Security/Fingerprinting

From MozillaWiki

Cross-Origin Fingerprinting Unlinkability

The anti-fingerprinting project is part of the Tor Uplift project.
Its goal is to build up in Firefox the same level of fingerprinting resistance as the Tor Browser.
Refer to the design and implementation document of the Tor Browser:
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

Technical Details

This page contains technical details about what we do in Resist Fingerprinting (RFP) mode. It is up to date as of March 7, 2018.


Terse List

  • Complicated (see below)
    • Canvas image extraction is blocked
    • Absolute Screen Coordinates are obscured
    • Window Dimensions are rounded to a multiple of 200x100, and a warning is shown when maximizing
    • We only allow specific system fonts to be used, and we ship them to the user using kinto
  • Non-Trivial (see below)
    • The performance API is mostly disabled
    • Time Precision is reduced to 100ms, with up to 100ms of jitter
    • mozAddonManager may be blocked bug 1384330
    • Media Devices are spoofed bug 1372073
    • WebGL is limited bug 1217290
    • The Keyboard Layout is spoofed
    • The Locale is spoofed to en-US
    • The Date Input Field and Date Picker Panel are spoofed to en-US bug 1492587
    • If you customize the preferred language list (Accept-Language), you will be warned bug 1039069
    • System Media Queries will never match bug 1479240
    • The Pointer Event is spoofed bug 1363508 and also pointerEvent.pointerid bug 1492766
  • Trivial
    • The browser version is reported to be the most recent ESR version (but the OS is not spoofed)
    • Timezone is spoofed to 'UTC'
    • The gamepad API is disabled
    • All device sensors are disabled
    • The WebSpeech API is disabled
    • WEBGL_debug_renderer_info extension is disabled bug 1337157
    • navigator.hardwareConcurrency is spoofed to 2
    • Site-specific zoom is disabled bug 1369357
    • MediaError.message is restricted to a whitelist bug 1354633
    • The Network Information API reports an 'Unknown' connection type, and the ontypechange event is suppressed bug 1372072
    • The Media Statistics API will report calculated numbers not reflecting reality bug 1369309
    • Web Extensions are able to toggle privacy.resistFingerprinting
    • Geolocation is disabled bug 1372069 - but this will be reverted bug 1441295
    • screen.orientation.type is spoofed as 'landscape-primary' and screen.orientation.angle is spoofed to '0' bug 1281949 but also bug 1433815
    • navigator.plugins and navigator.mimeTypes are reported as empty bug 1281963 and bug 1324044
    • prefers-reduced-motion always returns false bug 1478158
    • AudioContext OutputLatency is spoofed bug 1564422
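
As an added example (not Mozilla's code), the checker below compares values observed in a page against the spoofed values in the list above and reports every deviation. The snapshot field names, the function names, the use of `innerWidth`/`innerHeight` for the window dimensions and the `matchMedia` query are assumptions made for this example.

```javascript
// Expected values, taken from the list on this page.
const EXPECTED = {
  hardwareConcurrency: 2,
  timezone: 'UTC',
  orientationType: 'landscape-primary',
  orientationAngle: 0,
  pluginCount: 0,
  mimeTypeCount: 0,
  prefersReducedMotion: false,
};

// Gathers the values inside a page (browser-only; not called in this file).
function collectSnapshot(win) {
  const nav = win.navigator;
  return {
    hardwareConcurrency: nav.hardwareConcurrency,
    timezone: new Intl.DateTimeFormat().resolvedOptions().timeZone,
    orientationType: win.screen.orientation.type,
    orientationAngle: win.screen.orientation.angle,
    pluginCount: nav.plugins.length,
    mimeTypeCount: nav.mimeTypes.length,
    prefersReducedMotion: win.matchMedia('(prefers-reduced-motion: reduce)').matches,
    innerWidth: win.innerWidth,
    innerHeight: win.innerHeight,
  };
}

// Returns a list of deviations; empty means the snapshot matches this page.
function checkRfpSnapshot(snap) {
  const issues = [];
  for (const [key, want] of Object.entries(EXPECTED)) {
    if (snap[key] !== want) {
      issues.push(`${key}: expected ${JSON.stringify(want)}, got ${JSON.stringify(snap[key])}`);
    }
  }
  // Window dimensions are rounded to a multiple of 200x100; a maximized
  // window is the case the page says triggers a warning.
  if (snap.innerWidth % 200 !== 0 || snap.innerHeight % 100 !== 0) {
    issues.push(`window ${snap.innerWidth}x${snap.innerHeight} is not a multiple of 200x100`);
  }
  return issues;
}

// Constructed sample snapshots (not captured from a real browser).
const SAMPLE_RFP = { ...EXPECTED, innerWidth: 1000, innerHeight: 900 };
const SAMPLE_PLAIN = { ...SAMPLE_RFP, hardwareConcurrency: 8,
  timezone: 'Europe/Berlin', innerWidth: 1536, innerHeight: 722 };

console.log(checkRfpSnapshot(SAMPLE_RFP), checkRfpSnapshot(SAMPLE_PLAIN));
```

In a browser, pass `collectSnapshot(window)` to `checkRfpSnapshot` from the developer console; an empty array means every checked value matches the list.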

Details

Canvas Fingerprinting Detection

Absolute Screen Coordinates

bug 1382499

Window Dimensions

bug 1330882

Fonts

TODO

Performance API

Most performance APIs are disabled, but not all of them. TODO more details.

Time Precision Reduction

TODO more details

mozAddonManager

window.navigator.mozAddonManager is only exposed to addons.mozilla.org (AMO). In Resist Fingerprinting mode, we keep it exposed; however, if the additional preference 'privacy.resistFingerprinting.block_mozAddonManager' is true, then it is not exposed to AMO.

Media Devices

When RFP is enabled, enumerateDevices reports that the user has one camera (named 'Internal Camera') and one microphone (named 'Internal Microphone'). The devicechange event is also suppressed.

WebGL

TODO

Keyboard Layout

bug 1222285, bug 1438795, bug 1409974, bug 1433592

Locale

bug 867501, bug 1330892, bug 1369330, bug 1409973

Accept-Languages

Project Schedule

  • Complete the implementation of MVP in Firefox 57 (2017-09-20)
    • This is being tracked by three milestones M1, M2, and M3
  • Feature stabilization and refinement in Firefox 58 (2017-11-13)
    • Perform integration test to identify regressions and Web compatibility issues
    • Perform tests to verify the effectiveness of fingerprinting protection
    • Fix regressions and any other issues
    • Figure out the product strategy of Firefox to roll out this functionality
  • Ship the feature in Firefox 59 (2018-01-15)
    • Tor Browser will be using Firefox ESR 59

Bug Tracking

All fingerprinting bugs are being tracked under the meta bug:
bug 1329996 - [META] Support anti-fingerprinting protection

Priority Definition

  • P1: MVP (Minimum Viable Product)
  • P2: Nice to Have
  • P3: Backlog
  • Any bug which is marked as [fp:m1-3] in the Whiteboard is also MVP, regardless of its Priority

Whiteboard Definition

  • [fingerprinting]: Indicate this is a fingerprinting bug
  • [fp:m1]: Target milestone is M1 (2017-06-12 Firefox 55)
  • [fp:m2]: Target milestone is M2 (2017-08-02 Firefox 56)
  • [fp:m3]: Target milestone is M3 (2017-09-20 Firefox 57)
  • [fp-backlog]: Backlog bugs

Dashboard

MVP: M1 Bugs List (2017-06-12 Firefox 55)

Full Query
| ID | Summary | Status | Product | Component | Assigned to | Depends on | Whiteboard |
|---|---|---|---|---|---|---|---|
| 1360039 | Spoof navigator.hardwareConcurrency = 2 when privacy.resistFingerprinting = true | RESOLVED | Core | DOM: Core & HTML | Chris Peterson [:cpeterson] | 1217238 | [tor 21675][fingerprinting][fp:m1] |
| 1345322 | Create the preference privacy.resistFingerprinting in firefox.js | RESOLVED | Firefox | Preferences | Ethan Tseng [:ethan] | | [fingerprinting][tor][fp:m1] |
| 1217238 | Reduce precision of time exposed by Javascript (Tor 1517) | RESOLVED | Core | JavaScript: Standard Library | Jonathan Hao (inactive) [:jhao] | 1437266, 1442863, 1430975 | [fingerprinting][tor][fp:m1] |
| 1367313 | Add a test case to inform people when someone tries to remove prefs that have fingerprinting concerns | RESOLVED | Core | DOM: Security | Tim Huang[:timhuang] | | [fingerprinting][tor][fp:m1] [domsecurity-active] |
| 1330890 | Use UTC timezone when privacy.resistFingerprinting = true [tor 16622] | RESOLVED | Core | General | Tom Ritter [:tjr] (needinfo for responses to sec-[approval/ratings/advisories/cve's]) | 1377744, 1382840, 1385597, 1409973 | [fingerprinting][tor 16622][fp:m1][fp-triaged] |

5 Total; 0 Open (0%); 5 Resolved (100%); 0 Verified (0%);


MVP: M2 Bugs List (2017-08-07 Firefox 56)

Full Query
| ID | Summary | Status | Product | Component | Assigned to | Depends on | Whiteboard |
|---|---|---|---|---|---|---|---|
| 1330876 | use properly contrasting colors if the desktop theme specifies white on black for text colors [tor 6786] | RESOLVED | Core | GFX: Color Management | Chung-Sheng Fu [:cfu] | | [fingerprinting] gfx-noted [tor][fp:m2] |
| 1337161 | Disable navigator.getGamepads() when privacy.resistFingerprinting = true | RESOLVED | Core | DOM: Device Interfaces | Chung-Sheng Fu [:cfu] | | [tor][fingerprinting][fp:m2] |
| 1369357 | Making Firefox not to use site specific zoom level when 'privacy.resistFingerprinting' is true | VERIFIED | Firefox | General | Chung-Sheng Fu [:cfu] | 1377820 | [fingerprinting][tor][fp:m2] |
| 1369327 | Making reader view users uniform when 'privacy.resistFingerprinting' is true | RESOLVED | Toolkit | Reader Mode | Jonathan Hao (inactive) [:jhao] | | [fingerprinting][tor][fp:m2] |
| 1369330 | Make javascript use English locale when 'privacy.resistFingerprinting' is true | RESOLVED | Core | JavaScript Engine | | | [fingerprinting][tor][fp:m2] |
| 1333641 | Disable WebSpeech API when privacy.resistFingerprinting is enabled | RESOLVED | Core | Web Speech | Tim Huang[:timhuang] | | [tor][fingerprinting][fp:m2] |
| 1333651 | Spoofing Navigator API when resisting fingerprinting is enabled | RESOLVED | Core | DOM: Security | Tim Huang[:timhuang] | 1337161, 1369303 | [tor][fingerprinting][domsecurity-backlog1][fp:m2] |
| 1369303 | Spoof/Disable performance API when 'privacy.resistFingerprinting' is true | VERIFIED | Core | DOM: Core & HTML | Tim Huang[:timhuang] | | [fingerprinting][tor][fp:m2] |
| 1369309 | Neutralize the threat of fingerprinting of media statistics when 'privacy.resistFingerprinting' is true | VERIFIED | Core | Security | Tim Huang[:timhuang] | | [fingerprinting][tor][fp:m2] |
| 1369319 | Disable device sensors when 'privacy.resistFingerprinting' is true | RESOLVED | Core | DOM: Device Interfaces | Tim Huang[:timhuang] | 1390391 | [fingerprinting][tor][fp:m2] |
| 1369328 | Open popup windows in new tabs when 'privacy.resistFingerprinting' = true | RESOLVED | Core | DOM: Security | Tim Huang[:timhuang] | | [fingerprinting][tor][fp:m2][domsecurity-active] |
| 1372069 | Neutralize the threat of fingerprinting of geolocation API when 'privacy.resistFingerprinting' is true | RESOLVED | Core | DOM: Geolocation | Tim Huang[:timhuang] | | [fingerprinting][tor][fp:m2] |
| 1372072 | Neutralize the threat of fingerprinting of network information API when 'privacy.resistFingerprinting' is true | RESOLVED | Core | DOM: Core & HTML | Tim Huang[:timhuang] | | [fingerprinting][tor][fp:m2] |

13 Total; 0 Open (0%); 10 Resolved (76.92%); 3 Verified (23.08%);


MVP: M3 Bugs List (2017-09-25 Firefox 57)

Full Query
| ID | Summary | Status | Product | Component | Assigned to | Depends on | Whiteboard |
|---|---|---|---|---|---|---|---|
| 863246 | resource:// URIs leak information (Tor 8725) | VERIFIED | Core | Security | Chung-Sheng Fu [:cfu] | 1395286, 1395486, 1433715 | [tor][fingerprinting][fp:m3] |
| 967895 | Prompt (w/ Site Permission) before allowing content to extract canvas data (Tor 6253) | RESOLVED | Core | Canvas: 2D | Chung-Sheng Fu [:cfu] | 1260931, 1382111, 1412961, 1415874, 1431909, 1452391, 1453916 | [tor][fingerprinting][fp:m3][ux] |
| 1039069 | Warn the user that customizing the preferred language list (Accept-Language) can be used for fingerprinting | RESOLVED | Firefox | Preferences | Chung-Sheng Fu [:cfu] | 1515001 | [tor][fingerprinting][fp:m3][ux] |
| 1217290 | Add fingerprinting resistance for WebGL (Tor 16005) | RESOLVED | Core | Canvas: WebGL | Chung-Sheng Fu [:cfu] | | [tor][tor-standalone][fingerprinting][fp:m3] |
| 1354633 | blank MediaError.message when resisting fingerprinting | RESOLVED | Core | Audio/Video: Playback | Chung-Sheng Fu [:cfu] | | [tor 21792][fingerprinting][fp:m3] |
| 1372073 | Neutralize the threat of fingerprinting of media devices API when 'privacy.resistFingerprinting' is true | RESOLVED | Core | WebRTC: Audio/Video | Chung-Sheng Fu [:cfu] | | [fingerprinting][tor][fp:m3] |
| 1382499 | Touch API leaks absolute screen coordinates | RESOLVED | Core | DOM: Events | Chung-Sheng Fu [:cfu] | | [tor 10286][fingerprinting][fp:m3] |
| 1382533 | When resisting fingerprinting, don't expose local IP Addresses via mDNS | RESOLVED | Core | DOM: Core & HTML | Chung-Sheng Fu [:cfu] | | [tor 22165][fingerprinting][fp:m3] |
| 1383495 | Spoofing Navigator API platform as Win64 when resisting fingerprinting is enabled | RESOLVED | Core | DOM: Security | Ethan Tseng [:ethan] | 1472618 | [tor][fingerprinting][fp:m3][domsecurity-active] |
| 1382111 | UX improvement for permission prompt to allow extracting HTML5 Canvas data | VERIFIED | Toolkit | Notifications and Alerts | Jacqueline Savory [:jsavory] | | UX [tor][fingerprinting][fp:m3][ux] |
| 1330892 | <isindex> leaks user locale | RESOLVED | Core | DOM: HTML Parser | | 1266495 | [fingerprinting][tor][fp:m3] |
| 1222285 | Keyboard layout is leaked by KeyboardEvent | RESOLVED | Core | DOM: UI Events & Focus Handling | Tim Huang[:timhuang] | 1439784, 1470828, 1433592, 1438795 | [tor 15646][tor 17009][tor-standalone][fingerprinting][fp:m3][fp-triaged] |
| 1382545 | Animation API exposes high-res time stamp | RESOLVED | Core | DOM: Animation | Tim Huang[:timhuang] | 1217238 | [tor 16337][fingerprinting][fp:m3] |
| 1384330 | Don't expose window.navigator.mozAddonManager data when privacy.resistFingerprinting=true | VERIFIED | Toolkit | Add-ons Manager | Tim Huang[:timhuang] | | [tor 21684][fingerprinting][fp:m3] |

14 Total; 0 Open (0%); 11 Resolved (78.57%); 3 Verified (21.43%);


MVP: Bugs To Be Triaged

The following bugs are MVP bugs that have not been assigned a priority yet.

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);


Fingerprinting P2 Bugs List

<disabled-bugzilla>

   {
       "blocks":"1329996",
       "status":["NEW", "ASSIGNED", "REOPENED", "RESOLVED", "VERIFIED"], 
       "priority":["P2"], 
       "include_fields": "id, summary, status, product, component, assigned_to, depends_on, whiteboard",
       "order": "status, assigned_to"
   }

</disabled-bugzilla>

Fingerprinting P3-P5 Bugs List

<disabled-bugzilla>

   {
       "blocks":"1329996",
       "status":["NEW", "ASSIGNED", "REOPENED", "RESOLVED", "VERIFIED"], 
       "priority":["P3", "P4", "P5", "--"], 
       "include_fields": "id, summary, status, priority, product, component, assigned_to, depends_on, whiteboard",
       "order": "status, assigned_to"
   }

</disabled-bugzilla>

Fingerprinting Breakage

Full Query
| ID | Summary | Status | Product | Component | Assigned to | Depends on | Whiteboard |
|---|---|---|---|---|---|---|---|
| 1433592 | Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites that use those keys with resistFingerprinting enabled | VERIFIED | Core | DOM: UI Events & Focus Handling | Arthur Edelstein [:arthur] | | [fingerprinting-breakage][tor 17009] |
| 1409677 | WebGL fails to initialize when resistFingerprint is enabled | RESOLVED | Core | Canvas: WebGL | Daosheng Mu[:daoshengmu] | | [tor][fingerprinting-breakage][fp:backlog][gfx-noted] |
| 1408702 | Resist fingerprinting causes scrollbar glitch in Firefox 58 | RESOLVED | Core | Layout | Emilio Cobos Álvarez (:emilio) | | [tor][fingerprinting-breakage] |
| 1453916 | Fix canvas APIs in extension content scripts when resistFingerprinting is enabled | VERIFIED | Core | Canvas: 2D | Tom Schuster [:evilpie] | 1412961 | [fingerprinting][fingerprinting-breakage][gfx-noted] |
| 1364261 | Make UTC Timezone Spoofing optional when privacy.resistfingerprinting = true | REOPENED | Core | General | | 1401440 | [tor][fingerprinting-breakage][fp-backlog][fp-triaged] |
| 1396322 | privacy.resist.fingerprinting breaks Tampermonkey | RESOLVED | WebExtensions | General | | | [fingerprinting-breakage] |
| 1405810 | Setting privacy.resistFingerprinting=true breaks cmd keyboard shortcuts for Google Docs on OSX | RESOLVED | Core | DOM: Security | | 1404608 | [domsecurity-backlog1][tor][fingerprinting-breakage][fp-triaged] |
| 1409809 | Constantly remind people about privacy.resistFingerprinting | RESOLVED | Firefox | Security | | | [fingerprinting-breakage] |
| 1436309 | resistFingerprinting prevents browser shortcuts to work in some pages | RESOLVED | Core | DOM: UI Events & Focus Handling | | | [fingerprinting-breakage] |
| 1438474 | resistFingerprinting breaks taking screenshots | RESOLVED | Core | Security | | | [fingerprinting-breakage] |
| 1452391 | PNG favicons show up as white square when privacy.resistFingerprinting is enabled | RESOLVED | Core | Canvas: 2D | | | [fingerprinting-breakage] |
| 1466326 | privacy.resistFingerprinting set to true breaks Proxy Switcher and Manager | RESOLVED | Core | Canvas: 2D | | | [fingerprinting-breakage] |
| 1412961 | Fix canvas APIs in extension documents when resistFingerprinting is enabled | RESOLVED | Core | Canvas: 2D | Tim Nguyen :ntim | | [fingerprinting][fingerprinting-breakage] |
| 1404608 | Do not lie about Operating System when privacy.resistFingerprinting is true | RESOLVED | Core | DOM: Security | Tim Huang[:timhuang] | | [domsecurity-backlog3][fingerprinting-breakage] |
| 1447592 | Don't reset privacy.spoof_english when privacy.resistFingerprinting is flipped back to false | RESOLVED | Firefox | Security | Tom Ritter [:tjr] (needinfo for responses to sec-[approval/ratings/advisories/cve's]) | | [fingerprinting-breakage] |

15 Total; 1 Open (6.67%); 12 Resolved (80%); 2 Verified (13.33%);


All Open Tagged Fingerprinting Bugs

<disabled-bugzilla>

   {
       "status":["NEW", "ASSIGNED", "REOPENED"],
       "whiteboard":["fingerprinting"],
       "include_fields": "id, summary, status, product, component, assigned_to, depends_on, whiteboard",
       "order": "status, assigned_to"
   }

</disabled-bugzilla>

Fingerprinting Resolved Bugs

<disabled-bugzilla>

   {
       "blocks":"1329996",
       "status":["RESOLVED", "VERIFIED"], 
       "include_fields": "id, summary, priority, product, component, assigned_to, depends_on, whiteboard",
       "order": "assigned_to"
   }

</disabled-bugzilla>