Opened 11 months ago

Closed 11 months ago

Last modified 10 months ago

#31512 closed enhancement (invalid)

Fingerprinting of Tor Browser

Reported by: thelamper Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The official advice from the Tor Project is not to alter any settings in the Tor Browser, like installing browser extensions, because this will make the individual browser less unique and more vulnerable to fingerprinting. But, as long as javascript is enabled, the individual Tor Browser seems to have a more or less unique fingerprint. Most people are probably aware of the panopticlick and amiunique fingerprinting tests, but there are also these two sites: (brax.me/geo/) and (tor.triop.se/) which assign a unique identifying number to a user's tor browser that remains more or less constant, until javascript is disabled.

My question-proposal is this. Since the Tor Browser (with javascript enabled) is not wholly resistant to fingerprinting, why not install a user-agent switcher or some other browser extension that can spoof details about the browser? Sure it will make the individual Tor Browser behave differently but is that such a bad thing when it can already be identified and potentially tracked across website visits?

I have tested one user-agent switcher (gitlab.com/ntninja/user-agent-switcher) and it provides only partial protection - despite setting it to random mode, changing every minute, the same fingerprint codes appear from time to time.
Can anyone suggest a better user-agent switcher than this one?

I don't know if this sub-topic has been addressed elsewhere in the forums, so you are welcome to link it to a pre-existing ticket.

Change History (14)

comment:1 Changed 11 months ago by boklm

Resolution: invalid
Status: new → closed

The user-agent string is the same for all Tor Browser users, so it is not a fingerprinting vector, and installing a user-agent switcher will not improve things here (and actually make things worse when you are the only one doing it).

Regarding randomization of the user-agent, you can read the section "Strategies for Defense: Randomization versus Uniformity" in the Tor Browser design documentation: https://2019.www.torproject.org/projects/torbrowser/design/

comment:2 Changed 11 months ago by cypherpunks

Maybe, better to remove keywords also.

comment:3 Changed 11 months ago by boklm

Keywords: fingerprinting fingerprint user-agent switcher removed
Version: Tor: unspecified

comment:4 Changed 11 months ago by tom

https://tor.triop.se/ identifies the version of Tor Browser used (and sometimes OS). It doesn't identify users uniquely. If anything, it confirms that we're doing a pretty good job that someone smart poked at this and this was the best they could do.

brax.me/geo/ is a bit harder to read - the code isn't as clean/well documented. But I'm not given much confidence by it with comments like "it's impossible to detect incognito mode". It does some WebGL fingerprinting, and AudioContext, but aside from those I don't see anything particularly inventive or concerning.

comment:5 in reply to:  4 Changed 11 months ago by Thorin

Replying to tom:

https://tor.triop.se/ identifies the version of Tor Browser used (and sometimes OS). It doesn't identify users uniquely. If anything, it confirms that we're doing a pretty good job that someone smart poked at this and this was the best they could do.

https://github.com/jonaslejon/tor-fingerprint/blob/master/tor-fingerprint.js : I've looked at this code in the past, several times

On both Windows 7 and Linux Mint, it does not detect (for me) Tor Browser (8.5.4), or the version, or even the major OS.

The fingerprint does change though, so there is entropy in that: I'll re-look at it if you want.

  • my Linux Mint (VM): Fingerprint: -1609407044, -950496277
  • my Win7 (bare metal): Fingerprint: 427398366, 278677235

---

Detecting Tor Browser: all TB's are the same in this metric. It's actually already trivial and 100% reliable to detect this via other methods.

Detecting version: Tor Browsers should be up-to-date and should all report the same on this metric (major version e.g. 8 or 9: or if based on ESR60 or 68 etc). It's actually already trivial and 100% reliable to detect this via other methods.

Detecting OS: It's actually already trivial and 100% reliable to detect this via other methods. And right now, the JS navigator will actually tell you (for now: that may change: why give away free entropy when we don't have to). It's almost impossible to hide your major OS.

The only other thing of interest here might be detecting Tails. Or if you're using a VM (which I have a PoC for: but won't be sharing in here)

---

I'll have a look at the other one later

Last edited 11 months ago by Thorin

comment:6 Changed 11 months ago by Thorin

https://thorin-oakenpants.github.io/testing/debugtriop.html

The fingerprints differ per OS due to a few navigator properties (which we did deliberately). That's all. The above link breaks down both FP's

The ChkTorButton function no longer works for two reasons:

  • the resource being checked no longer exists
  • Synchronous XMLHttpRequest on the main thread is deprecated anyway

All the rest on the original PoC is based on the fingerprint, which includes the ChkTorButton value: and this is broken now: returning a NetworkError. Even if it wasn't broken, the fingerprints don't leak anything except OS: which ... see previous post

comment:7 Changed 11 months ago by Thorin

https://brax.me/geo/ fingerprinting is using https://github.com/Valve/fingerprintjs2

  • view-source:https://brax.me/geo/fingerprint2.js

There is absolutely nothing new here. I've studied this source in depth

  • webaudio is disabled in TB
  • webgl doesn't render anything: readPixels is disabled but not sure about on click to play: sorry: haven't kept up to date on this
  • webgl vendor & renderer are already covered
  • navigator properties reveal OS: see previous comments
  • fonts reveal OS

Entropy within OS fonts (despite the whitelist) is covered elsewhere

comment:8 Changed 10 months ago by thelamper

Both of those fingerprinting tests (brax.me/geo/) and (tor.triop.se/) fail with javascript disabled ie they cannot generate a 'unique identifying number'.

Does having javascript disabled make it harder to fingerprint individual Tor users ie it reduces the data leaked by the user's browser to the website in question? The panopticlick and amiunique tests suggest that disabling JS helps users blend in with the crowd by reducing their uniqueness.

Or is it generally viewed by the Tor Project as safe (ie non-fingerprintable) for Tor users to browse the web with javascript enabled?

comment:9 in reply to:  8 Changed 10 months ago by Thorin

Replying to thelamper:

Does having javascript disabled make it harder to fingerprint individual Tor users

Absolutely. Reducing the attack surface (by disabling JS) removes a lot of the FPing metrics possible.

Or is it generally viewed by the Tor Project as safe (ie non-fingerprintable) for Tor users to browse the web with javascript enabled?

My view is that it's always a work in progress but the anti-FPing in Tor Browser is very mature at this stage. Instead, adapt to your threat model, and use the security slider.

comment:10 Changed 10 months ago by thelamper

Replying to Thorin:

Testing tor.triop.se/, with Win10, I get the same 'unique identifying numbers' as your Win7: 427398366, 278677235. Confirms the point about the operating system.

Testing brax.me/geo, with Win10, my 'unique identifying number' changes from time to time but sometimes is constant, which I don't have an explanation for.

comment:11 Changed 10 months ago by Thorin

Not sure on brax.me not providing a static fingerprint for you. Does it ever change back to a previous fingerprint? Did it only change between releases?

Examples: toggling the toolbar on/off: anything that changes chrome will affect the FP (until letterboxing kicks in). In the case of the toolbar, if enabled, this even affects new windows: you will find there is a glitch since FF57 (Quantum) where the height is always short by x pixels depending on the OS (but consistent x pixels per OS). And toolbar density also affects this. So it could be you had the toolbar showing sometimes, and others, not. Or maybe the browser window had been inadvertently resized <-- I suspect this

Long story short, the fingerprintjs2 techniques are all covered, and if their "unique fingerprint" isn't very stable, then they're not doing a very good job at it :) But I don't suspect that's the case: TB doesn't (yet) use randomizing.

At the end of the day: there's nothing here that isn't known about and covered. Paste view-source:https://brax.me/geo/fingerprint2.js into the urlbar, scroll almost to the end (very end and page up twice) and look at the var components list

Maybe keep a record of the FP hashes: and check your inner window res at the same time

Edit: Ahh OK, it's got a "show details" ... keep a record so you can tell what changed

Last edited 10 months ago by Thorin
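
The record-keeping suggested in the comment above, as an added example that is not part of the ticket or of any participant's code: it compares saved "show details" snapshots to show which component changed between two fingerprint hashes and whether a hash ever recurs. The snapshot shape, hash strings and component keys are constructed sample data, not values from either test site.

```javascript
// Added example: compare recorded fingerprint snapshots to see what changed.
// Snapshot shape, hashes and component keys are constructed sample data.
const snapshots = [
  { visit: "visit-1", hash: "hash-A",
    components: { platform: "Win32", timezone: "UTC", windowSize: [1000, 900] } },
  { visit: "visit-2", hash: "hash-B",
    components: { platform: "Win32", timezone: "UTC", windowSize: [1000, 867] } },
  { visit: "visit-3", hash: "hash-A",
    components: { platform: "Win32", timezone: "UTC", windowSize: [1000, 900] } },
];

// Components whose value differs between two snapshots (missing keys count).
function changedComponents(before, after) {
  const keys = new Set([...Object.keys(before.components),
                        ...Object.keys(after.components)]);
  const changes = [];
  for (const key of [...keys].sort()) {
    const a = JSON.stringify(before.components[key]);
    const b = JSON.stringify(after.components[key]);
    if (a !== b) changes.push({ key, before: a, after: b });
  }
  return changes;
}

// Hashes seen on more than one visit: the fingerprint "changed back".
function recurringHashes(series) {
  const visitsByHash = new Map();
  for (const s of series) {
    visitsByHash.set(s.hash, [...(visitsByHash.get(s.hash) || []), s.visit]);
  }
  return [...visitsByHash].filter(([, visits]) => visits.length > 1);
}

// Components that took more than one value across the whole series.
function unstableComponents(series) {
  const seen = new Map();
  for (const s of series) {
    for (const [key, value] of Object.entries(s.components)) {
      if (!seen.has(key)) seen.set(key, new Set());
      seen.get(key).add(JSON.stringify(value));
    }
  }
  return [...seen].filter(([, v]) => v.size > 1).map(([key]) => key).sort();
}

console.log(changedComponents(snapshots[0], snapshots[1]));
console.log(recurringHashes(snapshots));
console.log(unstableComponents(snapshots));
```
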

comment:12 Changed 10 months ago by thelamper

The fingerprint code (ostensibly a 'uniquely identifying number') on the brax.me/geo website does change back to a previous fingerprint sometimes, and is sometimes stable. It's very hard to tell. Too many variables.

Anyway, good to know that this is not news to the Tor Project. Thanks for all the detail.

comment:13 Changed 10 months ago by Thorin

FYI: it could also be if you inadvertently toggled the menu bar on with the alt key (it's not necessarily something you would notice). I'm 99% convinced it's your inner window measurements getting altered.

comment:14 Changed 10 months ago by thelamper

Is everyone here aware of this cross-browser fingerprinting method? http://uniquemachine.org/
More info available here:
https://arstechnica.com/information-technology/2017/02/now-sites-can-fingerprint-you-online-even-when-you-use-multiple-browsers/
http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf

If this is already discussed point me to the relevant ticket.

Disabling javascript is the obvious defense to this. WebGL is already disabled by default in the Tor Browser, so all OK there, right? Disabling the microphone is another measure to take. I can't see that WindowsOS has the option to disable speakers aside from turning the volume down to 0 for all apps (or just for the Tor Browser). Is running the Tor Browser in a virtual machine or in Tails a bit overkill to be absolutely sure of preventing cross-browser fingerprinting?

I tested the uniquemachine.org webpage on the Tor Browser on my device and it got stuck on 'fingerprinting GPU' and the display of graphics. Probably due to WebGL being disabled, but I can't be certain.
