Dr. Neal Krawetz, self-proclaimed security specialist and forensic researcher, took to his personal blog to publicize three low-level vulnerabilities in the Tor browser bundle. Upon first read of that sentence, one might wonder why Dr. Krawetz used his personal blog instead of the proper channels. That, it seemed, was a majorly frustrating element for the researcher: that “official” channels rarely elicited a response at all.

Based on his post that summarized three vulnerabilities in the Tor browser, one might consider lack of communication between the Tor Project and (at least in this case) security researchers a vulnerability of its own. A quick read of some of his posts revealed that the researcher had a complicated relationship with the Tor project and the Tor Browser itself. But, it also showed that he was not in experienced in the world of anonymity and privacy on the internet. Despite some of the fundamental differences between his blog, The Hacker Factor (Blog) and DeepDotWeb, Dr. Krawetz raised concerns that were undeniably relevant to any Tor user.

Here, he explained the difficulties he faced when he attempted contact with anyone (other than the official Twitter account users) at the Tor Project.

Over the last few years, I’ve tried to report some of these profiling methods (and solutions) to the Tor Project, but each time has resulted in failure. Often, my attempts to report a vulnerability or profiling risk has been met with silence. However, I’ll take silence over intentional ignorance. For example, exposing a risk on the TOR channel on Reddit often ends with people attempting to explain to me how a risk isn’t a risk. Here’s a helpful hint: if I can identify anything about you — beyond “you’re using the TOR browser”, then it’s a risk to your privacy. Any information disclosure defeats the purpose of trying to look like everyone else.”

The privacy concerns outlined by Dr. Krawetz fell under the “fingerprinting” section of de-anonymity. A brief explanation: the Tor browser, first and foremost, protects an IP address from being used (against you) as an identifying measure. Everybody using Tor should look the same as someone else using Tor. More on that in our Security Tutorials. Fingerprinting, if you will, usually translates into a seemingly non-critical data leak that, over time, can single out a user amongst hordes of others—even if they all look the same. Even Mozilla worked on Tor-like fingerprinting countermeasures in Firefox itself

Security enthusiast Jose Carlos Norte explained the term far better than I could:

One common problem that tor browser tries to address is user fingerprinting. If a website is able to generate a unique fingerprint that identifies each user that enters the page, then it is possible to track the activity of this user in time, for example, correlate visits of the user during an entire year, knowing that it’s the same user.” (Norte, 2016)

The first of the fingerprinting issues outlined by Dr. Krawetz was about window and screen size. Since computers and mobile devices come with screens of all sizes, the Tor browser reports a fake value: that the screen and window are the same size. If a window size and a screen size are the same, “JavaScript can immediately detect the TOR-Browser.”

Dr. Krawetz’s fix: make the Tor browser always report that the client uses a screen with a size larger than that of the open window.

The second problem, another screen issue, only impacted MacOS users. (Or mainly MacOS.) The browser sometimes incorrectly calculated the screen size and thus recalculated the standard window size—a consistent 1000×1000. “[I]f the screen is smaller than that, then it will choose a width that is a multiple of 200 pixels, and a height that is a multiple of 100 pixels.”

He explained that this issue was inconsistent but was “fixed” upon removal of the dock. And therefore, the researcher explained, the Tor browser revealed whether or not a user ran Tor on Mac OS.

Dr. Krawetz’s fix: correctly calculate the screen size.

And the third issue is with the scrollbar. Different operating systems use different width scrollbars. The Tor browser makes attempts to keep everybody looking the same with respect to the screen and/or window size. But, “if scrollbars are displayed, then the Viewport Size can be subtracted from the Window Size in order to find the thickness of the scrollbars.”

Thanks to his research, we know the specifics:

  • Tor on Mac OS uses 15 pixels of the window size.
  • Tor on modern Windows uses 17 pixels.
  • Tor on Linux allows an even more specific identification. “The thickness depends on the Linux variant and desktop platform, like Gnome or KDE.” 10 pixels on Linux Mint with Gtk-3.0. 13 for Ubuntu 16.04 with Gnome.
  • And unofficial Tor browsers for mobile use zero pixels.

Dr. Krawetz’s fix: instead of pulling the true scrollbar value, have the Tor browser report a fake one. He suggested a value of 17 pixels—the size from the most prevalent operating system in existence, Windows.

For DeepDotWeb readers, the fix, not from Dr. Krawetz: turn off JavaScript.


Please enter your comment!
Please enter your name here

9 + 9 =