Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#27257 closed defect (fixed)

In Tor Browser prefs, "dom.network.enabled" should have been "dom.netinfo.enabled"

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting, tbb-mobile, ff60-esr, TorBrowserTeam201808R
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Seems to have been a typo from #5642. Lucky for us, this pref is disabled by default in Firefox desktop and also the API is disabled by privacy.resistFingerprinting thanks to https://bugzilla.mozilla.org/show_bug.cgi?id=1372072. We could set "dom.netinfo.enabled" to false just to be safe, or just remove the "dom.network.enabled" line altogether.

Change History (7)

comment:1 Changed 3 months ago by arthuredelstein

Turns out it wasn't a typo, but dom.network.enabled was changed to dom.netinfo.enabled in https://hg.mozilla.org/mozilla-central/rev/ae8a5c6d6340

comment:2 Changed 3 months ago by gk

Testing it on an upcoming Tor Browser for Android shows "Connection type is unknown", so I assume the resistfingerprinting part is working here. Thus, I think we can just remove the pref.

comment:3 Changed 3 months ago by arthuredelstein

Keywords: TorBrowserTeam201808R added
Status: new → needs_review

comment:4 Changed 3 months ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks, cherry-picked to tor-browser-60.1.0esr-8.0-1 (commit 03c692e334c33c21a2f50c5df75d839b93533e55).

comment:5 Changed 3 months ago by Thorin

dom.netinfo.enabled=false returns "unknown" but RFP returns "undefined"

You need to decide what you want to enforce as your TBB fingerprint. RFP "clashes" with a lot of other prefs you have flipped in the past. You'll have to evaluate each one on its own in order to determine if the pref or RFP wins out. Or even which one gives better protection (eg media.video_stats.enabled=false disables the API, but RFP returns dynamically spoofed values .. so which do you want? which is less entropy or fits your threat model)

comment:6 Changed 3 months ago by tom

For RFP, where we could, we choose values that would keep the API functioning; just in a constant way.

Therefore I think we would want netinfo to return unknown, rather than undefined. If RFP says undefined, we should open a Mozilla bug to correct it....

comment:7 Changed 3 months ago by Thorin

Actually, I have that back to front, sorry

Which is to be expected. The point was that you'll need to evaluate/revert past pref flipping
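
The stale pref name from the description and comment:1, turned into a check that can be run over a prefs file after rebasing onto a new ESR. This is an added example, not code from Tor Browser or from anyone on this ticket; `auditPrefs`, `RENAMED` and the sample file contents are assumptions, and the single rename entry is the one documented in comment:1.

```javascript
// Renames known from upstream history: old name -> current name.
// Only the rename documented in this ticket is listed (hypothetical table).
const RENAMED = new Map([["dom.network.enabled", "dom.netinfo.enabled"]]);

// Matches pref("name", value); and user_pref("name", value);
// Lines starting with // do not match, so commented-out prefs are ignored.
const PREF_RE = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

function auditPrefs(text) {
  const seen = new Map(); // pref name -> { line, value }
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = PREF_RE.exec(raw);
    if (m) seen.set(m[1], { line: i + 1, value: m[2] });
  });

  const findings = [];
  for (const [name, info] of seen) {
    const current = RENAMED.get(name);
    if (!current) continue;
    const replacement = seen.get(current);
    findings.push({
      line: info.line,
      stale: name,
      current,
      value: info.value,
      // covered: the current name is set to the same value elsewhere in the
      // file, so the stale line is only dead weight. Otherwise the intended
      // setting is not enforced by this file and rests on the browser default.
      covered: replacement !== undefined && replacement.value === info.value,
    });
  }
  return findings;
}

// Constructed sample, not the real Tor Browser prefs file.
const SAMPLE = [
  "// Fingerprinting",
  'pref("dom.network.enabled", false); // old name, no longer read',
  'pref("privacy.resistFingerprinting", true);',
  '// pref("dom.netinfo.enabled", false);',
].join("\n");

for (const f of auditPrefs(SAMPLE)) {
  console.log(`line ${f.line}: "${f.stale}" is now "${f.current}"` +
    (f.covered ? " (current name also set)" : " (current name NOT set)"));
}
```
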
