Bug #15924

Unique fingerprint with the screen size

Added by kseroux 2018-09-07 20:43:39. Updated 2018-12-08 09:16:52.

Status: Rejected
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2018-09-07
Due date:
% Done: 0%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool: Browser
Deliverable for:

Description

According to the EFF fingerprinting test, the reported size is no longer unique. With my VirtualBox setup and a screen of 1920x1080, the reported size is 994x900 (see tails.png attachment).

You can see that the missing 6px are on the left of the browser, in red.

Since Tails uses GNOME, I tried with Ubuntu 18.04 in a VM, but the issue does not appear (see gnome.png attachment). I also tried Awesome WM natively (see awesome wm.png), and no problem. I’m going to test on a Debian GNOME+nonfree.

These elements seem to show that this is a bug related a priori to Tails and not Tor Browser. I’m not totally sure because on Reddit, a guy seems to have a problem, this time with the height and not the width: https://www.reddit.com/r/TOR/comments/9dn9ud/tbb_80_messes_up_screen_size/

One of the pictures in the news about the Tails 3.9 release also shows this extra left margin (which is, by the way, not set in the default CSS of all pages).


Files

awesome wm.png (487842 B) kseroux, 2018-09-07 20:23:32
gnome.png (485390 B) kseroux, 2018-09-07 20:23:48
tails.png (323315 B) kseroux, 2018-09-07 20:23:57
tails-3.9.1.png (202286 B) kseroux, 2018-10-06 12:23:31


History

#1 Updated by kseroux 2018-09-08 13:24:53

I found the bug! These pixels are related to uBlock Origin.

You can fix this by: 1) Opening the Sidebar (e.g., with Ctrl-B); 2) Closing it.
You can make the bug appear again by: 1) Opening the Sidebar (e.g., with Ctrl-B); 2) Selecting uBlock Origin by clicking on the Sidebar title.

Thus, the reddit post I linked above is irrelevant to this issue.

#2 Updated by kseroux 2018-09-08 14:09:23

It’s strange: although the last version is 1.16.20 according to the Mozilla Add-ons website, Tails includes version 1.9.15rc1 of uBlock Origin (“Last Updated August, 2018”). Moreover, Tor Browser seems to be compatible with uBlock only from 1.14.0 (because of WebExtension).

Anyway, I suggest an upgrade of uBlock Origin since the last version does not induce this bug.

Have a nice day! :)

#3 Updated by goupille 2018-10-06 10:32:42

  • Category deleted (Camouflage)
  • Assignee set to kseroux
  • Type of work changed from Security Audit to Research

The package version of uBlock in Tails 3.9.1 is indeed 1.16.14+dfsg-1. I don’t know why it is displayed as 1.9.15.101 in Tor Browser, but I think that the actual add-on version number is not the same as that of the Debian package that includes it…

Could you confirm that the issue is still there in Tails 3.9.1?

#4 Updated by kseroux 2018-10-06 12:23:31

The bug still occurs in Tails 3.9.1. Here is an attached picture as proof.

#5 Updated by mercedes508 2018-10-08 11:38:49

  • Assignee changed from kseroux to goupille

#6 Updated by intrigeri 2018-10-10 10:55:43

  • Target version set to Tails_3.10.1
  • QA Check set to Info Needed

The class of adversaries who can fingerprint based on screen size can also single out Tails users from the bigger pool of Tor Browser users, because we ship uBlock enabled by default. So to me the question here is not whether Tor Browser in Tails has a different fingerprint than Tor Browser outside of Tails. The question is rather: does the observed behaviour weaken the Tails users’ anonymity set in some way? In other words: do all Tor Browsers in Tails use a fixed, shared size, assuming similar enough display resolution?
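
The question raised in comment #6, worked through as an added example that is not part of the original ticket: it groups clients that should look alike and checks whether they all report one content size. All observations are constructed, and the 200x100 px window grid is an assumption about Tor Browser, not something the ticket states.

```javascript
// Added example; all observations below are constructed, not measured.
// Assumption (not stated in the ticket): Tor Browser sizes new windows in
// 200x100 px steps, so a healthy content area sits on that grid.
const STEP_W = 200, STEP_H = 100;

// Distance of a reported "WxH" content size from the nearest grid point.
function gridOffset(inner) {
  const [w, h] = inner.split("x").map(Number);
  return { dw: w - Math.round(w / STEP_W) * STEP_W,
           dh: h - Math.round(h / STEP_H) * STEP_H };
}

// Group clients that should look alike (same platform, same display) and
// count how many distinct content sizes each group actually reports.
function anonymitySets(observations) {
  const groups = new Map();
  for (const o of observations) {
    const key = `${o.platform}|${o.screen}`;
    const sizes = groups.get(key) || new Map();
    sizes.set(o.inner, (sizes.get(o.inner) || 0) + 1);
    groups.set(key, sizes);
  }
  return [...groups].map(([group, sizes]) => ({
    group,
    sizes: Object.fromEntries(sizes),
    shared: sizes.size === 1,                  // everyone reports one size
    smallestSet: Math.min(...sizes.values()),  // worst-case crowd size
  }));
}

// Scenario A: every Tails client at 1920x1080 shows the same 6 px offset.
const allOffset = Array.from({ length: 4 }, () =>
  ({ platform: "tails", screen: "1920x1080", inner: "994x900" }));

// Scenario B: one user opened and closed the sidebar (comment #1), which
// removes the offset for that client only.
const oneToggled = [...allOffset.slice(0, 3),
  { platform: "tails", screen: "1920x1080", inner: "1000x900" }];

console.log(gridOffset("994x900"));
console.log(anonymitySets(allOffset));
console.log(anonymitySets(oneToggled));
```

In scenario A the offset is off-grid but shared, so the Tails group stays whole; in scenario B the same group splits and one client is alone in its set.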

#7 Updated by intrigeri 2018-10-24 17:03:47

  • Target version changed from Tails_3.10.1 to Tails_3.11

#8 Updated by intrigeri 2018-12-07 12:58:07

  • Assignee changed from goupille to okgoogle
  • Target version changed from Tails_3.11 to Tails_3.12

OK, I’ll triage this.

#9 Updated by intrigeri 2018-12-08 07:51:12

  • Assignee changed from okgoogle to intrigeri

#10 Updated by intrigeri 2018-12-08 09:16:52

  • Status changed from New to Rejected
  • Assignee deleted (intrigeri)
  • Target version deleted (Tails_3.12)
  • QA Check deleted (Info Needed)

intrigeri wrote:
> The class of adversaries who can fingerprint based on screen size can also single out Tails users from the bigger pool of Tor Browser users, because we ship uBlock enabled by default. So to me the question here is not whether Tor Browser in Tails has a different fingerprint than Tor Browser outside of Tails. The question is rather: does the observed behaviour weaken the Tails users’ anonymity set in some way? In other words: do all Tor Browsers in Tails use a fixed, shared size, assuming similar enough display resolution?

There’s no indication that there’s a real problem here => rejecting as “not a bug”.

In any case, I think this should be fixed once we upgrade uBlock Origin to 1.17.0+dfsg-1 (soon) and to a Tor Browser based on Firefox 62+, i.e. the next ESR, in Oct 2019. See Bug #16206 for details.