Users who want to remain anonymous online often opt for using the Tor
Browser, which hides their real IP address, but there are techniques
that (more or less) malicious actors can use to identify them.
Browser and system fingerprinting are two of them. And while the Tor
Project has already implemented a number of countermeasures against
different fingerprinting methods, newer ones are popping up every now
and then.
The latest ones have been demonstrated by security researcher Jose Carlos Norte.
He created proof-of-concept JavaScript code that can be inserted into
the source code of a website to extract information about how users
interact with their computer, their hardware, the computing power and
memory speed of their computer, and so on.
This code allowed him to:
- Extract information leaked by the mouse wheel event in Tor Browser – things like mouse scroll speed (which is dependent on the OS configuration and the computer’s hardware), number of scrolls the user made, and the mouse wheel delta value.
- See how long it takes for the user’s computer to execute a CPU-intensive script (different results for different computers)
- Extract information leaked by the getClientRects method, which returns a collection of rectangles that indicate the borders for each DOM element in a client. “Depending on the resolution, font configuration and lots of other factors, the results of getClientRects are different, allowing for a very quick and easy fingerprinting vector, even better than the canvas fingerprinting that is fixed,” Norte pointed out.
The script manages to collect this information because Norte found a
way to bypass the protection applied to the Date.getTime() method, which
prevents the measuring of events that happen in under 100ms.
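A defender-side check for the clamp described above, as an added example that is not Norte's code or the Tor Project's: it measures the smallest tick a time source exposes and flags any source finer than 100 ms. The function names and the simulated clocks are constructed for illustration.

```javascript
// Added example: audit a time source for the 100 ms clamp described above.
// All names are hypothetical; the simulated clocks are constructed test inputs.

// Wrap a raw millisecond clock so every reading is rounded down to `resolutionMs`.
function clampClock(rawClock, resolutionMs) {
  return () => Math.floor(rawClock() / resolutionMs) * resolutionMs;
}

// Constructed deterministic clock: first read returns `start`,
// every later read advances by `stepMs`.
function simulatedClock(start, stepMs) {
  let t = start - stepMs;
  return () => (t += stepMs);
}

// Read the clock repeatedly and return the smallest non-zero jump between
// consecutive readings. A clamped source never shows a jump below its
// resolution. Returns Infinity if the clock never advanced during the run.
function smallestTick(clock, reads) {
  let prev = clock();
  let smallest = Infinity;
  for (let i = 1; i < reads; i++) {
    const now = clock();
    const delta = now - prev;
    if (delta > 0 && delta < smallest) smallest = delta;
    prev = now;
  }
  return smallest;
}

// Report whether a source honours the expected minimum resolution.
function auditClock(name, clock, minResolutionMs, reads = 1000) {
  const tick = smallestTick(clock, reads);
  return { name, smallestTickMs: tick, compliant: tick >= minResolutionMs };
}

// Run the audit over one unclamped and one clamped constructed clock.
function runAudit() {
  const raw = simulatedClock(1000, 1); // 1 ms resolution, no clamp
  const clamped = clampClock(simulatedClock(1000, 1), 100);
  return [auditClock("raw", raw, 100), auditClock("clamped", clamped, 100)];
}
```

In a browser, pass `() => new Date().getTime()` or `() => performance.now()` as the clock and raise `reads` until the loop spans several ticks.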
“If a website is able to generate a unique fingerprint that
identifies each user that enters the page, then it is possible to track
the activity of this user in time, for example, correlate visits of the
user during an entire year, knowing that it's the same user,” Norte explains.
“Or even worse, it could be possible to identify the user if the
fingerprint is the same in tor browser and in the normal browser used to
browse internet. It is very important for the tor browser to prevent
any attempt on fingerprinting the user.”
Here is an example of how the “fingerprint” of different users using
the same Tor browser version but different computers can differ:
Whether this fingerprinting method can ultimately lead to the
unmasking of Tor users or not is debatable, but it’s good to know that
security researchers are probing the defenses of such crucial software,
because we can be sure malicious users do so constantly.
Norte hopes that his research will spur Tor developers to find a solution to this problem. Apparently, it already has.
In the meantime, in this particular case, users can protect
themselves by simply disabling JavaScript on the Tor Browser (it is
currently enabled by default).