Tor Fingerprinting – Is the Tor Browser Immune Against Browser Fingerprinting?
On October 4, 2013, the Guardian published a report stating that Edward Snowden, a former CIA employee and whistleblower, had sent the British newspaper classified documents proving that the National Security Agency (NSA) had repeatedly attempted to mount successful attacks against Tor, the onion router. However, the report claimed that all of the NSA's attempts failed to de-anonymize Tor users and, as such, proved that the security of Tor is bulletproof and that only those using an outdated version of the Tor browser can be successfully de-anonymized via quantum cookie attacks.
Nonetheless, Tor is a two-edged sword. While most users appreciate the privacy and anonymity Tor offers, others exploit them for various forms of online criminal activity. Where online tracking and de-anonymization are concerned, internet tracebacks via browser fingerprinting are steadily growing, specifically on some commercial websites, such as BlueCava, Iovation, AddThis, 41st Parameter and ThreatMetrix. In 2010, the Panopticlick research program was initiated by the Electronic Frontier Foundation (EFF) to examine browser fingerprinting. The research showed that 94.2% of all browser fingerprints, excluding the Tor browser's fingerprints, are unique. When a user points his/her browser to a server that runs browser fingerprinting, the server obtains some of the features of the user's browser, which are referred to as browser fingerprints. The server can then link separate visits that present the same fingerprint and use that link for tracking. Such association can lead to de-anonymization of users.
Fingerprinting represents a serious threat to Tor’s main objective. As such, developers of Tor have been working on solutions to mitigate known fingerprinting techniques to preserve the anonymity of Tor users. In February 2016, Tor browser 5.5 was released to shield the browser against known browser fingerprinting techniques.
Tor Browser Fingerprinting:
The Tor browser is immune against most of the conventional browser fingerprinting techniques. The research study introduced a unique fingerprinting technique, known as “Tor fingerprinting,” that can be utilized to track the Tor browser. The study fully examined the Tor browser to provide the following set of fingerprints. Even though some of these fingerprints have been previously reported, the study revealed how they can be used in Tor fingerprinting.
In the HTTP header, the User-Agent value is constant. However, the version of a user's Tor browser can still be obtained: in versions older than 5.0, Accept-Language within the HTTP header is "en-us,en;q=0.5", while in version 5.0 and later versions it is "en-US,en;q=0.5".
Size of the Content Window:
The window.screen property can be utilized to identify the size of the Tor browser's content window. Furthermore, Cascading Style Sheets (CSS) media queries can be utilized to identify the size of the content window.
It is well known that Font.enumerateFonts in ActionScript can be used to obtain the fonts installed on the target's device, along with their order. However, because the Tor browser turns off Flash plugins, the following methods can be used instead to obtain the list of fonts in Tor 5.0 and newer versions, yet they won't work with Tor 5.5 due to the newly developed countermeasures.
b. Utilizing @font-face, which is specified in CSS3, can identify the user’s fonts.
Streaming SIMD Extensions 2 (SSE2) can be used to detect whether the user's CPU is an Intel Pentium 4 or newer.
Detecting the Number of CPU Cores:
By executing heavy calculations across multiple threads with the Web Workers API, the number of CPU cores on the user's device can be estimated, along with the presence of Hyper-Threading Technology (HTT).
The display's refresh rate can be estimated by means of the requestAnimationFrame method of the Animation Timing API when Tor 5.0 or newer versions are used.
Some Tor browser users turn off HTTP cookies, although they are turned on by default. As such, changing this setting can itself serve as a form of fingerprint.
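The following added example (not from the study or the Tor Project) shows why each attribute above matters for anonymity: it measures, Panopticlick-style, how many bits each attribute contributes and how large each visitor's anonymity set is. The eight visits, their values and all function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: attribute values a server could observe from eight
# Tor Browser visitors. Values are illustrative, not measurements.
ATTRS = ("accept_language", "window", "cores", "cookies")
VISITS = [
    ("en-US,en;q=0.5", "1000x600", 4, True),
    ("en-US,en;q=0.5", "1000x600", 4, True),
    ("en-US,en;q=0.5", "1000x600", 2, True),
    ("en-US,en;q=0.5", "1000x600", 4, True),
    ("en-US,en;q=0.5", "1000x700", 4, True),   # resized content window
    ("en-US,en;q=0.5", "1000x600", 8, True),
    ("en-us,en;q=0.5", "1000x600", 4, True),   # pre-5.0 header casing
    ("en-US,en;q=0.5", "1000x600", 4, False),  # cookies turned off
]

def entropy_bits(values):
    """Shannon entropy of a list of observed values, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def attribute_entropy(visits=VISITS):
    """Entropy contributed by each attribute taken alone."""
    return {name: entropy_bits([v[i] for v in visits])
            for i, name in enumerate(ATTRS)}

def anonymity_set_sizes(visits=VISITS):
    """For each visit, how many visits share its full fingerprint."""
    counts = Counter(visits)
    return [counts[v] for v in visits]

def surprisal_bits(visit, visits=VISITS):
    """Self-information of one full fingerprint: -log2(population share)."""
    return -math.log2(Counter(visits)[visit] / len(visits))

if __name__ == "__main__":
    for name, bits in attribute_entropy().items():
        print(f"{name:16} {bits:.3f} bits")
    print("anonymity sets:", anonymity_set_sizes())
    print("cookies-off visitor:", surprisal_bits(VISITS[7]), "bits")
```

A value that is identical for every visitor, such as the constant User-Agent, contributes zero bits, while any single deviation from the defaults leaves that visitor in an anonymity set of one.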