Re: [tor-bugs] #4810 [TorBrowserButton]: Weird screen sizes reported by Panopticlick
#4810: Weird screen sizes reported by Panopticlick
------------------------------+---------------------------------------------
Reporter: erikd | Owner: mikeperry
Type: defect | Status: needs_revision
Priority: normal | Milestone:
Component: TorBrowserButton | Version: Torbutton: 1.4.4.1
Keywords: | Parent:
Points: | Actualpoints:
------------------------------+---------------------------------------------
Changes (by mikeperry):
* status: assigned => needs_revision
* cc: pde (added)
Comment:
Ok, so first off, this is not as big an issue as it seems:
https://blog.torproject.org/blog/effs-panopticlick-and-torbutton
However, enough people seem to be going to Panopticlick and becoming
concerned that we should try to do something to combat the FUD.
Right now, what torbutton does is to pick an initial window size in
200x100 increments based on your desktop resolution. This should only
result in a handful of combinations for most monitor sizes. It then reports
this browser resolution as your desktop resolution. The problem with this
wrt Panopticlick is that the resulting values are not popular desktop
resolutions.
The problem for us is that providing different values that are in any way
related to your real desktop resolution will actually leak more
information than what we do currently.
However, there may be a solution where we either alter the set of initial
window sizes to be actual common-ish desktop resolutions that happen to be
smaller than your current desktop, or we just assign a fixed mapping from
each of these window sizes to a fake desktop size that is larger (but
ideally within a sane bound of the current desktop).
This fixed-mapping approach should result in the same total joint entropy,
because there are exactly the same number of possible values, but the
desktop sizes happen to look nicer to Panopticlick because they are more
common. I think it is worth doing this to reduce the FUD about Torbutton
and TBB.
The code that sets the initial window size is in
torbutton_set_window_size():
https://gitweb.torproject.org/torbutton.git/blob/master:/src/chrome/content/torbutton.js#l4063
Note that this code is at a different privilege level than the code in
jshooks4.js. You can only get values into jshooks4.js by smuggling them in
the torbutton_hookdoc() function:
https://gitweb.torproject.org/torbutton.git/blob/master:/src/chrome/content/torbutton.js#l4459
Does this make sense?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4810#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
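The fixed-mapping argument in the comment above, as an added example that is not part of the original message and is not Torbutton code. It assumes a round-down bucketing rule, a hypothetical mapping table and a constructed population, and checks that a one-to-one mapping leaves the entropy of the reported value unchanged.

```javascript
// Assumed rule: the largest 200x100-aligned size that fits inside the desktop.
function bucketFor(w, h) {
  return `${Math.floor(w / 200) * 200}x${Math.floor(h / 100) * 100}`;
}

// Hypothetical fixed mapping: window bucket -> common-looking, larger desktop size.
const FAKE_DESKTOP = {
  "1000x700": "1024x768", "1200x700": "1280x720", "1200x800": "1280x800",
  "1200x1000": "1280x1024", "1400x900": "1440x900", "1600x1000": "1680x1050",
  "1800x1000": "1920x1080",
};

// Constructed population: [desktop width, desktop height, number of users].
const POPULATION = [
  [1024, 768, 10], [1280, 720, 5], [1366, 768, 30], [1280, 800, 10],
  [1280, 1024, 10], [1440, 900, 10], [1680, 1050, 10], [1920, 1080, 15],
];

// Shannon entropy in bits over [label, count] pairs.
function entropyBits(pairs) {
  const counts = new Map();
  let total = 0, h = 0;
  for (const [label, n] of pairs) { counts.set(label, (counts.get(label) || 0) + n); total += n; }
  for (const c of counts.values()) h -= (c / total) * Math.log2(c / total);
  return h;
}

// Entropy is unchanged only if the mapping is one-to-one; a fake must not be smaller.
function mappingProblems(mapping) {
  const seen = new Set(), problems = [];
  for (const [bucket, fake] of Object.entries(mapping)) {
    const [bw, bh, fw, fh] = `${bucket}x${fake}`.split("x").map(Number);
    if (fw < bw || fh < bh) problems.push(`${fake} is smaller than ${bucket}`);
    if (seen.has(fake)) problems.push(`${fake} is used for more than one bucket`);
    seen.add(fake);
  }
  return problems;
}

// Entropy (bits) of the real desktop, the reported bucket, and the mapped fake desktop.
function compare(population, mapping) {
  const by = (f) => entropyBits(population.map(([w, h, n]) => [f(w, h), n]));
  return {
    real: by((w, h) => `${w}x${h}`),
    bucket: by(bucketFor),
    fake: by((w, h) => mapping[bucketFor(w, h)]),
  };
}
console.log(mappingProblems(FAKE_DESKTOP), compare(POPULATION, FAKE_DESKTOP));
```

A table in which two buckets share one fake size is flagged by `mappingProblems`; it lowers the entropy rather than preserving it.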