Tor Browser issues
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues
Updated: 2022-11-29T15:36:22Z

Issue #31917: Investigate shipping bundled fonts on Android
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31917
Author: Matthew Finkel
Updated: 2022-11-29T15:36:22Z

In legacy/trac#31881 we found the correct method for shipping bundled fonts in Tor Browser on Android.
1. Do we need to ship bundled fonts?
1. Which fonts should be shipped?
1. How do these impact apk size?
1. How does this impact language support?

Issue #31900: Investigate cache/network racing for fingerprinting concerns
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31900
Author: Georg Koppen
Updated: 2023-01-05T17:34:28Z

A while back (https://bugzilla.mozilla.org/show_bug.cgi?id=1392841) a feature landed that implements racing between cache and network to get a resource loaded faster. I wonder whether that could be used to fingerprint users in a) a Tor Browser default context and b) outside of Tor Browser's permanent private browsing mode.

Issue #31324: Spoof the Tor Browser time displayed to websites if clocks are wrong
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31324
Author: cypherpunks
Updated: 2023-01-05T17:34:17Z

Javascript can be used to get the system time of a user. This allows for fingerprinting via different clock offsets and skews. This also may allow websites to determine the user's location by seeing which country has the same time as the user.
Currently, the Tor Browser spoofs the timezone displayed to websites to UTC but this doesn't spoof the actual system time which can still be gotten with `new Date()`.
The Tor Browser should spoof the time shown to websites so all Tor Browser users have the same time or a random time.

Issue #30970: newwin: Different window borders in XFCE can lead to different, not rounded window sizes
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30970
Author: Georg Koppen
Updated: 2024-03-12T09:04:47Z

The Murrine theme is fine but if you e.g. chose Default XHDPI then you won't get a properly rounded window anymore. Letterboxing does only help here once it kicks in, which is only the case as soon as the window gets resized.
Reported by a cypherpunk.

Issue #30913: Tor Browser for Android uses ugly fonts on websites
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30913
Author: Trac
Updated: 2024-03-06T09:18:26Z

The new TBA is using wrong fonts on sites, and on some of the internal pages like "server not found" or the about:tor page.
Affected versions:
- Tor Browser for Android
- Tor Browser for Android alpha
Both from Google Play, and both report as 60.7.0esr in about:version and 60.7.0 in Google Play.
Affected devices and firmware:
- Sony Xperia X Performance (Stock Sony 41.3.A.2.107, Android 8.0). I also tried TBA right after a full phone reset - everything the same
- Samsung Galaxy A70 (Don't know the exact firmware build, but it's stock Samsung Android 9.0) - things are better, but still affected. For example, the about:tor page shows latin characters in Courier New, and some other sites do too.
Not affected devices and firmware that I tested:
- Sony Xperia SP (Stock Sony Android 4.3) - not affected
- Sony Xperia J (Stock Sony 11.2.A.0.31, Android 4.1) - not affected
Default Firefox 67.0.2 is not affected.
Orfox not affected.
**Trac**:
**Username**: raxp

Issue #30862: 10ms time precision via EXSLT date-time function
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30862
Author: Georg Koppen
Updated: 2023-01-05T17:33:57Z

z3t reported at HackerOne that the EXSLT date-time function is subverting our patches that set the timing granularity to 100ms. We get at least a 10ms precision that way. PoC is on https://people.torproject.org/~gk/tests/tor_xml_time.html. And see dom/xslt/xslt/txEXSLTFunctions.cpp for the `date:date-time` implementation.

Issue #30606: Default search engine changes based on localization on Android
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30606
Author: Matthew Finkel
Updated: 2022-07-14T00:20:05Z

A [blog user](https://blog.torproject.org/comment/281839#comment-281839) mentions the default search engine changes based on the selected locale (or the system locale if it is not en-US).
This is coming from [here](https://gitweb.torproject.org/tor-browser.git/tree/mobile/locales/search/list.json?h=tor-browser-60.7.0esr-8.5-1#n626) (but I'm not sure why it's the default search engine, instead of Google, in this case).

Issue #30543: device orientation leaks
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30543
Author: Thorin
Updated: 2023-05-02T03:02:10Z

RFP spoofs landscape on devices.
However css @media orientation and also matchMedia leak - see upcoming attached pic where RFP=on, the phone is in reality in portrait mode. Orientation = landscape (spoofed), but the others say otherwise.
**mdn** (this is what gets spoofed)
https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation#Example
```js
// Screen Orientation API lookup (the value RFP spoofs)
var orientation = screen.msOrientation || (screen.orientation || screen.mozOrientation);
```
**css** (leaks)
```css
@media (orientation:portrait){#YourID:after{content:"portrait";}}
@media (orientation:landscape){#YourID:after{content:"landscape";}}
```
**matchMedia** (leaks)
```js
// CSS media query evaluated from JS; not covered by the spoof
function getOrientation() {
  if (window.matchMedia("(orientation: portrait)").matches) return "portrait";
  if (window.matchMedia("(orientation: landscape)").matches) return "landscape";
}
```
[1] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen

Issue #30537: WebGL fingerprint is different between Windows versions (and compared to non-Windows OSes)
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30537
Author: Georg Koppen
Updated: 2023-11-06T21:17:34Z

This is a spin-off of legacy/trac#30531 where it got realized that the Windows WebGL fingerprint measured e.g. by Panopticlick is different from the Linux one(s).

