Opened 4 months ago

Last modified 4 months ago

#29564 new defect

DOMRect on at least Linux is not consistent

Reported by: Thorin Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting
Cc: mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Test site: https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#domrect

Note: this is the same code as used by [2] which is based on [3]

[2] https://canvasblocker.kkapsner.de/test/domRectTest.html
[3] https://browserleaks.com/rects

I expect differences between OS (Windows vs Linux vs macOS etc), but not between platforms (Ubuntu vs Debian). My test suite is not definitive, so there may be others: results

Win7/10:
2380796ca1fab68e105199501407219d670114c99e0cee1cf176e03a04bad769
good

Mint, Ubuntu, openSUSE
8607449084c2811952029f052ef158346f4c850795376e3de41ed3ea229add6b
good

Debian
bb24643dfd4856c875a2b8dd877b5ec76626c2d88b77c963e20c8f788823e420
not good

Child Tickets

Change History (4)

comment:1 Changed 4 months ago by gk

Keywords: tbb-fingerprinting added; tbb-fingerprinting-os removed
Priority: MediumHigh

comment:3 Changed 4 months ago by gk

Cc: mcs added

Seems this is actually a duplicate of #18500. I guess we dupe the older ticket to this one, though, as we have more info here.

Useful info in the #18500 description is:

​http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html claims that getClientRects() provides a lot of differences between two computers. This is "[d]epending on the resolution, font configuration and lots of other factors".

comment:4 Changed 4 months ago by flngerprlnt

Not only DOMRect readouts of HTML elements (text transformations, buttons, progress elements, ...) itself are fingerprintable
(https://privacycheck.sec.lrz.de/active/fp_gcr/fp_getclientrects.html)

but DOMRect also makes for example

MathML Fingerprinting (https://privacycheck.sec.lrz.de/active/fp_ml/fp_ml.html)
Emoji Fingerprinting (https://privacycheck.sec.lrz.de/active/fp_e/fp_emoji.html)

more effective.

Note: See TracTickets for help on using tickets.