another proposal for adding Decentraleyes which (doesn't block trackers) provides JS libraries locally instead and blocks resolving them through a CDN: #22089, it sounds good and doesn't suffer the problems with a tracker blocker but has not received any response so far from tb-devs.

> #14924 sounds reasonable.

Yes.

> EFF/Panopticlick
>
> wants me to install privacybadger (not voting for it here, because of #12958)
> Is your browser blocking tracking ads? ⚠ partial protection
> Is your browser blocking invisible trackers? ⚠ partial protection
> Does your blocker stop trackers that are included in the so-called “acceptable ads” whitelist? ✗ no
> Does your browser unblock 3rd parties that promise to honor Do Not Track? ✗ no
> Does your browser protect from fingerprinting? ✗
> your browser has a unique fingerprint
> https://share.riseup.net/#3RwdPLNSuFFZcK9MA_6l8g

What is going on with your browser window size? It doesn't appear to be normal. You can test as well here: https://fpcentral.tbb.torproject.org/fp Because that's the only thing that leaks much entropy in your side (here's hoping tbb devs will actually fix the user agent as well to not leak OS for most sites and most trackers).

> I consider the defaults dangerous (window size). Why not setting the security slider to "Safest" per default?

Captain Mike has a nice breakdown explanation: https://lists.torproject.org/pipermail/tor-talk/2012-May/024227.html

comment:2 in reply to:  description Changed 13 months ago by gk

Resolution: worksforme
Status: new → closed

Replying to traumschule:

> The bundle works fine, thanks for your great work!

Thanks!

> I am surprised by the new yellow blinking triangle over the onion settings button. What does it mean? (The tooltip only says "Tor Enabled")

8.0a10 is not released yet, thus you get the warning icon that indicates you are running a non-approved (and possibly dangerous to use) Tor Browser.

> Trackers
>
> As discussed before (#12958), blocking content allows fingerprinting, instead you suggest "an identical blocklist for every user. For example, AdBlock Plus with a fixed set of filters." Do you have plans to do this?

No.

> #14924 sounds reasonable.
>
> EFF/Panopticlick
>
> wants me to install privacybadger (not voting for it here, because of #12958)
> Is your browser blocking tracking ads? ⚠ partial protection
> Is your browser blocking invisible trackers? ⚠ partial protection
> Does your blocker stop trackers that are included in the so-called “acceptable ads” whitelist? ✗ no
> Does your browser unblock 3rd parties that promise to honor Do Not Track? ✗ no
> Does your browser protect from fingerprinting? ✗
> your browser has a unique fingerprint
> https://share.riseup.net/#3RwdPLNSuFFZcK9MA_6l8g

Panopticlick is not a good platform to test Tor Browser for fingerprinting resistance on because of its bias due to older browser configurations and all the other browsers that are in the database and which your values are checked against to find out the uniqueness of your configuration. Re your screen size: do you get that with a clean, new 8.0a10 without any modifications? You should have a config rounded to a multiple of 200x100.
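The two points in the comment above (window sizes rounded to a multiple of 200x100, and a uniqueness score depending on the population a value is compared against), as an added example that is not part of the ticket or of Tor Browser's code. The rounding rule is a simplified assumption, and every size and population in it is constructed.

```javascript
// Added illustration: all sizes and populations here are constructed, not measured.

// Round a window size down to a multiple of 200x100 (the grid mentioned above).
// Assumption: plain downward rounding; the browser's real sizing logic has more rules.
function roundToBucket(width, height, stepW = 200, stepH = 100) {
  return {
    width: Math.max(stepW, Math.floor(width / stepW) * stepW),
    height: Math.max(stepH, Math.floor(height / stepH) * stepH),
  };
}

// True when a reported size already sits on the 200x100 grid.
function isBucketed(width, height, stepW = 200, stepH = 100) {
  return width % stepW === 0 && height % stepH === 0;
}

// Surprisal (bits) of seeing `value` among `population` ("WxH" strings).
// An unseen value counts as one new visitor, i.e. probability 1/(N+1).
function surprisalBits(value, population) {
  const matches = population.filter((v) => v === value).length;
  const p = matches > 0 ? matches / population.length : 1 / (population.length + 1);
  return -Math.log2(p);
}

const key = ({ width, height }) => `${width}x${height}`;

// Constructed: eight users with maximized windows on different screens.
const rawSizes = [
  [1920, 1040], [1366, 728], [1440, 860], [1916, 1057],
  [1280, 984], [1600, 860], [1536, 824], [1364, 741],
].map(([width, height]) => ({ width, height }));
const rawPopulation = rawSizes.map(key);
const bucketedPopulation = rawSizes.map((s) => key(roundToBucket(s.width, s.height)));

// Constructed: a reference set in which most visitors already report bucketed sizes.
const bucketedReference = [
  "1000x700", "1000x700", "1000x700", "1000x700",
  "1000x600", "1000x600", "1200x700", "1000x900",
];

// Same user, same screen: raw size vs. bucketed size within the same eight users.
console.log("raw 1916x1057:", surprisalBits("1916x1057", rawPopulation).toFixed(2), "bits");
console.log("bucketed 1800x1000:", surprisalBits("1800x1000", bucketedPopulation).toFixed(2), "bits");
// Same value, different reference population: the score changes with the database.
console.log("1000x700 vs raw set:", surprisalBits("1000x700", rawPopulation).toFixed(2), "bits");
console.log("1000x700 vs bucketed set:", surprisalBits("1000x700", bucketedReference).toFixed(2), "bits");
```
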

comment:3 Changed 13 months ago by gk

Component: Applications/Tor bundles/installation → Applications/Tor Browser

comment:4 Changed 13 months ago by traumschule

> Re your screen size: do you get that with a clean, new 8.0a10 without any modifications? You should have a config rounded to a multiple of 200x100.

> What is going on with your browser window size? It doesn't appear to be normal. You can test as well here: https://fpcentral.tbb.torproject.org/fp Because that's the only thing that leaks much entropy in your side (here's hoping tbb devs will actually fix the user agent as well to not leak OS for most sites and most trackers).

On i3 new windows are maximized, one needs to alt+shift+space them to window mode (or use other means), now it's at 1000x700x24.
maximized: https://share.riseup.net/#MHCMLo2EsW25uIvO06JRvA
windowed: https://share.riseup.net/#NQZiSG3GIGbgmEgIliSltw
The security slider has no effect at this point. Also I wonder why TB does not show a warning when maximized, it did that ago.

comment:5 in reply to:  4 Changed 13 months ago by CensorAllTheThings

Replying to traumschule:

> The security slider has no effect at this point. Also I wonder why TB does not show a warning when maximized, it did that ago.

That happened to me too but it's actually normal, after some maximizing attempts the warning no longer shows up.
