Tor Browser issues
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues
2022-11-17T18:25:02Z

Letterboxing is enabled in privileged contexts too
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31064
2022-11-17T18:25:02Z, cypherpunks

It seems harmless, isn't it? Or is it because some JS may be used to capture screen size with PDFs? For view-source: I can't think of any scenario.

Sponsor 131 - Phase 5 - Ongoing Maintenance, ma1

DOMParser errors leak locale
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30802
2020-06-27T14:33:22Z, Alex Catarineu

While writing a test for legacy/trac#30304 I found (yet) another way to get browser locale:
```
const doc = (new DOMParser).parseFromString('getyourlocale', 'application/xhtml+xml');
alert(doc.getElementsByTagName('parsererror')[0].firstChild.textContent);
```
test: https://acatarineu.github.io/fp/locale_domparser_error.html

ftp:// on Windows can be used to leak the system time zone
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30800
2020-06-27T14:33:22Z, Georg Koppen

z3t reported via HackerOne that the system time zone on Windows can get leaked by using ftp://.
```
When using the ftp:// protocol, directory listings contain timestamps converted to the system timezone. These timestamps can be extracted by a script on a same-origin FTP hosted HTML page, allowing detection of a user's system timezone.
```

Properties in dom/locales/$lang/chrome/ allow detecting user locale
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30683
2023-11-20T07:25:28Z, Georg Koppen

z3t reported a bunch of issues on HackerOne regarding detection of user locale with the help of `dom/locales/$lang/chrome/` properties. PoCs done by z3t:
`dom/dom.properties`: https://people.torproject.org/~gk/tests/tor_form_locale_leak.html
`layout/xmlparser.properties`: https://people.torproject.org/~gk/tests/tor_domparser_locale_leak.html
`layout/MediaDocument.properties`: https://people.torproject.org/~gk/tests/tor_image_locale_leak.html

Tor Browser locale is leaked via title of link tag on non-html page
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30657
2020-06-27T14:33:27Z, Georg Koppen

ryotak reported via our HackerOne bug bounty program that the Tor Browser locale is leaked via the title of the link tag on any non-html page.
For a test ryotak came up with see: https://people.torproject.org/~gk/tests/tor_plaintext_locale_leak.html.

Date.now() and friends should not get clamped to 100ms in a WebExtensions context
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30655
2023-11-08T02:12:00Z, Georg Koppen

We clamp `Date.now()` etc. to 100ms as a fingerprinting defense against high-resolution timers. But that should not affect the working of WebExtensions. See: comment:10:ticket:30624 for more context

Letterboxing and Scrollbars Dimensions
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30647
2020-06-27T14:33:27Z, Trac

Letterboxing's reason of existence is to improve the users' privacy by reducing yet another fingerprinting bit. But the solution isn't perfect - there are many operating systems and window managers, and countless themes. And every one of them can have different scrollbar dimensions - which helps to fingerprint the user.
For example, in a page with a vertical scrollbar my window width is being reported as 984px instead of 1000px with Tor Browser's "content window dimensions rounding" (legacy/trac#14429), or 1184px instead of 1200px with FF67's letterboxing.
Would it be possible to maybe move the scrollbars (both vertical and horizontal) out of the "letterbox"?
**Trac**:
**Username**: edgewall

new window dimensions are affected by dpi
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30625
2023-01-13T07:58:25Z, Trac

I read the other tickets, which all relate to enabling the toolbar.
But my Tor Browser also deviates at default, so I decided to post it as well.
I have verified these results with a fresh install of Tor Browser 8.5
The detected resolution is **1004x801**. (with toolbar it's 1004x796)
Any further info you need?
I would like to know, if this is "normal" (given the toolbar/resize bug), and all users have it. Or if not, I wonder what the cause might be (what I can do to fix this). Obviously I am in a bit of a panic, afraid this makes my fingerprint unique among Tor users, and has been potentially doing so for a long time.
**Trac**:
**Username**: Rick

ma1

Tor Browser on Windows is lacking fonts to render some kind of scripts.
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30589
2022-09-23T09:22:29Z, Aadi Bajpai

Works on the Android app.
Hindi and Tamil fonts fail to render as seen on Wikipedia, might be other common languages may not be supported as well but I haven't looked further into it.
![https://i.imgur.com/KhpCUyp.png](https://i.imgur.com/KhpCUyp.png)

Pier Angelo Vendrame

Re-evaluate letterboxing dimension choices
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30556
2023-10-03T15:37:50Z, Tom Ritter (tom@ritter.vg)

At some point, maybe we should reconsider our choice for letterboxing dimensions.
This ticket is primarily to serve as a place to attach my ipython script for safekeeping for years from now.

