Re: [tor-bugs] #27268 [Applications/Tor Browser]: preferences cleanup
#27268: preferences cleanup
---------------------------------------------+--------------------------
Reporter: rzb | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff60-esr, TorBrowserTeam201808R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
---------------------------------------------+--------------------------
Comment (by Thorin):
Replying to [comment:6 gk]:
> A user on the blog mentioned a bunch of resistfingerprinting related
prefs ...
I created an account just so I could talk to you guys :). THIS is not an
issue in terms of changing TBB's fingerprint, because TBB can enforce/lock
prefs and set their own default values. It is only for FF users, because
any pref different from default that alters the FF FP is not good. When
RFP becomes front facing in FF, very few users would tinker under the hood
with about:config, so the vast majority would be at defaults
https://github.com/ghacksuserjs/ghacks-user.js/issues/222 - here is a look
at some of the earlier RFP patches and how they can alter the FP (any
subsequent "clashes" are maintained in the user.js itself, under section
4600). e.g.
- media.video_stats.enabled=false disables the API, but RFP returns
dynamically spoofed values
- dom.netinfo.enabled=false returns "unknown", but RFP returns "undefined"
---
I emailed Arthur over 24 hrs ago, but he must have misread me. I wanted to
point you guys to this -> https://github.com/ghacksuserjs/ghacks-user.js/issues/123
Any pref we have enforced or flipped in the user.js over the years (and we
only deal with security/privacy/anti-FP etc prefs), when it is deprecated,
ends up in this sticky. We capture all diffs between FF releases and the
issue linked above provides hyperlinks to each and every bugzilla as
source for the pref's removal/renaming etc. It's also grouped by FF
release, so you can just have at it and check everything from 59 back.
Just wanted to save you some time.
---
I don't want to go OT, but HWA being turned on is an issue. We have a PoC
that uses timing to get history leaks, and HWA=off is the only thing that
makes it fail. Which is why I am waiting to see what YOU guys do with all
the perf/timing prefs (please don't follow my lead, or it will be the
tail wagging the dog). See https://github.com/ghacksuserjs/ghacks-user.js/issues/491
Arthur: Tom Ritter was given the info on the timing attack PoC
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27268#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
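The pref-tracking workflow described in the comment above (capturing the diff between two Firefox releases' default prefs, and checking which enforced user.js prefs are non-default, redundant, or no longer present) as an added example in Python. This is not code from the ticket, from the Tor Browser team, or from the ghacks-user.js project. The `user_pref("name", value);` / `pref("name", value);` line format is the real Firefox one; everything else is constructed for the example: the sample user.js, the `example.constructed.*` pref names, and the default values shown for the real prefs (they are not the real Firefox defaults).

```python
"""Audit a Firefox user.js against release default prefs (constructed example)."""
import re
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# One pref per line: user_pref("name", value); or pref("name", value);
# Anchored at line start, so a commented-out "// user_pref(...)" does not match.
PREF_RE = re.compile(r'^\s*(?:user_|sticky_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def _parse_value(raw: str) -> PrefValue:
    """Convert the literal text of a pref value into bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    raise ValueError(f"unrecognised pref value: {raw!r}")


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {name: value}; a later duplicate overrides an earlier one, as Firefox
    does when reading user.js. /* ... */ block comments are skipped."""
    prefs: Dict[str, PrefValue] = {}
    in_block = False
    for line in text.splitlines():
        if in_block:
            if "*/" not in line:
                continue
            line = line.split("*/", 1)[1]
            in_block = False
        if line.lstrip().startswith("/*"):
            if "*/" in line:
                line = line.split("*/", 1)[1]
            else:
                in_block = True
                continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit_user_js(user_js: str, release_defaults: str) -> Dict[str, object]:
    """Classify each user.js pref against a release's pref() defaults.
    not_in_release: candidates for a removed/renamed pref; confirm against the
        bugzilla that changed it, since all.js-style dumps are not exhaustive.
    non_default:    differs from the default, so observable (fingerprint-relevant
        for a plain Firefox user). redundant: equals the default, a no-op today."""
    user, defaults = parse_prefs(user_js), parse_prefs(release_defaults)
    report: Dict[str, object] = {"not_in_release": [], "non_default": {}, "redundant": []}
    for name, value in sorted(user.items()):
        if name not in defaults:
            report["not_in_release"].append(name)
        elif (type(defaults[name]), defaults[name]) != (type(value), value):
            report["non_default"][name] = (defaults[name], value)  # type-aware: 1 != true
        else:
            report["redundant"].append(name)
    return report


def diff_releases(old_defaults: str, new_defaults: str) -> Tuple[List[str], List[str], Dict[str, tuple]]:
    """Diff two releases' default pref files: (removed, added, changed)."""
    old, new = parse_prefs(old_defaults), parse_prefs(new_defaults)
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    changed = {n: (old[n], new[n]) for n in sorted(set(old) & set(new)) if old[n] != new[n]}
    return removed, added, changed


# Constructed sample inputs: not the real ghacks user.js, not real Firefox defaults.
SAMPLE_USER_JS = '''
/* constructed user.js
   spanning block comment */
user_pref("privacy.resistFingerprinting", true);
user_pref("dom.netinfo.enabled", false);   // disables the API outright
user_pref("media.video_stats.enabled", false);
user_pref("example.constructed.removedPref", 0); // hypothetical pref dropped by the new release
user_pref("example.constructed.sameAsDefault", "x"); // hypothetical no-op
// user_pref("javascript.enabled", false); commented out: must be ignored
user_pref("dom.netinfo.enabled", true);    // later duplicate wins
'''
SAMPLE_DEFAULTS_OLD = '''
pref("privacy.resistFingerprinting", false);
pref("dom.netinfo.enabled", true);
pref("media.video_stats.enabled", true);
pref("example.constructed.removedPref", 0);
pref("example.constructed.sameAsDefault", "x");
'''
SAMPLE_DEFAULTS_NEW = '''
pref("privacy.resistFingerprinting", false);
pref("dom.netinfo.enabled", true);
pref("media.video_stats.enabled", true);
pref("example.constructed.sameAsDefault", "x");
pref("example.constructed.newPref", 5);
'''

if __name__ == "__main__":
    import json
    print(json.dumps(audit_user_js(SAMPLE_USER_JS, SAMPLE_DEFAULTS_NEW), indent=2))
    print(diff_releases(SAMPLE_DEFAULTS_OLD, SAMPLE_DEFAULTS_NEW))
```

Run it against a real user.js and the `pref()` lines extracted from a release's omni.ja (greprefs/all.js and friends); a pref reported as `not_in_release` is only a lead, since some prefs never appear in the default files, which is why the thread links each removal to its bugzilla.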