Tor Browser Flaws Allow User Profiling
Dr. Neal Krawetz, a computer forensics expert, revealed on Monday several problems with the amount of detail the Tor Browser discloses about users, which may allow a determined actor to identify users employing the Tor Browser to surf the Internet.
While this might seem unimportant, users choose to use the Tor Browser to obtain a level of privacy while navigating the Internet, and they expect the Tor Browser to provide a certain level of anonymity.
The Tor Browser itself takes many steps to protect the privacy of its users, including masking as many user details as it can, mainly to prevent user profiling, for either advertising or state-level tracking.
For example, the Tor Browser user-agent string is identical to that of Firefox, the browser the Tor Browser is based on, and the Tor Browser blocks many user fingerprinting techniques employed in online advertising.
Dr. Krawetz's findings provide three simple ways to determine when a user is using the Tor Browser, regardless of the info we see in the user-agent string. They work by retrieving three very basic browser details which the Tor Browser currently doesn't (can't and won't) block: Screen Size, Window Size, and Scrollbar Thickness.
For example, an attacker could read the Window and Screen size from all users accessing a site under his control, or where he can execute an ad or JS script.
For all normal browsers, the Window Size is smaller than the Screen Size. To prevent individual user fingerprinting, the Tor Browser sets these two settings the same.
Naturally, if the Window Size and Screen Size are the same, an attacker can determine that the user is using a Tor Browser, and take a specific action, such as delivering an exploit, denying entry to his site, etc.
The second Tor Browser identification technique relies on how the Tor Browser calculates the browser Window Size.
By default, the Tor Browser will open a window whose width is a multiple of 200px and whose height is a multiple of 100px (the default value is 1000px by 1000px).
Dr. Krawetz says he discovered a bug on macOS, where the Tor Browser miscalculates the Window Size height because of the dock menu at the bottom of the screen.
In this case, Dr. Krawetz says that if an attacker detects a browser with a Firefox user-agent string, a screen width that's a multiple of 200px, but a height that's not a multiple of 100px, then he can conclude the user is employing the Tor Browser.
The third issue relates to the Scrollbar Size value. According to Dr. Krawetz, this value is unique per browser and OS.
For example, the Tor Browser on macOS 10.11 uses a default scrollbar thickness of 15 pixels, while on Windows 7/8/10, Tor Browser scrollbars are 17 pixels thick. For Linux, the Tor Browser is more problematic, as the browser uses values between 10 and 16 pixels, depending on the user's Linux distro flavor.
The optimum solution would be for the Tor Browser to use a generic value, also used by another browser, or to mimic Edge's behavior of using a variable size between 12 and 15 px.
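The three checks described above can be turned into a self-audit that a user or browser developer runs against their own browser to see which of these signals it exposes. This is an added example, not code from Dr. Krawetz or the Tor Project; the function names, signal labels and sample values are assumptions, and the thresholds are the figures quoted in this article.

```javascript
// Added self-audit example. Function names, signal labels and the metric
// object are assumptions; thresholds are the figures quoted in the article.
function auditMetrics(m) {
  const signals = [];
  // Signal 1: reported window size is identical to reported screen size.
  const sameSize = m.innerWidth === m.screenWidth && m.innerHeight === m.screenHeight;
  if (sameSize) signals.push("window-equals-screen");
  // Signal 2: Firefox user-agent, width on the 200px grid, height off the
  // 100px grid (the macOS dock miscalculation described in the article).
  const firefoxUA = /Firefox\//.test(m.userAgent);
  const offGrid = m.innerWidth % 200 === 0 && m.innerHeight % 100 !== 0;
  if (firefoxUA && offGrid) signals.push("width-on-grid-height-off-grid");
  // Signal 3: scrollbar thickness narrows down the platform.
  const platforms = [];
  if (m.scrollbarPx === 15) platforms.push("macOS 10.11");
  if (m.scrollbarPx === 17) platforms.push("Windows 7/8/10");
  if (m.scrollbarPx >= 10 && m.scrollbarPx <= 16) platforms.push("Linux");
  return { signals, platforms };
}

// Browser-only: measure scrollbar thickness with an off-screen scrolling box.
function measureScrollbarPx(doc) {
  const box = doc.createElement("div");
  box.style.cssText =
    "width:100px;height:100px;overflow:scroll;position:absolute;top:-9999px";
  doc.body.appendChild(box);
  const px = box.offsetWidth - box.clientWidth;
  box.remove();
  return px;
}

// Browser-only: gather the values that any page script can read.
function collectMetrics(win) {
  return {
    userAgent: win.navigator.userAgent,
    screenWidth: win.screen.width, screenHeight: win.screen.height,
    innerWidth: win.innerWidth, innerHeight: win.innerHeight,
    scrollbarPx: measureScrollbarPx(win.document),
  };
}

// Constructed sample values, not captured from a real browser.
const FF_UA = "Mozilla/5.0 (constructed sample) Gecko/20100101 Firefox/0.0";
const mk = (userAgent, screenWidth, screenHeight, innerWidth, innerHeight, scrollbarPx) =>
  ({ userAgent, screenWidth, screenHeight, innerWidth, innerHeight, scrollbarPx });
const SAMPLE_UNIFORM = mk(FF_UA, 1000, 1000, 1000, 1000, 17);
const SAMPLE_DOCK = mk(FF_UA, 1440, 900, 1000, 829, 15);
const SAMPLE_ORDINARY = mk("Mozilla/5.0 (constructed sample) Chrome/0.0", 1920, 1080, 1903, 969, 17);
if (typeof window !== "undefined") console.log(auditMetrics(collectMetrics(window)));
```

An empty `signals` list means none of the first two checks matched; the `platforms` list shows how far the scrollbar value alone narrows the operating system.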
For all three of these user profiling techniques, Dr. Krawetz has proposed various mitigations. Whether the Tor Project team will listen to his recommendations is another matter.
First, most of the fixes are lose-lose issues, as they expose the user to other user profiling attacks. Second, the researcher didn't contact the Tor Project to inform them of these issues.
His blog post reveals several problems with the Tor Project's internal structure that have frustrated the researcher and prevented him from getting in contact and reporting these problems to the right person.