Sponsor 131 - Phase 5 - Ongoing Maintenance, ma1

Investigate fingerprinting capability of viewport API
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30542
2022-01-31T16:44:51Z, Thorin

I am not sure if this is an issue for TB. I do not have a touch device on which to install TB8. But since Tor Uplift's RFP underlines this protection, it might be prudent for someone to check it out.
My Android has a low screen res, the web content loads at a higher res - when I pinch to zoom and re-run/refresh: the viewport shows entropy. Ignore the css media measurements. Just focus on the five JS results: screen, available screen, outer, inner and viewport
Control
- device should not be hidpi/retina/whatever-you-call-it
- load test page [1]
- all the widths/heights (except viewport: e.g 17px less width) should be the same (i.e `1000 x 1000`)
- zoom in to `133%`
- refresh or rerun button
- all the widths/heights (except viewport e.g 13px less width) should be the same (e.g `750 x 750`)
STR
- device should be hidpi
- load the test page
- all the widths/heights (except viewport) should be the same (e.g `980 x 1522`)
- zoom in (fingers on a touch device)
- scroll to the left and hit `re-run tests`
- scroll back to the right and viewport is still based on the old value
- also, in the pic in [2] css media still shows it's using the old values (`980`) (ignore that it's missing the height values: not sure why it does that: I think it's because it hits a fraction, I see the same thing on desktop)
Is this just a quirk? Or is the viewport not properly spoofed in all situations?
[1] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen
[2] https://github.com/ghacksuserjs/TorZillaPrint/issues/34

webgl readPixels FP entropy
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30541
2020-06-27T14:33:33Z, Thorin

**readPixels** is not covered by RFP (see https://bugzilla.mozilla.org/show_bug.cgi?id=1428034 ) and using my tests [1], on windows I get entropy. Not sure if unique or just OS.
- Windows 7 32bit `2ba61e7e8e370fdbcefb79456e7e944b060f34289af33732aa6eb75af61ff06c`
- Windows 7 64bit `ac9aa378cd16219ecbcb6ec46b57d8a484ac8ad61cbe63c810b40fb2c741e7f3`
- Windows10 64bit `c4ef81818ccaca2c4933f63c45bf5ffaaa7f2233f2761e3c6ba14a9e5cb82c25`
It seems to be consistent on Linux, and Mac i have no idea: here's some data
- Mint Cinnamon 32/64bit `not supported`
- Ubuntu GNOME `5abc446cce2558be83bfe60baeb6dc7ff2a17635057c4612fe835649e7c77329`
- Debian GNOME `5abc446cce2558be83bfe60baeb6dc7ff2a17635057c4612fe835649e7c77329`
- Mac 10.14 `96f2538daa8a0a180f77a13d80ad455a75ae17c5495ce90fa4fd4267cbfd5210`
So besides windows OS entropy, there's at least two buckets for Linux?
gk said
> Interestingly, I get your macOS one on one of my Linux boxes.

font FP reveals different Windows releases
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30532
2022-03-23T04:19:19Z, Thorin

based on Arthur's work [1], I have been looking at the enumerate fonts FP for TB 8 and 8.5a and various platforms.
[1] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#fonts
^^ just click run tests, and the only test I have actually added is the one we're concerned about
- Linux distros all seem to be the same - I will test more
- I do not have a Mac, but I do have one result, should anyone like to contribute, and I don't think Macs would vary
- But I found Windows (so far in three out 3 cases) is revealing the major version and maybe the architecture. I believe this might be fixed by looking at the font whitelist, but Windows 10 is a rather drastic change (at least from Win7).
- I will try and get Win10-32bit, Win8.1 32+64bit results to build a complete picture of Windows font entropy. **If you can provide it instead of me trying to find isos and setting up more VMs, then please do**
So here are some results (8.0.9, 8.5a12)
- Win 7 32bit: `9e5d39b4542cd5e2a19f73b8fa566e679fa561e5` (62 fonts)
- Win 7 64bit: `ad4ccd607603041d3e89aa8e03e2e203fc184653` (61 fonts)
- Win8.1 32bit: please help
- Win8.1 64bit: please help
- Win 10 32bit: please help
- win 10 64bit: `1389aaf4c97027b8157c5fb9ef5ed6f141a6b8a1` (36 fonts)
also, FYI
- mint (32/64bit), ubuntu, debian: `09a4ee037c9082b9b8f0b7ae981c656d517faffa`
- mac 10.14: `4094aedc000205c711385fad32827e60462976dc`
Note that the 1 font difference between Win7 32 and 64 bit is just the count, there are actually three changes. I will post the font lists for the three windows results in the next post

Tor Browser locale can be detected with FTP
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30427
2021-12-16T07:38:16Z, Georg Koppen

xiaoyinl reported on HackerOne that the Tor Browser locale can be detected with FTP:
```
If a visitor navigates to a directory on a FTP server, Tor Browser shows a page displaying the directory tree. However, the source code of this page is generated by Tor Browser, rather than the server, because an FTP server only sends file info and the browser displays it in a nice format. Moreover, the FTP directory page is localized, even if the user has chosen not to reveal his/her UI language, i.e. privacy.spoof_english == 2.
```

Backport Letterboxing
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30372
2020-06-27T14:33:42Z, Tom Ritter (tom@ritter.vg)