Issue #30531: WebGL antialiasing support enabled iff. OpenGL is supported
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30531
Author: intrigeri
Updated: 2023-11-04T01:16:27Z

With Tor Browser 8.5-build2, we see 2 different WebGL fingerprints on panopticlick: 2ef68bcd75e09a41aea04bae556f3ecc on bare metal and in VMs that support OpenGL acceleration, f9a0f737691a9b57f5294121fc58a2df in VMs that don't support OpenGL acceleration.
Quoting segfault (from https://redmine.tails.boum.org/code/issues/16337#note-61) who investigated this further:
"I looked at the JS code used by panopticlick to calculate this hash, and printed the values which go into the hash. The only difference I could find is that antialiasing is enabled iff OpenGL is enabled. (That's exposed via the antialias bool of gl.getContextAttributes(), see https://developer.mozilla.org/en-US/docs/Web/API/WebGLRenderingContext/getContextAttributes)."
Impact: 1 bit of fingerprinting; risk: nowadays I would assume the huge majority of bare metal systems that can run TB have OpenGL, but most VMs haven't (unless geeky configuration is done, which is a minority). So it's roughly equivalent to splitting the anonymity set between VMs and bare metal, I'd say.
GeKo says:
> i guess we could think about making the antialiasing info uniform
> like, just saying "no"

Issue #30392: CSS features allow real-time tracking
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30392
Author: Trac
Updated: 2023-01-05T17:32:45Z

CSS features like :hover, :focus, and [value] queries in combination with background image changes allow for the collection of nearly every action a visitor makes on a web page in real-time without JavaScript. Aside from the obvious creep factor this could be used to fingerprint visitors. The attack can be implemented in third party CSS (CSS-XSS).
Proof of Concept: https://twitter.com/davywtf/status/1124146339259002881
Code for proof: https://gist.github.com/wybiral/c8f46fdf1fc558d631b55de3a0267771
Beyond simply fingerprinting based on browsing behavior an attacker could also determine the referring page based on the mouse position at page load.
Solutions to fix the problem would break some aesthetic functionality (i.e. no more :hover image changes) but at that cost it would be trivial to prevent.
Ideally we could eliminate all types of asset requests (e.g. image changes) in all types of pseudo-class selectors or prefetch all asset requests on page load. But that proposal sounds bigger than Tor Browser.
**Trac**:
**Username**: davywtf

Issue #29745: Exposed chrome:// resources can leak point releases, confirmed can leak app language
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29745
Author: Trac
Updated: 2024-03-03T00:39:25Z

The default permissions defined in the chrome.manifest file allow specific paths to be called from any web page. For example, chrome://browser/content/* or chrome://global/content/*.
**For references see** https://bugzilla.mozilla.org/show_bug.cgi?id=1534581
**Trac**:
**Username**: flngerprlnt
Milestone: Sponsor 131 - Phase 2 - Privacy Browser
Assignee: Pier Angelo Vendrame

Issue #29563: css line-height revisited [at least zoom and linux]
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29563
Author: Thorin
Updated: 2024-03-26T18:25:16Z

The mozilla upstream ticket is https://bugzilla.mozilla.org/show_bug.cgi?id=1397994
Following on from legacy/trac#23104, it seems that when applied on various (preset) zoom levels there are differences between Windows and Linux (I do not have any macOS or macOS X machines to test on).
Tor Browser (and RFP in Firefox) actively ignores site specific zoom levels, and new tabs/windows will open at 100% zoom. But that does not stop someone from using zoom, and indeed the setting stays for the current tab when re-used (even when the domain changes - i.e. it is a per tab setting in this context). Examples are poorly designed websites, small devices, users with poor eyesight - where the user is effectively forced to zoom (in or out).
Looking at some test results: I used https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#useragent - see the `css line-height` field (and feel free to zoom and refresh) - also see the attachment for some spreadsheet results (png), which is not definitive, but enough to draw some conclusions.
Clearly the mitigation in Windows covered all zoom settings, so was this a design decision? In Linux, it seems as if zoom was only factored in for `50`, `100`, `150`, `200`, and `300` (of the preset zoom levels). Is this because of some limitation in Linux?
As a result, so far, at least 8 zoom levels in TBB on Linux are unique and leak the OS as Linux. The 9th zoom level not covered (`30%`) is not unique in Firefox overall, but is unique on Tor Browser (it is trivial to detect if Tor Browser is being used, so this is in effect a unique value as well).
Note: for Tor Browser, you're not concerned with the Firefox values, I'm just showing them so you can see that outside of 100% zoom, without FP'ing protection, some results are not necessarily OS specific: e.g. FF62+ Windows and Linux are identical at `50`, `67`, `80`, `90`, `150`, and `240%`.
Milestone: Sponsor 131 - Phase 5 - Ongoing Maintenance

