Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
Date: 2020-06-16T01:12:58Z

**Issue #34157: Backport Patch for Firefox Bug 1511941 - privacy.resistfingerprinting performance API spoofing breaks vimeo.com**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/34157
Date: 2020-06-16T01:12:58Z
Author: Trac

Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1511941
I have attached a backported (to ESR68) version of my patch.
**Trac**:
**Username**: sanketh

**Issue #33465: On Android, system locale is leaked in http headers**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/33465
Date: 2020-06-16T01:11:24Z
Author: boklm

According to a user on the blog, system locale is being leaked in http headers:
https://blog.torproject.org/comment/286880#comment-286880
This should have been fixed by #26018. I think we should check if this fix is still working.

**Issue #33155: Close cross-origin frame count leak**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/33155
Date: 2020-06-16T01:10:59Z
Author: Matthew Finkel

https://bugzilla.mozilla.org/show_bug.cgi?id=1611534
We can start by always returning a length of 0 when the context is cross-origin.
I wonder what breakage we'll see from this.

**Issue #33094: Add an about:config entry to force window size**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/33094
Date: 2020-06-16T01:10:57Z
Author: Trac

Currently letterboxing somewhat protects against window resize, but it's not really enough for tiling window managers for example, which will resize the window back and forth all the time. If there was an option to force the content size to always be 1000x1000 for example, I wouldn't have to worry about accidental or window manager-driven resizing of Tor Browser's window. This would also grant high protection against accidental window resizing or maximization, if someone's threat model requires it.
**Trac**:
**Username**: kromek

**Issue #33079: Disable dom.battery.enabled and dom.event.clipboardevents.enabled in about:config**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/33079
Date: 2020-06-16T01:10:56Z
Author: Trac

In about:config of TorBrowser 9.0.4
```
dom.battery.enabled = true
dom.event.clipboardevents.enabled = true
```
To avoid fingerprinting (and for privacy), why not disable them?
```
dom.battery.enabled = false
dom.event.clipboardevents.enabled = false
```
**Trac**:
**Username**: morar

**Issue #32948: Make referer behavior consistent regardless of private browsing mode status**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32948
Date: 2020-06-16T01:10:39Z
Author: cypherpunks

Tor Browser's default [referrer policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) when in private browsing mode is _strict-origin-when-cross-origin_, but when private browsing mode is turned off its referrer policy is _no-referrer-when-downgrade_. This is governed by the `network.http.referer.defaultPolicy.pbmode` and `network.http.referer.defaultPolicy` preferences, documented [here](https://wiki.mozilla.org/Security/Referrer).
This means that by default Tor Browser strips the path component from the referer header when making cross-origin requests. But if private browsing mode is turned off, it sends the complete URL instead.
__Example__
User navigates to `https://example.org/page.html` and the browser makes a request for an embedded image located at `https://static.cdn.com/image.gif`
PBM = on, Referer = `https://example.org/`
PBM = off, Referer = `https://example.org/page.html`
This is undesirable because it makes it easy to passively detect TB users who have turned PBM off with nothing more than standard web server logs.
And although it is advised against, it is apparent from comments and discussions online that a number of users with relaxed security requirements turn off private browsing mode to take advantage of features such as the browser password manager and URL bar history suggestions.
For this reason, I think it would be good to remove this inconsistency. This can be accomplished by changing the default value of `network.http.referer.defaultPolicy` to 2 so that it matches that of its PBM counterpart (`network.http.referer.defaultPolicy.pbmode`). This would be in the interest of all TB users, not just those who turn off private browsing mode, because it increases uniformity.

