subject:"\[tor\-bugs\] #13018 \[Applications\/Tor Browser\]\: Math routines are OS fingerprintable"

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2019-05-18 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting-os-version,   |  Actual Points:
  ff31-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by Thorin):

 I have done more testing, and improved the output in my test: including a
 red info if I haven't seen the hash before. I have now found that TB on
 Linux actually has more entropy than originally thought. After testing 5
 distros (a mix of flavors and architecture) I have 3 distinct Linux
 buckets (it's not enough to distinguish the actual platform, at least not
 in all cases, yet). I will be adding more distros to investigate further.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2019-04-22 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting-os-version,   |  Actual Points:
  ff31-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by Thorin):

 Replying to [comment:31 cypherpunks]:
 > Why isn't https://bugzilla.mozilla.org/show_bug.cgi?id=531915 added to
 RFP?

 Alrighty! I've been trying to re-find that ticket for quite a few weeks.
 Used it many months ago and promptly lost it. Thanks. I will pass on the
 ticket number to the Tor Uplift guys

 > it's possible to detect some distros such way

 Comment 18 was 5 years ago. So far, and my resources are limited (and as
 an upstream problem means more than Tor Browser, which already changes
 their math FP), I have found nothing so far that leaks anything more than
 major platform (win/linux/mac) and in some instances 32/64 bit builds or
 OS architecture (some by default: eg a 64 bit build must be on a 64bit
 OS).

 I wanted to get a ticket at bugzilla opened. I have no idea how much work
 or complexity and potential issues lie with using the same libraries over
 all platforms (which is what Chrome seems to be doing: they have the same
 FP regardless of anything I test on).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2019-04-21 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting-os-version,   |  Actual Points:
  ff31-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by cypherpunks):

 Replying to [comment:18 cypherpunks]:
 > > Detected platform for Tor Browser
 > For Linux it depends run-time environment (libm system library), it's
 possible to detect some distros such way.
 Why isn't https://bugzilla.mozilla.org/show_bug.cgi?id=531915 added to
 RFP?
 > Windows depends compile-time environment (mingw).
 
https://sourceforge.net/p/mingw-w64/mingw-w64/ci/c61763cc740f8f4986755eeafce832baa3655ee8/

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2019-04-16 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting-os-version,   |  Actual Points:
  ff31-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by Thorin):

 FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=1380031 (FF68+)
 introduced a change (over my head) that reduced some entropy (namely that
 of precision in the number of decimal places), but not enough to affect
 overall FP'ing of 32 vs 64 builds and platforms

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2019-03-20 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting-os-version,   |  Actual Points:
  ff31-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by cypherpunks):

 tom: could ff use standard cbrt() instead of awful custom implementation?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2019-03-20 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting-os-version,   |  Actual Points:
  ff31-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by tom):

 I was worried that we might be exposing hardware information via this.

 I compared the numbers I got on my x64 Nightly running on a Surface Go and
 got the same results as those of Thorin's Win7/Win10 x64 on x64 here:
 https://github.com/ghacksuserjs/TorZillaPrint/issues/30 .  I'm reasonably
 convinced this means that hardware is not a factor in these values, and it
 comes down to OS and related libraries.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2019-02-25 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting-os-version,   |  Actual Points:
  ff31-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by Thorin):

 * Attachment "cos-results.png" added.

 some more recent relevant results

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2019-02-25 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting-os-version,   |  Actual Points:
  ff31-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * cc: Thorin (added)


Comment:

 From #29566 (which I closed as duplicate):
 {{{

 **part2: math.cos Windows: FF vs TB**

 results: see attachment
 test: https://thorin-oakenpants.github.io/testing/ (for as long as I leave
 it there)

 I do not know if that ticket/patch causes this, but there is a difference
 between TB vs FF for no discernible reason (e.g Linux doesn't differ
 between FF and TB)

