Batu69 Posted March 11, 2016

Users who want to remain anonymous online often opt for using the Tor Browser, which hides their real IP address, but there are techniques that (more or less) malicious actors can use to identify them. Browser and system fingerprinting are two of them.

And while the Tor Project has already implemented a number of countermeasures against different fingerprinting methods, newer ones are popping up every now and then.

The latest ones have been demonstrated by security researcher Jose Carlos Norte. He created proof-of-concept JavaScript code that can be inserted into the source code of a website to extract information about how users interact with their computer, their hardware, the computing power and memory speed of their computer, and so on.

This code allowed him to:

- Extract information leaked by the mouse wheel event in Tor Browser – things like mouse scroll speed (which is dependent on the OS configuration and the computer’s hardware), number of scrolls the user made, and the mouse wheel delta value.
- See how long it takes for the user’s computer to execute a CPU-intensive script (different results for different computers).
- Extract information leaked by the getClientRects method, which returns a collection of rectangles that indicate the borders for each DOM element in a client.

“Depending on the resolution, font configuration and lots of other factors, the results of getClientRects are different, allowing for a very quick and easy fingerprinting vector, even better than the canvas fingerprinting that is fixed,” Norte pointed out.

The script manages to collect this information because Norte found a way to bypass the protection of the Date.getTime() method, which prevents measuring of events happening under 100ms.

“If a website is able to generate a unique fingerprint that identifies each user that enters the page, then it is possible to track the activity of this user in time, for example, correlate visits of the user during an entire year, knowing that it's the same user,” Norte explains.

“Or even worse, it could be possible to identify the user if the fingerprint is the same in tor browser and in the normal browser used to browse internet. It is very important for the tor browser to prevent any attempt on fingerprinting the user.”

Here is an example of how the “fingerprint” of different users using the same Tor browser version but different computers can differ:

Whether this fingerprinting method can ultimately lead to the unmasking of Tor users or not is debatable, but it’s good to know that security researchers are probing the defenses of such crucial software, because we can be sure malicious users do so constantly.

Norte hopes that his research will spur Tor developers to find a solution to this problem. Apparently, it already has.

In the meantime, in this particular case, users can protect themselves by simply disabling JavaScript on the Tor Browser (it is currently enabled by default).

Article source

edwardecl Posted March 11, 2016

Use NoScript... any Tor site that uses JavaScript you have to assume is trying to compromise you.

steven36 Posted March 11, 2016

5 hours ago, edwardecl said:
> Use NoScript... any Tor site that uses JavaScript you have to assume is trying to compromise you.

Tor Browser comes with NoScript, so if they found more holes in it, it shows it's not very effective. I always uninstall it and replace it with Policeman. Another good one is uMatrix. The best way to stop Tor fingerprinting is don't use it with your real IP over a VPN. The problem with disabling JavaScript everywhere is it breaks most of the web, so you're better off using an addon that lets you get away with tuning it to use as little as possible. When you use Policeman it automatically blocks any 3rd party scripts, so if they were trying to fingerprint through a script it would be blocked.

CODYQX4 Posted March 11, 2016

35 minutes ago, steven36 said:
> Tor Browser comes with NoScript, so if they found more holes in it, it shows it's not very effective. I always uninstall it and replace it with Policeman. Another good one is uMatrix. The best way to stop Tor fingerprinting is don't use it with your real IP over a VPN. The problem with disabling JavaScript everywhere is it breaks most of the web, so you're better off using an addon that lets you get away with tuning it to use as little as possible. When you use Policeman it automatically blocks any 3rd party scripts, so if they were trying to fingerprint through a script it would be blocked.

Probably best off not using Tor on the main web. So much stuff blocks Tor, and Tor sites shouldn't use JS.

steven36 Posted March 11, 2016

1 hour ago, CODYQX4 said:
> Probably best off not using Tor on the main web. So much stuff blocks Tor, and Tor sites shouldn't use JS.

Probably best not to use the darknet or use it to break the law, but people do every day. I never heard of anyone getting in trouble surfing the open net with Tor; the only people who got in trouble using Tor were people on the darknet breaking the law. The only thing I use Tor for is if I need a proxy while on my VPN, and you would never catch me on the darknet. There's more than I can do in one day on the open net.

You can beef up your anti-fingerprinting using RAS. But as browsers become more bloatware, like Firefox, and start messing up addons, the less safe Tor becomes. There's too many holes in browsers; 52 MB just to update Tor Browser. The problem is people who use Tor Browser don't beef up their security enough; what I suggest to you, others suggest it too.

I use these addons in normal browsers to protect me, to plug holes, and not the ones the Tor Browser has, so I install some of the same ones in my Tor Browser as in my default one:

https://www.reddit.com/r/privacy/comments/49armw/advanced_tor_browser_fingerprinting/

I try to achieve the best security I can on every browser I set up. The thing with RAS is once they bump up Tor Browser to v45 ESR it's going to break it unless they fix it; this is why I plan to move to Palemoon soon. I hate the way they make Tor nowadays. Back in the old days they had the Tor Vidalia bundle and you set your own browser up for Tor. New Firefox or Chrome are not very good for privacy software like Tor.

straycat19 Posted March 13, 2016

I believe the thing to keep in mind is that anything designed or invented by man can be circumvented or destroyed by man and that includes computer code. Every time something is patched to increase its security someone finds a new vulnerability, just like the game of Whack-A-Mole. Look at the number of patches Microsoft turns out for Windows and still it is the most vulnerable OS around.