**Issue #32931: Prevent Find (Ctrl+F) resizing letterbox on other tabs**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32931
Date: 2020-06-16T01:10:38Z
Author: cypherpunks

Steps to reproduce:
1. At the default window size, open two tabs.
2. In one tab, open a domain/website.
3. In the other tab, physically type a different, unrelated domain/website, and open it. Physically type it so that the two tabs are as identifiably separate as they can be in one session. No referers or variables passed in click-through URLs.
4. Notice that each page's area fills the default window size to its edges as they are supposed to.
5. In the first tab, open the browser's Find box (Ctrl+F) as if you were searching for text on that page. Notice the vertical size of its letterboxed page area shrink as it's supposed to.
6. Click on the second tab to view the different, unrelated domain. Notice its tab does NOT have a Find box at the bottom, but its letterboxed page area shrunk nonetheless.
7. On the first tab, close the Find box. Notice the page area grow to its original size.
8. Click on the second tab that never had a Find box. Notice its page area has also grown to its original size.
Thus, opening Find on one tab passes the indication of its opened state to all tabs.
Expected result:
Opening Find in one tab would not affect the letterboxes of other tabs.

**Issue #32922: New cross-browser fingerprinting method**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32922
Date: 2020-06-16T01:10:37Z
Author: Trac

This isn't really an enhancement, but is everyone here aware of this new cross-browser fingerprinting method? Have there been any tests of the current Tor Browser's resistance to this?
----------------------------
http://uniquemachine.org/
https://arstechnica.com/information-technology/2017/02/now-sites-can-fingerprint-you-online-even-when-you-use-multiple-browsers/
http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf
----------------------------
If already discussed elsewhere, redirect to relevant ticket.
I tested the uniquemachine.org webpage on the Tor Browser on a computer running Windows10 and it got stuck on 'fingerprinting GPU' and the display of graphics - probably due to webGL disabled but I can't be sure.
In terms of defenses to this:
- Disabling javascript is the obvious. webGL is already disabled by default in the Tor Browser, so all ok there?
- Disabling the microphone is another measure. I can't see that Windows10 has the option to disable speakers aside from turning the volume down to 0 for all apps, or just for the Tor Browser.
- Is running the Tor Browser in a virtual machine kind of overkill to be completely sure of preventing this (and other) cross-browser fingerprinting?
**Trac**:
**Username**: thelamper

**Issue #32886: Implement separate treatment of @media interaction features for desktop and android**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32886
Date: 2020-06-16T01:10:34Z
Author: Georg Koppen

@media interaction features got implemented in [Firefox 64](https://bugzilla.mozilla.org/show_bug.cgi?id=1035774). However, the [specified different treatment](https://bugzilla.mozilla.org/show_bug.cgi?id=1035774#c25) for desktop vs. mobile did not. We should fix that.

**Issue #32875: alpha vs stable branding entropy**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32875
Date: 2020-06-16T01:10:32Z
Author: Thorin

Since 8.5a7 (Jan 30th 2019) and 9.0a1+ (Mar 21 2019), TB alpha builds got a different `chrome://branding/content/about-wordmark.svg` - one that says "nightly"
This file can be read and measured: easily distinguishing alpha from stable users
Note: there will always be **easy** entropy between major ESR versions (such as feature detection changes e.g. between ESR60 vs ESR68).
This is about the (much longer?) periods where alpha and stable are on the same ESR base - like right now. While there will possibly be *some* changes between these, FP'ers would have to work hard and keep up to date: and not all would necessarily be FP'able. Whereas this method (measuring a `contentaccessible` resource) means no upkeep and 100% reliable.
Whether or not TB stays on ESR cycles or moves to 4-weekly cycles has an impact.
For TB alpha users (I assume a small percentage and thus the entropy would be very high), it would be nice to lock this off.
I'm not even sure where this is used, if at all: I don't see it displayed anywhere (it's not in about:tor or Help>About Tor Browser). I'm sure there was a reason it was changed, I just don't know that reason. Would limiting this particular branding to system principal content work?
**PoC**
You can see it in action at https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#useragent
The svg is displayed under `[css] branding` and the js determination and measurements are under `[re[/]](/]) browser`
I'll post a pic and leave it up to you guys

