Opened 8 years ago

Closed 7 years ago

#3642 closed defect (not a bug)

Some fingerprinting techniques + testcases

Reported by: arno
Owned by: mikeperry
Priority: Medium
Milestone:
Component: TorBrowserButton
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Hi,
I discovered (at least, I have not read about those methods anywhere) two new ways to fingerprint a browser a little more.

First, a user can define a user stylesheet where they can set default or overriding (with !important declaration) properties. This stylesheet can be the userContent.css file in the profile directory, but it can also be other pages set by extensions. This is often used for accessibility reasons (for example: set all pages white and black for people with some vision problems).

A few other properties can be set with the preferences dialog: default text color, default anchor color. These properties can also be read by a webpage.

I'm not sure what Torbutton can do to mitigate this. Maybe register a stylesheet to reset all CSS properties to browser defaults.

Another thing a webpage can do is get the zoom value. This does not have much entropy, but it is yet another metric.

See testcase here:

http://renevier.net/misc/fingerprint.html
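
A self-audit for the style properties the description says a page can read, added here as an example and not taken from the ticket, its testcase or Torbutton: it compares the computed style of freshly created probe elements with a baseline and lists every deviation. `ASSUMED_DEFAULTS` and `auditStyleDefaults` are hypothetical names, and the baseline values are assumed stock Firefox defaults.

```javascript
// Added example: list the style defaults of this profile that differ from a
// baseline. Every entry returned is a value a page could also observe.
// ASSUMED_DEFAULTS is a constructed baseline (assumed stock Firefox values);
// adjust it to the browser build being audited.
const ASSUMED_DEFAULTS = {
  a: { color: "rgb(0, 0, 238)" },                  // default anchor color
  p: { color: "rgb(0, 0, 0)", "font-size": "16px" } // default text color and size
};

// doc and view are the page's document and window; they are parameters so the
// audit can also be exercised against a stub outside a browser.
function auditStyleDefaults(doc, view, baseline = ASSUMED_DEFAULTS) {
  const deviations = [];
  for (const [tag, expected] of Object.entries(baseline)) {
    const probe = doc.createElement(tag);
    // Only anchors with an href are styled as links.
    if (tag === "a") probe.setAttribute("href", "#probe");
    doc.body.appendChild(probe);
    try {
      const computed = view.getComputedStyle(probe);
      for (const [prop, want] of Object.entries(expected)) {
        const got = computed.getPropertyValue(prop).trim();
        if (got !== want) {
          deviations.push({ tag, prop, expected: want, observed: got });
        }
      }
    } finally {
      // Always remove the probe so the audit leaves the page unchanged.
      doc.body.removeChild(probe);
    }
  }
  return deviations;
}

// In a browser, print the audit for the current profile.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  console.table(auditStyleDefaults(document, window));
}
```

An empty result means the probed properties match the baseline; each listed row is a setting (user stylesheet or preference) that makes the profile stand out.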


Change History (4)

comment:1 Changed 8 years ago by arno

See also http://www.lalit.org/lab/javascript-css-font-detect/ which is a way to detect available fonts without flash.

comment:2 Changed 8 years ago by arno

Or alternatively, this method works with any font: http://renevier.net/misc/fontdetect.html?font=Georgia

comment:3 Changed 8 years ago by mikeperry

Component: Torbutton → TorBrowserButton
Summary: more browser fingerprint techniques. → Some fingerprinting techniques + testcases

comment:4 Changed 7 years ago by mikeperry

Resolution: not a bug
Status: new → closed

For the original point of the bug, I am not sure we want to go down the rabbit hole of protecting users from themselves (i.e. undoing custom installed stylesheets and hidden pref changes).
