Re: [tor-bugs] #26146 [Applications/Tor Browser]: Setting `general.useragent.override` does not spoof the platform part anymore in ESR 60 which is confusing
#26146: Setting `general.useragent.override` does not spoof the platform part
anymore in ESR 60 which is confusing
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |  Owner:  tbb-team
 Type:  defect                                   |  Status:  new
 Priority:  Medium                               |  Milestone:
 Component:  Applications/Tor Browser            |  Version:
 Severity:  Normal                               |  Resolution:
 Keywords:  ff60-esr, tbb-fingerprinting-os,     |  Actual Points:
  tbb-8.0-issues                                 |
 Parent ID:                                      |  Points:
 Reviewer:                                       |  Sponsor:
-------------------------------------------------+-------------------------
Comment (by tom):
Replying to [comment:37 fufufu]:
> As a Tor Browser user highly concerned with this change, I have two
> questions based on the dialogue I'm seeing on the comments section of the
> Tor blog about this subject:
>
> 1. The biggest reason this change seems to be promoted by some
> (particularly gk) as "not a big deal anyway", even in the context of
> disabled Javascript where potential OS detection methods are minimized, is
> because your OS can apparently be detected anyway by what fonts you have
> (as Tor Browser ships with different fonts depending on the version it
> seems). My question is how the server communicates this information back
> to itself after detection without using Javascript. I can find no website,
> browser uniqueness analyzer, fingerprint analyzer, anonymity analyzer,
> Panopticlick-style test, etc. that can actually detect anything about my
> fonts with Javascript disabled in Tor Browser. I can only find a small
> reference in Whonix documentation to detecting fonts via "CSS
> introspection". Can gk or somebody else provide more information about how
> this works?

Anything that triggers a conditional load based on the size of other
objects could be used to communicate it back. But it's more work and not
as fun to program so I'm not surprised it's not common in POCs.

A CSS trick to do this would be something like
https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html
but I bet you can do the same in canvas and in SVG.

Besides fonts, other JS-free ways to detect platform could be media
support/streaming. But yeah, without using JS it definitely gets tougher.
(There are a lot more network-level tricks that Tor is immune to but
affect Firefox.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26146#comment:40>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
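
One way to audit a stylesheet for the JS-free conditional loads the comment above describes, as an added example that is not part of the ticket or of Tor Browser's code. The function name `conditional_loads`, the sample CSS and the `tracker.example` host are constructed for illustration, and the scanner assumes no braces appear inside CSS strings.

```python
import re

# Matches url(...) with or without quotes and captures the target.
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)

def conditional_loads(css):
    """Return (media condition, url) for every url() nested inside an @media block.

    Each hit is a resource the browser fetches only when the condition holds,
    so the request itself tells the server the condition was true, with no
    JavaScript involved.
    """
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # strip comments
    findings = []
    stack = []       # one entry per open '{': a media condition, or None
    chunk_start = 0  # start of the text since the last brace
    for i, ch in enumerate(css):
        if ch == "{":
            # The prelude is what follows the last ';' (skips @charset/@import).
            prelude = css[chunk_start:i].rsplit(";", 1)[-1].strip()
            m = re.match(r"@media\s+(.*)", prelude, re.I | re.S)
            stack.append(" ".join(m.group(1).split()) if m else None)
            chunk_start = i + 1
        elif ch == "}":
            body = css[chunk_start:i]
            conditions = [c for c in stack if c]
            if conditions:
                for url in URL_RE.findall(body):
                    findings.append((" and ".join(conditions), url))
            if stack:
                stack.pop()
            chunk_start = i + 1
    return findings

# Constructed sample: one unconditional load and two width-gated loads.
SAMPLE_CSS = """
@charset "utf-8";
body { background: url(/static/bg.png); }
@media (min-width: 1000px) and (max-width: 1099px) {
  .probe { background-image: url("https://tracker.example/w?bucket=1000"); }
}
@media (min-width: 1100px) { .probe { background: url(/w/1100.gif) } }
"""

if __name__ == "__main__":
    for condition, url in conditional_loads(SAMPLE_CSS):
        print(f"{condition} -> {url}")
```

The unconditional `body` background is not reported; only loads gated by a media condition are, since those are the ones whose request reveals something about the client.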