
Tor Browser and Tails Version Fingerprint - jonaslejon
https://github.com/jonaslejon/tor-fingerprint
======
cloudjacker
It detected Whonix as well

Not that it wasn't supposed to, just letting anyone know because it's a waste
of time for someone else to boot up their VMs just to see it, like I did.

------
programLyrique
I am trying with Torbrowser 5.5.5 on MacOS X with javascript activated, and
weak privacy settings, and the webpage detects neither that it is TorBrowser
nor that it's on MacOS X.

I have also installed uBlock Origin; maybe it is what makes the difference?

~~~
ryan-c
Installing any extensions in Torbrowser that it doesn't come with makes you
very trackable.

~~~
programLyrique
I'm quite sure I'm not the only one to use an ad-blocker with TorBrowser, so
this would not be a unique fingerprint.

~~~
ecnahc515
It's not going to leave a unique fingerprint but not will certainly be able
to track you...unless you completely trust your ad blocker

------
jgalt212
Idea: combine TOR + Guacamole.

Client runs guacamole client, one of the intermediate TOR nodes runs guacamole
host. Fingerprinting takes place on intermediate node which is randomly chosen
every time client starts up service. End result: Client remains anonymous to
these sort of fingerprinting efforts

The downside is TOR, which is not terribly performant because of extra
intermediate hops, will be degraded further by guacamole service.

------
noobermin
Am I wrong in thinking that all this does is look at window.navigator? It
doesn't seem to work for me though.

~~~
colejohnson66
Yes, you're wrong :) It actually opens up this page in the background:

    chrome://torbutton/locale/aboutTor.properties

If it exists, you're using Tor. Pretty obvious. For the version, it concats a
few variables from `window.navigator`, CRCs them, then compares the result
against known CRCs. The code[0] is pretty easy to follow. I'm surprised Tor
exposes these variables at all.

[0]: https://github.com/jonaslejon/tor-fingerprint/blob/master/tor-fingerprint.js
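
The version-matching step described in the comment above, as an added example that is not part of the comment and is not code from tor-fingerprint.js: a few navigator fields are concatenated, run through CRC-32 and looked up in a table of known checksums. The field selection, the `|` separator and the table entries are assumptions constructed for illustration.

```javascript
// Standard CRC-32 (reflected polynomial 0xEDB88320), table-driven.
const CRC_TABLE = (() => {
  const t = new Uint32Array(256);
  for (let n = 0; n < 256; n++) {
    let c = n;
    for (let k = 0; k < 8; k++) c = (c & 1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1);
    t[n] = c >>> 0;
  }
  return t;
})();

function crc32(str) {
  let crc = 0xFFFFFFFF;
  for (const b of new TextEncoder().encode(str)) {
    crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >>> 8);
  }
  return (crc ^ 0xFFFFFFFF) >>> 0; // force unsigned 32-bit
}

// Assumed field selection; the real script may concatenate different properties.
function navigatorKey(nav) {
  return [nav.userAgent, nav.platform, nav.oscpu, nav.buildID]
    .map(v => (v === undefined ? '' : String(v)))
    .join('|');
}

// Build checksum -> label from reference profiles captured per release.
function buildTable(samples) {
  const table = new Map();
  for (const [label, nav] of Object.entries(samples)) {
    table.set(crc32(navigatorKey(nav)), label);
  }
  return table;
}

// Returns the matching label, or null when the checksum is unknown.
function identify(nav, table) {
  return table.get(crc32(navigatorKey(nav))) || null;
}

// Constructed sample profiles (not real Tor Browser values).
const SAMPLES = {
  'release-A (constructed)': { userAgent: 'ExampleBrowser/1.0', platform: 'Win32',
    oscpu: 'Windows NT 6.1', buildID: '20000101000000' },
  'release-B (constructed)': { userAgent: 'ExampleBrowser/2.0', platform: 'Win32',
    oscpu: 'Windows NT 6.1', buildID: '20000101000000' },
};
const TABLE = buildTable(SAMPLES);
```

Every install of a release that reports identical values maps to the same checksum, so the lookup identifies the release rather than the individual user, and any profile not in the table comes back as `null`.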

~~~
MichaelGG
Isn't that only for Chrome? Tor Browser's based on Firefox eh. I thought XHR
wasn't allowed cross-domain anyways, so shouldn't these things fail? Though I
admit having no knowledge of how the addon system works.

Detecting Tor should be easier though, since exit nodes are published. So just
check the IP?

I imagine all the variables have to be exposed because sites will break
otherwise.

~~~
gruez
>Isn't that only for Chrome? Tor Browser's based on Firefox eh

"chrome" in this context refers to the control elements of the browser

https://en.wikipedia.org/wiki/Graphical_user_interface#User_interface_and_interaction_design

~~~
MichaelGG
Right but I was unaware FF exposed a "chrome" URI scheme.

I'm sure they have their reasons for letting pages make XHR calls to add-ons
like that but seems complicated.

------
developer2
I suppose Tails should at least update its support page regarding
fingerprinting[1].

[1] https://tails.boum.org/support/known_issues/index.en.html#fingerprint

------
unsignedint
Looks like it fails to identify Tor Browser 6.0a5-hardened...

------
r-w
Cue them saying something along the lines of “our goal is to prevent tracing,
not fingerprinting”. But I hope they’re hard at work on a fix regardless.

~~~
ryan-c
Torbrowser includes patches to Firefox that make it more difficult to
fingerprint individual machines, however this is at the expense of making it
trivial to identify as Torbrowser when javascript is enabled. It doesn't
appear possible to fix.

~~~
esnard
Also, the requests seem to come from a node exit IP, which are public, so
identifying a Tor user is easy.

Tor provides anonymity by giving all its users the same fingerprint. The fact
that you're using Tor isn't a secret.

About the Tor version number in window.navigator, I guess they can't easily
block it since the browser itself leaks some information via the features
added in each release (e.g. a new JS API introduced in Firefox XX).

~~~
hackney
Strangely, the tor site at one point mentions having javascript enabled by
default. As far as I know, that is a no-no for anonymous browsing using tor.
But it also breaks most sites so there are not many times I actually use it.
Even with javascript enabled, I'm sure you can still do a fair bit of
anonymous browsing but I just don't trust java or the internet.

