Re: Tor Browser font fingerprinting defense

2020-04-13 Thread Caspar Schutijser
On Mon, Apr 13, 2020 at 12:01:16PM +0100, Stuart Henderson wrote:
> On 2020/04/12 20:36, Caspar Schutijser wrote:
> > On Fri, Apr 10, 2020 at 09:24:31PM +0200, Caspar Schutijser wrote:
> > > Below is a WIP diff that makes font fingerprinting defense work in
> > > our port of Tor Browser.
> > 
> > Thanks for your feedback from both of you. I incorporated sthen@'s
> > feedback in the diff below (and besides that there's some fixes and
> > cleanup compared to the previous diff).
> > 
> > I haven't received any test reports yet but as far as I can see, this
> > diff works as advertised. Further feedback is welcome, of course.
> 
> Could you change how the js change is done please, normally patches are
> a better idea for non-bulk changes like this, but it results in a line
> containing UTF-8 in the patch context which I think is likely to cause
> some future problems with sending/applying diffs - this should do the
> trick:
> 
>   sed -i 's/#ifdef XP_LINUX/#if defined(XP_LINUX) || defined(XP_OPENBSD)/' \
>   ${WRKSRC}/browser/app/profile/000-tor-browser.js

Yes, of course. The diff below does that. Thanks. Briefly tested on
amd64.


Index: browser/Makefile
===
RCS file: /cvs/ports/www/tor-browser/browser/Makefile,v
retrieving revision 1.43
diff -u -p -r1.43 Makefile
--- browser/Makefile9 Apr 2020 21:15:29 -   1.43
+++ browser/Makefile13 Apr 2020 15:06:20 -
@@ -16,9 +16,12 @@ PATCHORIG =  .pat.orig
 
 PKGNAME =  ${TB_PREFIX}-browser-${TB_VERSION}
 DISTNAME = src-firefox-tor-browser-68.7.0esr-9.0-2-build1
+REVISION = 0
 
+FIX_EXTRACT_PERMISSIONS= Yes
 DISTFILES +=   ${DISTNAME}.tar.xz \
-   src-tor-launcher-${TL_VERSION}.tar.xz
+   src-tor-launcher-${TL_VERSION}.tar.xz \
+   tor-browser-linux64-${TB_VERSION}_en-US.tar.xz
 
 SO_VERSION =   5.0
 MOZILLA_LIBS = xul clearkey lgpllibs mozavcodec mozavutil mozgtk
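
Review bot: The new DISTFILES entry tor-browser-linux64-${TB_VERSION}_en-US.tar.xz has no comment saying why a prebuilt Linux bundle is fetched for this port. A one-line comment above it, stating that only fonts.conf and the fonts directory are taken from it, would keep a later updater from dropping it or assuming the binaries are used. It also tracks ${TB_VERSION} while DISTNAME is spelled out in full, so the comment should remind whoever updates the port to bump both together.
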
@@ -99,6 +102,7 @@ CONFIGURE_ARGS +=--with-libclang-path=$
 CONFIGURE_ARGS +=  --with-clang-path=${LOCALBASE}/bin/clang
 
 post-extract:
+   mv ${WRKDIR}/tor-browser_en-US ${WRKSRC}
mv ${WRKDIR}/tor-launcher-${TL_VERSION}/ \
${WRKSRC}/browser/extensions/tor-launcher
 
@@ -112,11 +116,17 @@ post-patch:
${SUBST_CMD} 
${WRKSRC}/browser/extensions/tor-launcher/src/defaults/preferences/torlauncher-prefs.js
sed -i 's/"files":{[^}]*}/"files":{}/' \
${WRKSRC}/third_party/rust/bindgen/.cargo-checksum.json
+   # Not using a patch for this; patch context would contain UTF-8
+   sed -i 's/#ifdef XP_LINUX/#if defined(XP_LINUX) || 
defined(XP_OPENBSD)/' \
+   ${WRKSRC}/browser/app/profile/000-tor-browser.js
 
 BROWSER_DIR = ${PREFIX}/lib/${BROWSER_NAME}
+TRUEBROWSER_DIR = ${TRUEPREFIX}/lib/${BROWSER_NAME}
 BROWSER_CFG = ${BROWSER_DIR}/${BROWSER_NAME}.cfg
 BROWSER_INI = ${BROWSER_DIR}/distribution/distribution.ini
 
+SUBST_VARS +=  TRUEBROWSER_DIR
+
 post-install:
# install prefs, bookmarks, app config file for Tor browser
${INSTALL_DATA_DIR} ${BROWSER_DIR}/browser/defaults/preferences
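
Review bot: The sed on 000-tor-browser.js in post-patch exits successfully whether or not `#ifdef XP_LINUX` is still present, so if upstream rewords that line the build goes through and the package ships without the font defense. Follow it with a check that fails the build, for example grep -q 'defined(XP_OPENBSD)' on the same file. The expression also rewrites every line that carries `#ifdef XP_LINUX`, not only the font-related one, which deserves a word in the comment above it.
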
@@ -150,5 +160,19 @@ post-install:
${INSTALL_DATA_DIR} ${PREFIX}/share/${BROWSER_NAME}
${SUBST_DATA} ${FILESDIR}/torrc-defaults \
${PREFIX}/share/${BROWSER_NAME}/torrc-defaults
+
+   # install fonts.conf and fonts
+   ${INSTALL_DATA_DIR} ${BROWSER_DIR}/browser/fontconfig
+   ${SUBST_DATA} \
+   
${WRKSRC}/tor-browser_en-US/Browser/TorBrowser/Data/fontconfig/fonts.conf \
+   ${BROWSER_DIR}/browser/fontconfig/fonts.conf
+   ${INSTALL_DATA_DIR} ${BROWSER_DIR}/browser/fonts
+   cp ${WRKSRC}/tor-browser_en-US/Browser/fonts/* \
+   ${BROWSER_DIR}/browser/fonts
+
+   # install wrapper script (remove symlink first)
+   rm ${PREFIX}/bin/${BROWSER_NAME}
+   ${SUBST_PROGRAM} ${FILESDIR}/${BROWSER_NAME} \
+   ${PREFIX}/bin/${BROWSER_NAME}
 
 .include 
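
Review bot: The fonts are copied with plain cp while fonts.conf goes through ${SUBST_DATA}, so the font files keep whatever modes they had after extraction. Installing them with ${INSTALL_DATA} into ${BROWSER_DIR}/browser/fonts would give them fixed modes like the other data files. The bare rm of ${PREFIX}/bin/${BROWSER_NAME} fails the build if the symlink ever stops being installed, which is a useful guard; the comment could say that this is intended.
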
Index: browser/distinfo
===
RCS file: /cvs/ports/www/tor-browser/browser/distinfo,v
retrieving revision 1.22
diff -u -p -r1.22 distinfo
--- browser/distinfo9 Apr 2020 21:15:29 -   1.22
+++ browser/distinfo13 Apr 2020 15:06:20 -
@@ -1,4 +1,6 @@
 SHA256 (mozilla/src-firefox-tor-browser-68.7.0esr-9.0-2-build1.tar.xz) = 
3paD2CYF+AUbO1xO0rAIHXSFqSGQeJmpJzg6F3/I+vg=
 SHA256 (mozilla/src-tor-launcher-0.2.20.5.tar.xz) = 
LVEbHAxcGf49cC8NF4bVYfFD7k2GA8SX+f+VA5p7L4U=
+SHA256 (mozilla/tor-browser-linux64-9.0.9_en-US.tar.xz) = 
z5ELlXfclLz+72D+mQTn+PKSd78ac2BgDDKVYiXQRHM=
 SIZE (mozilla/src-firefox-tor-browser-68.7.0esr-9.0-2-build1.tar.xz) = 
348594032
 SIZE (mozilla/src-tor-launcher-0.2.20.5.tar.xz) = 210916
+SIZE (mozilla/tor-browser-linux64-9.0.9_en-US.tar.xz) = 80156396
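
Review bot: The added SHA256 line for tor-browser-linux64-9.0.9_en-US.tar.xz is the only integrity check on a prebuilt upstream bundle, and the submission does not say where the value came from. State in the mail or commit message that it was compared against the checksum upstream publishes for that file rather than only computed from a local download.
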
Index: 

Re: Tor Browser font fingerprinting defense

2020-04-13 Thread Stuart Henderson
On 2020/04/12 20:36, Caspar Schutijser wrote:
> On Fri, Apr 10, 2020 at 09:24:31PM +0200, Caspar Schutijser wrote:
> > Below is a WIP diff that makes font fingerprinting defense work in
> > our port of Tor Browser.
> 
> Thanks for your feedback from both of you. I incorporated sthen@'s
> feedback in the diff below (and besides that there's some fixes and
> cleanup compared to the previous diff).
> 
> I haven't received any test reports yet but as far as I can see, this
> diff works as advertised. Further feedback is welcome, of course.

Could you change how the js change is done please, normally patches are
a better idea for non-bulk changes like this, but it results in a line
containing UTF-8 in the patch context which I think is likely to cause
some future problems with sending/applying diffs - this should do the
trick:

sed -i 's/#ifdef XP_LINUX/#if defined(XP_LINUX) || defined(XP_OPENBSD)/' \
${WRKSRC}/browser/app/profile/000-tor-browser.js



Re: Tor Browser font fingerprinting defense

2020-04-12 Thread Caspar Schutijser
On Fri, Apr 10, 2020 at 09:24:31PM +0200, Caspar Schutijser wrote:
> Below is a WIP diff that makes font fingerprinting defense work in
> our port of Tor Browser.

Thanks for your feedback from both of you. I incorporated sthen@'s
feedback in the diff below (and besides that there's some fixes and
cleanup compared to the previous diff).

I haven't received any test reports yet but as far as I can see, this
diff works as advertised. Further feedback is welcome, of course.

Thanks,
Caspar Schutijser


Index: browser/Makefile
===
RCS file: /cvs/ports/www/tor-browser/browser/Makefile,v
retrieving revision 1.43
diff -u -p -r1.43 Makefile
--- browser/Makefile9 Apr 2020 21:15:29 -   1.43
+++ browser/Makefile12 Apr 2020 18:35:53 -
@@ -16,9 +16,12 @@ PATCHORIG =  .pat.orig
 
 PKGNAME =  ${TB_PREFIX}-browser-${TB_VERSION}
 DISTNAME = src-firefox-tor-browser-68.7.0esr-9.0-2-build1
+REVISION = 0
 
+FIX_EXTRACT_PERMISSIONS= Yes
 DISTFILES +=   ${DISTNAME}.tar.xz \
-   src-tor-launcher-${TL_VERSION}.tar.xz
+   src-tor-launcher-${TL_VERSION}.tar.xz \
+   tor-browser-linux64-${TB_VERSION}_en-US.tar.xz
 
 SO_VERSION =   5.0
 MOZILLA_LIBS = xul clearkey lgpllibs mozavcodec mozavutil mozgtk
@@ -99,6 +102,7 @@ CONFIGURE_ARGS +=--with-libclang-path=$
 CONFIGURE_ARGS +=  --with-clang-path=${LOCALBASE}/bin/clang
 
 post-extract:
+   mv ${WRKDIR}/tor-browser_en-US ${WRKSRC}
mv ${WRKDIR}/tor-launcher-${TL_VERSION}/ \
${WRKSRC}/browser/extensions/tor-launcher
 
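
Review bot: The mv added as the first line of post-extract puts the whole prebuilt bundle under ${WRKSRC}, although the install lines later in this diff read only tor-browser_en-US/Browser/TorBrowser/Data/fontconfig/fonts.conf and tor-browser_en-US/Browser/fonts/*. Consider removing the rest of tor-browser_en-US right after the move, so that no prebuilt Linux binary sits in the source tree during the build, and add a comment saying why the directory is moved.
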
@@ -114,9 +118,12 @@ post-patch:
${WRKSRC}/third_party/rust/bindgen/.cargo-checksum.json
 
 BROWSER_DIR = ${PREFIX}/lib/${BROWSER_NAME}
+TRUEBROWSER_DIR = ${TRUEPREFIX}/lib/${BROWSER_NAME}
 BROWSER_CFG = ${BROWSER_DIR}/${BROWSER_NAME}.cfg
 BROWSER_INI = ${BROWSER_DIR}/distribution/distribution.ini
 
+SUBST_VARS +=  TRUEBROWSER_DIR
+
 post-install:
# install prefs, bookmarks, app config file for Tor browser
${INSTALL_DATA_DIR} ${BROWSER_DIR}/browser/defaults/preferences
@@ -150,5 +157,19 @@ post-install:
${INSTALL_DATA_DIR} ${PREFIX}/share/${BROWSER_NAME}
${SUBST_DATA} ${FILESDIR}/torrc-defaults \
${PREFIX}/share/${BROWSER_NAME}/torrc-defaults
+
+   # install fonts.conf and fonts
+   ${INSTALL_DATA_DIR} ${BROWSER_DIR}/browser/fontconfig
+   ${SUBST_DATA} \
+   
${WRKSRC}/tor-browser_en-US/Browser/TorBrowser/Data/fontconfig/fonts.conf \
+   ${BROWSER_DIR}/browser/fontconfig/fonts.conf
+   ${INSTALL_DATA_DIR} ${BROWSER_DIR}/browser/fonts
+   cp ${WRKSRC}/tor-browser_en-US/Browser/fonts/* \
+   ${BROWSER_DIR}/browser/fonts
+
+   # install wrapper script (remove symlink first)
+   rm ${PREFIX}/bin/${BROWSER_NAME}
+   ${SUBST_PROGRAM} ${FILESDIR}/${BROWSER_NAME} \
+   ${PREFIX}/bin/${BROWSER_NAME}
 
 .include 
Index: browser/distinfo
===
RCS file: /cvs/ports/www/tor-browser/browser/distinfo,v
retrieving revision 1.22
diff -u -p -r1.22 distinfo
--- browser/distinfo9 Apr 2020 21:15:29 -   1.22
+++ browser/distinfo12 Apr 2020 18:35:53 -
@@ -1,4 +1,6 @@
 SHA256 (mozilla/src-firefox-tor-browser-68.7.0esr-9.0-2-build1.tar.xz) = 
3paD2CYF+AUbO1xO0rAIHXSFqSGQeJmpJzg6F3/I+vg=
 SHA256 (mozilla/src-tor-launcher-0.2.20.5.tar.xz) = 
LVEbHAxcGf49cC8NF4bVYfFD7k2GA8SX+f+VA5p7L4U=
+SHA256 (mozilla/tor-browser-linux64-9.0.9_en-US.tar.xz) = 
z5ELlXfclLz+72D+mQTn+PKSd78ac2BgDDKVYiXQRHM=
 SIZE (mozilla/src-firefox-tor-browser-68.7.0esr-9.0-2-build1.tar.xz) = 
348594032
 SIZE (mozilla/src-tor-launcher-0.2.20.5.tar.xz) = 210916
+SIZE (mozilla/tor-browser-linux64-9.0.9_en-US.tar.xz) = 80156396
Index: browser/files/tor-browser
===
RCS file: browser/files/tor-browser
diff -N browser/files/tor-browser
--- /dev/null   1 Jan 1970 00:00:00 -
+++ browser/files/tor-browser   12 Apr 2020 18:35:53 -
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+export FONTCONFIG_PATH="${TRUEBROWSER_DIR}/browser/fontconfig/"
+export FONTCONFIG_FILE="fonts.conf"
+
+exec ${TRUEBROWSER_DIR}/${BROWSER_NAME} ${@}
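
Review bot: On the exec line of the wrapper, ${@} is unquoted, so an argument containing spaces (a file path, say) is split into several words before the browser sees it; write "$@" and quote the program path as well. FONTCONFIG_PATH and FONTCONFIG_FILE are overwritten unconditionally, which is what the defense needs, and a short comment saying this is deliberate would stop someone from later changing it to honour a value already set in the environment.
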
Index: browser/patches/patch-browser_app_profile_000-tor-browser_js
===
RCS file: browser/patches/patch-browser_app_profile_000-tor-browser_js
diff -N browser/patches/patch-browser_app_profile_000-tor-browser_js
--- /dev/null   1 Jan 1970 00:00:00 -
+++ browser/patches/patch-browser_app_profile_000-tor-browser_js12 Apr 
2020 18:35:53 -
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+Required to make font fingerprinting defenses work.
+
+Index: browser/app/profile/000-tor-browser.js
+--- 

Re: Tor Browser font fingerprinting defense

2020-04-10 Thread Stuart Henderson
On 2020/04/10 21:24, Caspar Schutijser wrote:
> Ports-wise, it looks a bit silly. And also, since this extra distfile
> does not end up in WRKSRC, it is not straightforward to patch
> fonts.conf, which we need to do (for now I use sed -i in the
> post-install target).
> 
> ports@, do you have any suggestions on how to improve this?

mv it in post-extract.



Re: Tor Browser font fingerprinting defense

2020-04-10 Thread Theo de Raadt
Caspar Schutijser wrote:

> p.s. This makes me wonder whether there are other features that don't
> work on OpenBSD.. I'm planning to look into that at some point. In the
> meantime, should we warn users about this?

Warn the software comes without a warranty?  Or any actual claim that it
actually does what they think it does?



Tor Browser font fingerprinting defense

2020-04-10 Thread Caspar Schutijser
Hi,

On Sat, Mar 14, 2020 at 11:45:13AM -, Bronze Alibi wrote:
> (tested on current with the provided package and nothing else installed)  
> 
> It looks like the Font
> fingerprinting defenses from upstream don't work in the OpenBSD port.  
> 
> When checking for the fingerprint on one of the websites that do such a thing,
> it seems like the installed fonts property is not uniform with tor browser on
> other platforms, but instead unique to OpenBSD and this port. It lists some
> specific proprietary font names (including Helvetica, which I would assume we
> don't ship in base, but some free replacement) and therefore makes users of
> the OpenBSD tor browser distinct from every other tor browser user.  
> 
> This is a bug.  

Below is a WIP diff that makes font fingerprinting defense work in
our port of Tor Browser.

Bronze Alibi, can you test this to see if it does what you expect?


Tor Browser achieves fingerprinting prevention by shipping its own set
of fonts and then configuring fontconfig to use only those fonts. The
selection of fonts is not shipped in some "normal" distfile, however.
One way to stay in sync anyway is to take the packaged Linux version
of Tor Browser and use the fonts and fonts.conf that are shipped there.
That's what I did with this diff.

Ports-wise, it looks a bit silly. And also, since this extra distfile
does not end up in WRKSRC, it is not straightforward to patch
fonts.conf, which we need to do (for now I use sed -i in the
post-install target).

ports@, do you have any suggestions on how to improve this? One
solution I could think of is to make a separate port, for example
www/tor-browser/fonts, which takes care of shipping the fonts and
fonts.conf. But not sure whether that's the best way to go.

Thanks,
Caspar Schutijser

p.s. This makes me wonder whether there are other features that don't
work on OpenBSD.. I'm planning to look into that at some point. In the
meantime, should we warn users about this?


Index: browser/Makefile
===
RCS file: /cvs/ports/www/tor-browser/browser/Makefile,v
retrieving revision 1.43
diff -u -p -r1.43 Makefile
--- browser/Makefile9 Apr 2020 21:15:29 -   1.43
+++ browser/Makefile10 Apr 2020 19:23:00 -
@@ -16,9 +16,12 @@ PATCHORIG =  .pat.orig
 
 PKGNAME =  ${TB_PREFIX}-browser-${TB_VERSION}
 DISTNAME = src-firefox-tor-browser-68.7.0esr-9.0-2-build1
+REVISION = 0
 
+FIX_EXTRACT_PERMISSIONS= Yes
 DISTFILES +=   ${DISTNAME}.tar.xz \
-   src-tor-launcher-${TL_VERSION}.tar.xz
+   src-tor-launcher-${TL_VERSION}.tar.xz \
+   tor-browser-linux64-${TB_VERSION}_en-US.tar.xz
 
 SO_VERSION =   5.0
 MOZILLA_LIBS = xul clearkey lgpllibs mozavcodec mozavutil mozgtk
@@ -114,9 +117,12 @@ post-patch:
${WRKSRC}/third_party/rust/bindgen/.cargo-checksum.json
 
 BROWSER_DIR = ${PREFIX}/lib/${BROWSER_NAME}
+TRUEBROWSER_DIR = ${TRUEPREFIX}/lib/${BROWSER_NAME}
 BROWSER_CFG = ${BROWSER_DIR}/${BROWSER_NAME}.cfg
 BROWSER_INI = ${BROWSER_DIR}/distribution/distribution.ini
 
+SUBST_VARS +=  TRUEBROWSER_DIR
+
 post-install:
# install prefs, bookmarks, app config file for Tor browser
${INSTALL_DATA_DIR} ${BROWSER_DIR}/browser/defaults/preferences
@@ -150,5 +156,23 @@ post-install:
${INSTALL_DATA_DIR} ${PREFIX}/share/${BROWSER_NAME}
${SUBST_DATA} ${FILESDIR}/torrc-defaults \
${PREFIX}/share/${BROWSER_NAME}/torrc-defaults
+
+   # install fonts and fonts.conf
+   ${INSTALL_DATA_DIR} ${BROWSER_DIR}/browser/fontconfig
+   ${INSTALL_DATA} \
+   
${WRKDIR}/tor-browser_en-US/Browser/TorBrowser/Data/fontconfig/fonts.conf \
+   ${BROWSER_DIR}/browser/fontconfig/fonts.conf
+   # XXX We should patch the path to the fonts directory instead of
+   # substituting it like this. But the file is not in WRKSRC so
+   # make update-patches does not pick up any patches there. What to do?
+   sed -i "s,fonts,${BROWSER_DIR}/browser/fonts," \
+   ${BROWSER_DIR}/browser/fontconfig/fonts.conf
+   ${INSTALL_DATA_DIR} ${BROWSER_DIR}/browser/fonts
+   cp ${WRKDIR}/tor-browser_en-US/Browser/fonts/* 
${BROWSER_DIR}/browser/fonts
+
+   # install wrapper script (remove symlink first)
+   rm ${PREFIX}/bin/${BROWSER_NAME}
+   ${SUBST_PROGRAM} ${FILESDIR}/${BROWSER_NAME} \
+   ${PREFIX}/bin/${BROWSER_NAME}
 
 .include 
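
Review bot: The sed expression s,fonts,${BROWSER_DIR}/browser/fonts, in post-install is unanchored and rewrites the first occurrence of fonts on every line of fonts.conf, not only the directory entry, so it needs a pattern that matches just that element. It also expands ${BROWSER_DIR}, which is built from ${PREFIX}, while this same diff adds TRUEBROWSER_DIR from ${TRUEPREFIX}; the path written into the installed fonts.conf should use TRUEBROWSER_DIR, otherwise the staging prefix can end up in the packaged file.
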
Index: browser/distinfo
===
RCS file: /cvs/ports/www/tor-browser/browser/distinfo,v
retrieving revision 1.22
diff -u -p -r1.22 distinfo
--- browser/distinfo9 Apr 2020 21:15:29 -   1.22
+++ browser/distinfo10 Apr 2020 19:23:00 -
@@ -1,4 +1,6 @@
 SHA256
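
As an added example (not part of the original post or the port), a small Python check for the approach described in the message above, fontconfig restricted to the bundled fonts: it parses a fonts.conf and reports any font directory or include that would let fonts from outside the bundle in. The install path, the function name and the three sample configurations are assumptions constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Assumed install location of the bundled fonts (PREFIX=/usr/local assumed).
BUNDLE = "/usr/local/lib/tor-browser/browser/fonts"

# Constructed fonts.conf samples, not copied from any release.
RELATIVE = """<fontconfig>
  <dir prefix="cwd">fonts</dir>
  <include ignore_missing="yes">/etc/fonts/conf.d</include>
</fontconfig>"""
PINNED = f"<fontconfig><dir>{BUNDLE}</dir></fontconfig>"
STAGED = f"<fontconfig><dir>/tmp/fake{BUNDLE}</dir></fontconfig>"


def audit_fonts_conf(xml_text, bundle_dir):
    """Return findings; an empty list means fonts come only from bundle_dir."""
    root = ET.fromstring(xml_text)
    bundle = posixpath.normpath(bundle_dir)
    findings = []
    dirs = list(root.iter("dir"))
    if not dirs:
        findings.append("no <dir>: bundled font directory is not configured")
    for d in dirs:
        path = (d.text or "").strip()
        prefix = d.get("prefix")
        if prefix is not None:
            # A prefix (cwd, xdg, ...) is resolved when the browser starts,
            # so the directory depends on how the browser was launched.
            findings.append(f"<dir prefix={prefix!r}> {path}: resolved at run time")
        elif not posixpath.isabs(path):
            findings.append(f"<dir> {path}: not an absolute path")
        else:
            norm = posixpath.normpath(path)
            if norm != bundle and not norm.startswith(bundle + "/"):
                findings.append(f"<dir> {path}: outside {bundle}")
    for inc in root.iter("include"):
        target = (inc.text or "").strip()
        findings.append(f"<include> {target}: loads configuration from elsewhere")
    return findings


if __name__ == "__main__":
    for name, conf in (("relative", RELATIVE), ("pinned", PINNED), ("staged", STAGED)):
        print(name, audit_fonts_conf(conf, BUNDLE) or "ok")
```

Run against the fonts.conf in the built package, an empty result means the file names only the bundled directory; the staged sample shows how a build-time prefix left in the file is caught.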