 Look at the first result. FF: `minus 0.374...` vs TB `plus 0.840...`

 **part3: math.cos reveals platform**

 finally, to the meat and potatoes. See attachment. I'm using math.cos
 because it always returns a value between -1 and 1 (i.e no NaN or
 Infinity). The following tests show that, so far, the last four values can
 be used to detect windows or Linux, and so far one Android major version
 (v5.*). I am fully expecting the first four value to betray other Android
 and macOS/macOS X. My testing is incomplete, but enough to prove os FP'ing
 }}}
 and
 {{{
 Thanks :) Yup, that was the ticket. Wow, 4 years. That ticket is about the
 functions added in FF25+ - e.g like those in
 https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#math -
 which doesn't **seem** to differ in 60+ anyway (those FF25+ functions
 probably need more testing I guess)

 Also note, that sin() can also have differences, I'm just not sure on
 which values over which platforms produce the desired results (and I could
 probably find more functions) - I'm sure the solution for this would fix
 any functions, so I'm not going to dig any further (except to show combos
 for mac and other android versions using cos)

 Edit: https://developer.mozilla.org/en-
 US/docs/Web/JavaScript/Reference/Global_Objects/Math#Browser_compatibility
 - `cos`, `sin` etc were FF version 1 compatible
 }}}

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2017-03-13 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting-os-version,   |  Actual Points:
  ff31-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by yawning):

 A few notes:

  * A quick check with the browser console gives me the impression that
 simple JS math expressions are evaluated with 64 bit intermediaries (as
 opposed to 80 bit).  I am uncertain about the JS JIT behavior.  `(1.0 +
 Number.EPSILON * 0.5) + Number.EPSILON * 0.5`)

  * Assuming calls are made to libm (or equivalent) blindly, the results on
 each system are library version and implementation dependent.  A
 particularly egregious example would be the output of `double sin(double
 x);` being flat out wrong for glibc < 2.19 for certain values.  MS's VC++
 runtime is less wrong for a different set of certain values, but is still
 wrong.  This probably applies to most transcendental functions.

  * Even if we fix the JS that calls into libm, higher level apis that just
 happen to do math are not guaranteed to give the correct results,
 depending on how the native code it's called into is written or built.  If
 we can assume that x87 is never used at all, then we'd still need to check
 for things like ` rsqrtss`.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2016-08-08 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting-os-version,   |  Actual Points:
  ff31-esr   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:  tbb-fingerprinting-os-version, tbb-easy, ff31-esr => tbb-
 fingerprinting-os-version, ff31-esr


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2016-05-30 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 Type:  defect   |  team
 Priority:  Medium   | Status:  new
Component:  Applications/Tor Browser |  Milestone:
 Severity:  Normal   |Version:
 Keywords:  tbb-fingerprinting-os-version, tbb-  | Resolution:
  easy, ff31-esr |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by mikeperry):

 This may also be the cause of the fingerprintability of the WebAudio stuff
 in #13017 (or at least part of that fingerprintability). See
 https://trac.torproject.org/projects/tor/ticket/13017#comment:27 for a
 useful test.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

2016-05-29 Thread Tor Bug Tracker & Wiki

#13018: Math routines are OS fingerprintable
-+-
 Reporter:  mikeperry|  Owner:  tbb-
 Type:  defect   |  team
 Priority:  Medium   | Status:  new
Component:  Applications/Tor Browser |  Milestone:
 Severity:  Normal   |Version:
 Keywords:  tbb-fingerprinting-os-version, tbb-  | Resolution:
  easy, ff31-esr |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by arthuredelstein):

 * severity:   => Normal


Comment:

 Here's a very interesting overview of sources of floating-point
 inconsistencies:
 https://randomascii.wordpress.com/2013/07/16/floating-point-determinism/

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

Re: [tor-bugs] #13018 [Applications/Tor Browser]: Math routines are OS fingerprintable

12 matches

Site Navigation

Mail list logo

Footer information