Opened 4 months ago

Closed 4 months ago

#29348 closed enhancement (duplicate)

Add userChrome to Tor Browser to spoof scrollbars to reduce fingerprinting surface

Reported by: concerneduser
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal
Keywords: tbb-fingerprinting-resolution

Description

We all know that different systems have different scrollbars. I looked it up right now and Tor Browser reports these values for the screen object:

width 1000
height 900
clientWidth 988 (yes I am on Linux)

I found this userChrome (https://gist.github.com/mrkwatz/277fb19d210a7539304ca2388f24d8e3) and it makes the clientWidth become 1000 as intended (you obviously could also make the scrollbars the same width/height as on Windows, but I think this is a better approach). If something like this is included in standard Tor Browser it would minimize segregation and thus allow users to use Tor on Linux/Mac while still appearing as Windows users.

Though keep in mind that (for whatever reason) Tor reports different values for the useragent in the HTTP header (Windows) and the JS navigator obj (Linux). This is strange but irrelevant for fingerprinting if the scrollbar thing is not tackled since it is the same result for anyone else. It would get relevant though if Tor applied the custom scrollbars.

Change History (4)

comment:1 Changed 4 months ago by concerneduser

Sorry, I can't seem to edit, but I forgot: I understand that there are other fingerprinting vectors that can still give your OS away (fonts seem like the most relevant one) but using the spoofed scrollbars helps users that want to use Tor in other ways.

comment:2 Changed 4 months ago by Thorin

The viewport will be standardized in https://bugzilla.mozilla.org/show_bug.cgi?id=1407366 and you will not be able to calculate the scrollbar width. I assume - i.e. I am not entirely sure where the scrollbar ends up in this patch - against the edge of the inner window, or in the viewport

Also note #22137 exists

Off-topic

> Tor reports different values for the useragent in the HTTP header (Windows) and the JS navigator obj (Linux). This is strange

Not at all. It's a compromise (see #26146 if you want a LONG read). JS/navigator reveals 4 OSes (due to breakage), but HTTP Headers is limited to 2 (to reduce entropy). Sites that provide functionality based on OS/platform use JS naturally to detect that. But not all is lost, because hopefully, when https://bugzilla.mozilla.org/show_bug.cgi?id=1519122 lands, the JS/navigator can be reduced back to 2 OSes.

> there are other fingerprinting vectors that can still give your OS away

Indeed. The fonts differ between Tor Browser bundles. See https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#useragent - the [css] os result.

comment:3 Changed 4 months ago by Thorin

Also note that chrome affects the inner window. Showing the toolbar in windows makes Tor Browser (with density = compact) out by 2 pixels (loads as 1000x998). Using the findbar alters the inner window, as does toggling the menu on and off, or using the sidebar.

Using the viewport instead means zero chrome can alter the intended size, which will dynamically snap into preset sizes/steps. It also minimizes the issues with maximizing, going full screen, and resizing the browser.

comment:4 in reply to:  3 Changed 4 months ago by gk

Keywords: tbb-fingerprinting-resolution added; scrollbar fingerprinting removed
Resolution: duplicate
Status: new → closed
Version: Tor: unspecified

Replying to Thorin:

> Also note that chrome affects the inner window. Showing the toolbar in windows makes Tor Browser (with density = compact) out by 2 pixels (loads as 1000x998). Using the findbar alters the inner window, as does toggling the menu on and off, or using the sidebar.

Yes, that's #16456. Closing this ticket as a duplicate of #22137.
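
A self-check for the two leaks discussed in this ticket (measurable scrollbar width, and browser chrome pushing the inner window off its intended size), added here as an example; it is not code from the ticket, the linked gist or Tor Browser. Assumptions: the reported width/height are treated as the inner window size, and `STEP_W`/`STEP_H` (200x100 rounding) and all function names are hypothetical.

```javascript
// Added example, not code from the ticket or from Tor Browser.
// Assumption: new windows are rounded to multiples of STEP_W x STEP_H.
const STEP_W = 200;
const STEP_H = 100;

// Distance from n to the nearest multiple of step (0 means "on a step").
function offStep(n, step) {
  const r = n % step;
  return Math.min(r, step - r);
}

// m: { innerWidth, innerHeight, clientWidth } as read by page script.
// clientWidth only shrinks when a classic (space-taking) vertical scrollbar
// is actually rendered, so run this on a page tall enough to scroll.
function auditViewport(m) {
  const findings = [];
  const scrollbarWidth = m.innerWidth - m.clientWidth;
  if (scrollbarWidth > 0) {
    findings.push(`scrollbar width ${scrollbarWidth}px is measurable`);
  }
  const off = {
    width: offStep(m.innerWidth, STEP_W),
    height: offStep(m.innerHeight, STEP_H),
  };
  if (off.width || off.height) {
    findings.push(`inner window off step by ${off.width}x${off.height}px`);
  }
  return { scrollbarWidth, off, findings };
}

// In a browser, read the live values; returns null elsewhere (e.g. Node).
function collectMetrics() {
  if (typeof window === "undefined") return null;
  return {
    innerWidth: window.innerWidth,
    innerHeight: window.innerHeight,
    clientWidth: document.documentElement.clientWidth,
  };
}

// Constructed samples using the numbers quoted in the ticket.
const SAMPLES = {
  linuxClassicScrollbar: { innerWidth: 1000, innerHeight: 900, clientWidth: 988 },
  withUserChrome: { innerWidth: 1000, innerHeight: 900, clientWidth: 1000 },
  toolbarShown: { innerWidth: 1000, innerHeight: 998, clientWidth: 1000 },
};

const live = collectMetrics();
if (live) console.log("live", auditViewport(live));
for (const [name, m] of Object.entries(SAMPLES)) console.log(name, auditViewport(m));
```

An empty `findings` array means neither value distinguishes the configuration from the intended 1000x900 window; it says nothing about other vectors such as fonts.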
