Re: [tor-bugs] #13021 [Tor Browser]: Review Canvas APIs for fingerprintability
#13021: Review Canvas APIs for fingerprintability
---------------------------+-------------------------------------------------
Reporter:  mikeperry       |  Owner:  brade
Type:  task                |  Status:  assigned
Priority:  major           |  Milestone:
Component:  Tor Browser    |  Version:
Resolution:                |  Keywords:  ff31-esr, tbb-fingerprinting, TorBrowserTeam201409
Actual Points:             |  Parent ID:
Points:                    |
---------------------------+-------------------------------------------------
Comment (by gacar):
Replying to [comment:5 mcs]:
> Kathy and I also reviewed the canvas APIs. Here are a few of our
> observations:
>
> * We have not done anything to block use of isPointInPath() and
> isPointInStroke(). Do we need to block these?
>

I could not find any way to exploit those two for fingerprinting, but
it would be better if someone else gave it a shot too.

Some canvas fingerprinting scripts were found to use isPointInPath() with
the "even-odd" winding rule, but I think this was just to check browser
support - it will be the same for all TBs. Unless someone says "the internal
representations of the paths may depend on the graphics stack too!"

One could use these two functions to probe system fonts, if adding text to
the current path or stroke was possible. I tried `strokeText()` and
`fillText()` followed by `isPointInStroke()` and `isPointInPath()` but it
didn't work out.

> * We have not done anything to block use of measureText().
> Theoretically, it could be used to detect differences based on available
> fonts or rendering differences. Do we need to block this?

Wow, that's a good catch! I think this should certainly be blocked.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13021#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
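
The measureText() concern discussed in the comment above, as an added regression check (not part of the ticket and not Tor Browser code): it reports which candidate fonts change the measured text width relative to a generic fallback. The names `observableFonts` and `fakeContext`, the probe string, the font list and all advance values are assumptions made for this example; the `uniform` mode is a hypothetical model of a normalized measureText(), not Tor Browser's actual mitigation.

```javascript
// Added example: checks whether measureText() exposes which fonts are present.
const PROBE = "mmmmmmmmmmlli";   // assumed probe string: wide and narrow glyphs
const GENERICS = ["monospace", "sans-serif", "serif"];

// Width of the probe string when rendered with the given CSS font-family list.
function widthFor(ctx, families) {
  ctx.font = `72px ${families}`;
  return ctx.measureText(PROBE).width;
}

// A candidate is observable if naming it ahead of any generic fallback changes
// the measured width compared with that fallback alone.
function observableFonts(ctx, candidates) {
  return candidates.filter((name) =>
    GENERICS.some((g) => widthFor(ctx, `"${name}", ${g}`) !== widthFor(ctx, g)));
}

// Constructed stand-in for CanvasRenderingContext2D so the check runs offline.
// `installed` maps font name -> per-character advance (made-up numbers).
// `uniform` models a build whose measureText() ignores the requested family.
function fakeContext(installed, uniform) {
  const generic = { monospace: 43, "sans-serif": 38, serif: 36 };
  return {
    font: "10px sans-serif",
    measureText(text) {
      const families = this.font.replace(/^\d+px\s+/, "").split(",")
        .map((f) => f.trim().replace(/"/g, ""));
      const used = families.find((f) => f in installed || f in generic);
      const advance = uniform ? 40 : (installed[used] ?? generic[used]);
      return { width: text.length * advance };
    },
  };
}

const CANDIDATES = ["Arial", "Calibri", "Ubuntu"];   // constructed sample list
const INSTALLED = { Arial: 40, Ubuntu: 39 };         // constructed "system fonts"
console.log("unprotected:", observableFonts(fakeContext(INSTALLED, false), CANDIDATES));
console.log("uniform    :", observableFonts(fakeContext(INSTALLED, true), CANDIDATES));
```

In a browser build under test, pass `document.createElement("canvas").getContext("2d")` instead of `fakeContext(...)`; an empty result for fonts known to be installed means measureText() is not revealing them.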