130
edits
Security/Fingerprinting: Difference between revisions
no edit summary
Ethantseng (talk | contribs) (Enable the query for Fingerprinting Breakage) |
No edit summary |
||
| Line 4: | Line 4: | ||
Refer to the design and implementation document of the Tor Browser: <br> | Refer to the design and implementation document of the Tor Browser: <br> | ||
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability | https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability | ||
== Technical Details == | |||
This page contains technical details about the things we do in Resist fingerprinting mode. It is up to date as of March 7, 2018 | |||
=== Terse List === | |||
* Complicated (see below) | |||
** Canvas image extraction is blocked | |||
** Absolute Screen Coordinates are obscured | |||
** Window Dimensions are rounded to a multiple of 200x100, and a warning is shown when maximizing | |||
* Non-Trivial (see below) | |||
** The performance API is mostly disabled | |||
** Time Precision is reduced to 100ms, with up to 100ms of jitter | |||
** mozAddonManager may be blocked {{Bug|1384330}} | |||
** Media Devices are spoofed {{Bug|1372073}} | |||
** WebGL is limited {{Bug|1217290}} | |||
** The Keyboard Layout is spoofed | |||
** The Locale is spoofed to en-US | |||
** If you customize the preferred language list (Accept-Language), you will be warned {{Bug|1039069}} | |||
* Trivial | |||
** The browser version is reported to be the most recent ESR version (but the OS is not spoofed) | |||
** Timezone is spoofed to 'UTC' | |||
** The gamepad API is disabled | |||
** All device sensors are disabled | |||
** The WebSpeech API is disabled | |||
** navigator.hardwareConcurrency is spoofed to 2 | |||
** Site-specific zoom is disabled {{Bug|1369357}} | |||
** MediaError.message is restricted to a whitelist {{Bug|1354633}} | |||
** The Network Information API reports an 'Unknown' connection type, and the ontypechange event is suppressed {{Bug|1372072}} | |||
** The Media Statistics API will report calculated numbers not reflecting reality {{Bug|1369309}} | |||
** Web Extensions are able to toggle privacy.resistFingerprinting | |||
** Geolocation is disabled {{Bug|1372069}} - but this will be reverted {{Bug|1441295}} | |||
** screen.orientation.type is spoofed as 'landscape-primary' and screen.orientation.angle is spoofed to '0' {{Bug|1281949}} but also {{Bug|1433815}} | |||
** navigator.plugins and navigator.mimeTypes are reported as empty {{Bug|1281963}} and {{Bug|1324044}} | |||
=== Details === | |||
==== Canvas Fingerprinting Detection ==== | |||
==== Absolute Screen Coordinates ==== | |||
{{Bug|1382499}} | |||
==== Window Dimensions ==== | |||
{{Bug|1330882}} | |||
==== Performance API ==== | |||
Most performance APIs are disabled, but not all of them. TODO more details. | |||
==== Time Precision Reduction ==== | |||
TODO more details | |||
* animation API - {{Bug|1382545}} | |||
==== mozAddonManager ==== | |||
window.navigator.mozAddonManager is only exposed to addons.mozilla.org. In Resist Fingerprinting mode, we keep it exposed; however if the additional preference 'privacy.resistFingerprinting.block_mozAddonManager' is true, then it is not exposed to AMO | |||
==== Media Devices ==== | |||
When RFP is enabled, enumerateDevices reports that the user has one camera (named 'Internal Camera') and one microphone (named 'Internal Microphone'). The devicechange event is also suppressed. | |||
==== WebGL ==== | |||
TODO | |||
==== Keyboard Layout ==== | |||
{{Bug|1222285}}, {{Bug|1438795}}, {{Bug|1409974}}, {{Bug|1433592}} | |||
==== Locale ==== | |||
{{Bug|867501}}, {{Bug|1330892}}, {{Bug|1369330}}, {{Bug|1409973}} | |||
==== Accept-Languages ==== | |||
== Project Schedule == | == Project Schedule == | ||