Here's the set of patches, in order, for the esr60 backport:
https://hg.mozilla.org/try/rev/744a475c948ee8c987d43a6348deca5e9a4a5a61
https://hg.mozilla.org/try/rev/feeb219584667f53e2c6cd2ddcfcaa89fb6ee243
https://hg.mozilla.org/try/rev/a550c321f24c823efcb2e8033e6c802f9cd6e44b
https://hg.mozilla.org/try/rev/a5d945dd5b7070c810b93eddd0232d646b73fc2d
https://hg.mozilla.org/try/rev/b58bfc0bdc2451715ec895fbd06f40061fa301f9
https://hg.mozilla.org/try/rev/1b23145ed904be055bf0efe1000e03ec50c02cb3
https://hg.mozilla.org/try/rev/0b1eef9eeb06668fc06b3b4d877daaf957c3c1da

Browser locale can be obtained via DTD strings
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30304
2020-10-16T16:22:27Z, Alex Catarineu

See https://bugzilla.mozilla.org/show_bug.cgi?id=467035.
Works in Tor Browser and Firefox 67 (with a different dtd file as in the bugzilla PoC), probably also next ESR.
Did not do a PoC but it would be easy to get a specific string in all locales, and just compare with value obtained via a hidden iframe that loads an xml with the translated string.

Make all TBB users not stand out from each other
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30135
2020-06-27T14:33:48Z, cypherpunks

1. Useragent MUST be same for every platform, no OS differences.
2. Useragent MUST NOT leak version of TB, use same for any version. Let non-updated version also use a newer Useragent string without upgrade. To not stand out from already updated users. For not making attractive for version targeted exploits. By simply not reporting it but mask it.
3. Useragent SHOULD look more common to regular Firefox. Avoid block ability by fingerprint. Make access logs not stand out as TB user.
?. For 1. the Useragent MAY differ only reason is on Mobile platform for Ability of telling website mobile version is preferred delivered... or is there a better way to receive websites mobile version?
May implement Useragent overriding string. Whatever OS or version they actually use. May fetching by startup from http://rqef5a5mebgq46y5.onion/ to make sure all users use the same. Independent of any other case.
All requests coming out of Exit or going to HS should look as could be from same person. Not differentiation by OS of user. For example, Bad guard or watched guard nodes could look in TCP fingerprinting OS in entry connection and match it with Service/exit used in useragent. making to find a needle in a haystack to a more little haystack actually.
Current situation: For what reason hs needs to know os? Not!

Add a "?" besides setting that could help fingerprinting you if changed
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29997
2021-10-13T21:11:54Z, Trac

An interactive GUI "What not to do" guide that explains what should be avoided.
A "(?)" beside a setting should explain what happens if you, for example. Remove all the Search Engines from the list, if that could create a unique fingerprint. Or changing the Default Search Engine.
I recently figured out that the Bookmarks Toolbar was changing my Window Size without me knowing. That I have been using on websites for months. Changing the Bookmarks/History to a popup window would be better maybe? Or simply have the blank page after opening a new tab contain all your bookmarks.
**Trac**:
**Username**: nami

Add button to return to default Tor Browser window size
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29808
2020-06-27T14:33:59Z, stephw

User request from social media:
"please add a button that changes the browser window size to the default Tor browser size so that in case we mistakenly resize it, we can go back to the default size"

math.cos reveals OS
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29566
2020-06-27T14:34:05Z, Thorin

**part1: background / obsolete code?**
I can't find the old ticket, but it's probably relevant- it was about the implementation of higher math functions
see: https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#math
also see: https://fpcentral.tbb.torproject.org/fp
However (unless I made a mistake), I see **no difference** in these returned values in a vanilla ESR60, or FF60 thru to 66 as compared to Tor Browser. So I am not sure if the old patch is still required, or has even been rebased.
asinh(1) `0.8813735870195429`
acosh(1e300) `Infinity`
atanh(0.5) `0.5493061443340548`
expm1(1) `1.7182818284590455`
cbrt(100) `4.641588833612778`
log1p(10) `2.3978952727983707`
sinh(1) `1.1752011936438016`
cosh(10) `11013.232920103324`
tanh(1) `0.7615941559557649`
**part2: math.cos Windows: FF vs TB**
results: see attachment
test: https://thorin-oakenpants.github.io/testing/ (for as long as I leave it there)
I do not know if that ticket/patch causes this, but there is a difference between TB vs FF for no discernible reason (e.g Linux doesn't differ between FF and TB)
Look at the first result. FF: `minus 0.374...` vs TB `plus 0.840...`
**part3: math.cos reveals platform**
finally, to the meat and potatoes. See attachment. I'm using math.cos because it always returns a value between -1 and 1 (i.e no NaN or Infinity). The following tests show that, so far, the last four values can be used to detect windows or Linux, and so far one Android major version (v5.*). I am fully expecting the first four values to betray other Android and macOS/macOS X. My testing is incomplete, but enough to prove os FP'ing