**Issue #32861: "Fingerprint.js PRO" successfully fingerprints Tor Browser**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32861
Date: 2020-06-16T01:10:30Z
Author: Trac

Not affiliated with the site. Demo: https://fingerprintjs.com/demo.
When using Tor Browser 68.3.0esr on macOS Catalina, this site is capable of successfully fingerprinting me across multiple visits with a different identity each time.
Steps to reproduce:
1. Visit https://fingerprintjs.com/demo in the Tor Browser.
2. Click the "New Identity" button.
3. Wait a little bit to avoid timing correlation.
4. Revisit the website.
Screenshot of the fingerprinting: https://i.ibb.co/SvWsP4K/image.png.
A potential solution is taking some features from the "Trace" Firefox add-on (not affiliated): https://addons.mozilla.org/en-US/firefox/addon/absolutedouble-trace/. It prevented Fingerprint.js from successfully fingerprinting anything. Every time I created a "New Identity" in the Tor Browser and visited the website, it gave me a new identifier, with no record of my past visits.
When using the Firefox add-on "Canvas Blocker", Fingerprint.js was still capable of identifying me across identities.
Here are the Trace features I have enabled: https://i.ibb.co/BPCbWCk/image.png.
Here are the advanced Trace features I have enabled: https://i.ibb.co/8bmNYxL/image.png.
**Trac**:
**Username**: printerman22

**Issue #32843: Javascript attributes do not match HTTP headers when using TBB 9.0.2 on Linux**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32843
Date: 2020-06-16T01:10:28Z
Author: cypherpunks

TBB 9.0.2 on Linux uses the UA
```
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
```
for HTTP requests, but returns the UA
```
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
```
when requested by JavaScript.
This can be seen when using the fingerprint viewer at amiunique.org

**Issue #32714: Investigate fingerprinting/fpi risks for Feature Policy**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32714
Date: 2020-06-16T01:10:14Z
Author: Georg Koppen

[Feature Policy](https://developer.mozilla.org/sv-SE/docs/Web/HTTP/Feature_Policy) got implemented in [Firefox 64ff.](https://bugzilla.mozilla.org/show_bug.cgi?id=1390801)
Feature Policy allows websites by different means (e.g. via the `Feature-Policy` header) to enable/disable a plethora of features, providing website owners a very fine-grained control over them. We should make sure that our first-party isolation and fingerprinting resistance is not impacted by that.
This feature is only available on nightly by default as of Firefox 73 but that might change soon.
It can be controlled by [two preferences](https://bugzilla.mozilla.org/show_bug.cgi?id=1507230), `dom.security.featurePolicy.header.enabled` and `dom.security.featurePolicy.webidl.enabled`.

**Issue #32701: Keep an eye on fingerprinting risks due to the Reporting API**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32701
Date: 2020-06-16T01:10:13Z
Author: Georg Koppen

[Support for the Reporting API](https://bugzilla.mozilla.org/show_bug.cgi?id=1492036) landed on nightly in the Firefox 65 cycle. There is already at least [one needed fingerprinting fixup](https://bugzilla.mozilla.org/show_bug.cgi?id=1507280) known which we need to take care of when this gets enabled, but there are likely more. A good start for closer investigation is the [Privacy Considerations section](https://w3c.github.io/reporting/#privacy) in the spec itself.
We should keep this feature disabled until the risks are evaluated. This can be done by making sure `dom.reporting.enabled` and `dom.reporting.header.enabled` are `false`

**Issue #32192: Provide input or mitigate W3C Proposal for css-mediaqueries**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32192
Date: 2020-06-16T01:08:39Z
Author: cypherpunks

TBB Team may want to be proactive on an upcoming W3C Proposal for css-mediaqueries as it is already at Level 5 consideration.
Changes include:
* New HTTP Header (Fingerprinting Risk) - https://github.com/w3c/csswg-drafts/issues/4162
* System-wide dark mode setting to automatically toggle based on location-dependent data. https://github.com/w3c/csswg-drafts/issues/4404
> "If implemented naively without taking privacy into account, such a feature combined with prefers-color-scheme could potentially reveal the user's longitude to all websites with a remarkable degree of precision. (Multiple readings over the course of a year might also be able to determine latitude to some extent.)"
Overall this seems like a very bad spec as currently written, and could just as easily be done with current JS rather than forcing time-based tracking into headers and CSS code in all major useragents.

