GitLab

With Tor Browser 8.5-build2, we see 2 different WebGL fingerprints on panopticlick: 2ef68bcd75e09a41aea04bae556f3ecc on bare metal and in VMs that support OpenGL acceleration, f9a0f737691a9b57f5294121fc58a2df in VMs that don't support OpenGL acceleration.

Quoting segfault (from https://redmine.tails.boum.org/code/issues/16337#note-61) who investigated this further:

"I looked at the JS code used by panopticlick to calculate this hash, and printed the values which go into the hash. The only difference I could find is that antialiasing is enabled iff OpenGL is enabled. (That's exposed via the antialias bool of gl.getContextAttributes(), see https://developer.mozilla.org/en-US/docs/Web/API/WebGLRenderingContext/getContextAttributes)."

Impact: 1 bit of fingerprinting; risk: nowadays I would assume the huge majority of bare metal systems that can run TB have OpenGL, but most VMs haven't (unless geeky configuration is done, which is a minority). So it's roughly equivalent to splitting the anonymity set between VMs and bare metal, I'd say.

GeKo says:

i guess we could think about making the antialiasing info uniform like, just saying "no"