Issue #28621: Investigate "website fingerprinting through cache occupancy channel"
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28621
Author: Arthur Edelstein
Updated: 2023-01-05T17:31:44Z

See this paper:
https://arxiv.org/abs/1811.07153
> Robust Website Fingerprinting Through the Cache Occupancy Channel
> Anatoly Shusterman, Lachlan Kang, Yarden Haskal, Yosef Meltser, Prateek Mittal, Yossi Oren, Yuval Yarom
> (Submitted on 17 Nov 2018)
>
> Website fingerprinting attacks, which use statistical analysis on network traffic to compromise user privacy, have been shown to be effective even if the traffic is sent over anonymity-preserving networks such as Tor. The classical attack model used to evaluate website fingerprinting attacks assumes an on-path adversary, who can observe all traffic traveling between the user's computer and the Tor network. In this work we investigate these attacks under a different attack model, in which the adversary is capable of running a small amount of unprivileged code on the target user's computer. Under this model, the attacker can mount cache side-channel attacks, which exploit the effects of contention on the CPU's cache, to identify the website being browsed. In an important special case of this attack model, a JavaScript attack is launched when the target user visits a website controlled by the attacker. The effectiveness of this attack scenario has never been systematically analyzed, especially in the open-world model which assumes that the user is visiting a mix of both sensitive and non-sensitive sites. In this work we show that cache website fingerprinting attacks in JavaScript are highly feasible, even when they are run from highly restrictive environments, such as the Tor Browser. Specifically, we use machine learning techniques to classify traces of cache activity. Unlike prior works, which try to identify cache conflicts, our work measures the overall occupancy of the last-level cache. We show that our approach achieves high classification accuracy in both the open-world and the closed-world models.
> We further show that our techniques are resilient both to network-based defenses and to side-channel countermeasures introduced to modern browsers as a response to the Spectre attack.

Issue #28535: Spoof touch capabilities such that all Tor Browser users claim to support touch and the maximum number of touch points
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28535
Author: Georg Koppen
Updated: 2024-01-08T09:09:43Z

**Original**:
>>>
We disabled `dom.w3c_touch_events.enabled` in legacy/trac#10286 as a defense-in-depth against fingerprinting while providing a patch to neuter the risk here as well. The patch got upstreamed in https://bugzilla.mozilla.org/show_bug.cgi?id=1382499 and made it into Firefox 60 ESR.
We should think about whether we should enable the preference again for desktop platforms. We start doing that for Android with legacy/trac#27256.
>>>
**Edit**: We should go with 'Option B' as outlined in @thorin's post here: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28535#note_2848069

Issue #28374: ensure RequestStorageId cannot be accessed remotely
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28374
Author: Mark Smith
Updated: 2023-01-05T17:31:31Z

In https://bugzilla.mozilla.org/show_bug.cgi?id=1420836 (for Firefox 59), Mozilla added a GMP API that appears to return a machine identifier (maybe based on MAC address). Is there any chance this could be accessed by a remote site and used as a unique fingerprint? Or do we disable enough of EME/GMP code that this is not a concern?

Issue #28149: Limit or Restrict GetAndroidSystemInfo
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28149
Author: Tom Ritter <tom@ritter.vg>
Updated: 2022-07-09T21:09:40Z

On Android, the PContent IPC method GetAndroidSystemInfo will return detailed information about the user's hardware. We should probably limit or restrict this.
As far as I can tell, none of the information is uniquely identifying (like a serial number) - but it does contain detailed phone hardware information like Model, Manufacturer, Build Version, SDK versions, etc.

Issue #27501: Local color override broken with 8.0 update
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27501
Author: Trac
Updated: 2023-11-05T04:27:06Z

Firefox has a setting for overriding website color choices with local choices.
These are found under about:preferences -> Fonts & Colors -> Colors... or alternatively under about:config -> browser*color
Forcing local colors appears to work, but it now appears to ignore custom color choices, whether specified in the menu or attempting to use System Colors, and instead locks all websites to a black font on a white background.
Url color choice still works.
Before the recent update, under Tor using Firefox 52, this worked as expected, and the feature also works as expected with vanilla Firefox 62. I have been unable to find mention of this being a recently fixed issue in Firefox.
**Trac**:
**Username**: toruser1999

Issue #27083: TBA: Window size rounding isn't used
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27083
Author: Matthew Finkel
Updated: 2024-03-12T09:04:02Z

On desktop, the window size rounding was uplifted into Firefox with [bug 1330882](https://bugzilla.mozilla.org/show_bug.cgi?id=1330882). This is not effective on Android.

Issue #26629: Prompt users to install missing video codecs
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26629
Author: Arthur Edelstein
Updated: 2024-03-06T09:01:37Z

Missing video codecs are a way to fingerprint users, even if the Media Capabilities object has been sanitized for fingerprinting. Tor Browser could detect when codecs are missing and suggest to the user that they install them.