**Issue #32150: nsHttpDigestAuth cnonce exposes rand() values**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32150
Date: 2020-06-16T01:08:34Z
Author: Alex Catarineu

Similar concerns as #22919.
`rand()` is used to calculate the `cnonce` in https://searchfox.org/mozilla-esr68/rev/8a8a004bc8de67bab762f1dfcea7683ba81311ce/netwerk/protocol/http/nsHttpDigestAuth.cpp#300, which is sent to the server.
Even though it's only leaking some bits per `rand()` call, it might still be possible to recover the seed (e.g. with something like https://github.com/Z3Prover/z3, or maybe easier, not sure). Depending on how often `srand` is called this might be equivalent to a session id (per content process?). Well, the usual problems that guessing the seed of a global PRNG has.
I think we should investigate this, or just directly patch as I don't see many drawbacks of having secure random numbers here.

**Issue #32057: Verify that EXT_float_blend WebGL extension is disabled**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32057
Date: 2020-06-16T01:08:23Z
Author: Georg Koppen

Similar to #26600 there are new WebGL extensions that got introduced since Firefox 60 ESR. In Firefox 67 support for `EXT_float_blend` got introduced in https://bugzilla.mozilla.org/show_bug.cgi?id=1535808.
We should verify that it is disabled.

**Issue #32013: Verify that new WebGL extensions in Firefox 68 ESR are disabled**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/32013
Date: 2020-06-16T01:08:11Z
Author: Georg Koppen

Similar to #26600 there are new WebGL extensions that got introduced since Firefox 60 ESR. In Firefox 65 support for [BPTC](https://developer.mozilla.org/en-US/docs/Web/API/EXT_texture_compression_bptc) and [RGTC](https://developer.mozilla.org/en-US/docs/Web/API/EXT_texture_compression_rgtc) got introduced in https://bugzilla.mozilla.org/show_bug.cgi?id=1507263.
We should verify that they are disabled.

**Issue #31997: Investigate possible fingerprinting means via the Streams API**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/31997
Date: 2020-06-16T01:08:10Z
Author: Georg Koppen

The [Streams API](https://developer.mozilla.org/en-US/docs/Web/API/Streams_API) landed in Firefox 65 allowing JavaScript to process raw data bit-by-bit as soon as it is available on the client side.
The fingerprinting concerns that immediately jump out here are triggered by
```
There are more advantages too — you can detect when streams start or end, chain streams together, handle errors and cancel streams as required, and react to the speed of the stream is being read at.
```
We need to check how fine-grained the timers are for starting/ending streams or whether one could get fingerprinted by how fast the client side can process incoming data. There might be more.
The concerns are somewhat mitigated as the big win by combining that API with ServiceWorkers is not available to Firefox 68 ESR.
The bug where this got enabled is: https://bugzilla.mozilla.org/show_bug.cgi?id=1505122.

**Issue #31900: Investigate cache/network racing for fingerprinting concerns**
Link: https://gitlab.torproject.org/legacy/trac/-/issues/31900
Date: 2020-06-16T01:07:51Z
Author: Georg Koppen

A while back (https://bugzilla.mozilla.org/show_bug.cgi?id=1392841) a feature landed that implements racing between cache and network to get a resource loaded faster. I wonder whether that could be used to fingerprint users in a) a Tor Browser default context and b) outside of Tor Browser's permanent private browsing mode.