Discussion (61 Comments)

lpapez about 2 hours ago
Very cool research and wonderfully written.

I was expecting an ad for their product somewhere towards the end, but it wasn't there!

I do wonder though: why would this company report this vulnerability to Mozilla if their product is fingerprinting?

Isn't it better for the business (albeit unethical) to keep the vulnerability private, to differentiate from the competitors? For example, I don't see many threat actors burning their zero days through responsible disclosure!

valve1 about 2 hours ago
We don't use vulnerabilities in our products.
mtlynch about 2 hours ago
I don't understand what you mean. What separates this from other fingerprinting techniques your company monetizes?

No software wants to be fingerprinted. If it did, it would offer an API with a stable identifier. All fingerprinting is exploiting unintended behavior of the target software or hardware.

giancarlostoro about 2 hours ago
It makes sense to me, they're likely not trying to actually fingerprint Tor users. Those users will likely ignore ads, have JS disabled, etc. The real audience is people on the web using normal tooling.
sodality2 about 1 hour ago
Side channels that enable intended behavior, versus a flat-out bug like the above, though the line can often be muddied by perspective.

An example that comes to mind that I've seen is an anonymous app that allows for blocking users; you can programmatically block users, query all posts, and diff the sets to identify stable identities. However, the ability to block users is desired by the app developers; they just may not have intended this behavior, but there's no immediate solution to this. This is different than 'user_id' simply being returned in the API for no reason, which is a vulnerability. Then there's maybe a case of the user_id being returned in the API for some reason that MIGHT be important too, but that could be implemented another way more sensibly; this leans more towards vulnerability.

Ultimately most fingerprinting technologies use features that are intended behavior; Canvas/font rendering is useful for some web features (and the web target means you have to support a LOT of use cases), IP address/cookies/useragent obviously are useful, etc (though there's some case to be made about Google's pushing for these features as an advertising company!).

subscribed 44 minutes ago
Iffy vs grossly unethical.
NoahZuniga about 1 hour ago
The real reason is that fingerprint.com's selling point is tracking over longer periods (months, their website claims), and this doesn't help them with that.
lyu07282 about 2 hours ago
So it's the criminal that convinced themselves they are the good guys, I didn't expect that one. You are a malware company get a grip.
celsoazevedo about 1 hour ago
Would you prefer that they kept this for themselves instead of disclosing it?

I get criticizing their business and what they do wrong, but doesn't seem right to criticize them for doing the right thing.

hrimfaxi about 2 hours ago
They probably are not relying on it and disclosure means others can't either.
firefax 19 minutes ago
The OP's link is timing out over Tor for me, but the Wayback[1] version loaded without issue.

Also, does anyone know of any researchers in the academic world focusing on this issue? We are aware that EFF has a project that used to be named after a pedophile on this subject, but we are more looking for professors at universities or pure research labs ala MSR or PARC than activists working for NGOs, however pure their praxis :-)

As privacy geeks, we have become fascinated with the topic -- it seems that while we can achieve security through extensions like noscript or ublock origin or firefox containers (our personal "holy trinity"), anonymity slips through our fingers due to fingerprinting issues. (Especially if we lump stylometry in the big bucket of "fingerprinting".)

[1] https://web.archive.org/web/20260422190706/https://fingerpri...

SirMaster about 1 hour ago
I question why websites can even access all this info without asking or notifying the user.

Why don't browsers make it like phones where the server (app) has to be granted permission to access stuff?

t-3 43 minutes ago
The most popular browser is made by an ad company. They also provide the majority of funding for their biggest competitor. Why would you expect anything different?
Barbing 38 minutes ago
>Why don't browsers make it like phones where the server (app) has to be granted permission to access stuff?

Like Android phones perhaps? Unfortunate Apple gives very little granular control.

subscribed 23 minutes ago
Hah. It's still better than apps.

Apps have access to inconceivable amounts of identifiers and device characteristics, even on the well protected systems without Google Play services.

kingstnap 37 minutes ago
I mean Google ain't paying for Chromium development just for the fun of it...
bawolff about 2 hours ago
From the sounds of this it sounds like it doesn't persist past browser restart? I think that would significantly reduce the usefulness to attackers.
piccirello about 1 hour ago
This excerpt from the article describes the risk well.

> In Firefox Private Browsing mode, the identifier can also persist after all private windows are closed, as long as the Firefox process remains running. In Tor Browser, the stable identifier persists even through the "New Identity" feature, which is designed to be a full reset that clears cookies and browser history and uses new Tor circuits.

warkdarrior about 1 hour ago
This is where you use id bridging.

1. Website fingerprints the browser, stores a cookie with an ID and a fingerprint.

2. During the next session, it fingerprints again and compares with the cookie. If fingerprint changed, notify server about old and new fingerprint.

mmooss about 1 hour ago
Many users leave their browsers open for months.
shevy-java about 2 hours ago
Would it though? I guess state agencies already know all nodes or may know all nodes. When you have a ton of meta-information all cross-linked, they can probably identify people quite accurately; may not even need 100% accuracy at all times and could do with less. I was thinking about that when they used information from any surrounding area or even sniffing through walls (I think? I don't quite recall the article but wasn't there an article like that in the last 3-5 years? The idea is to amass as much information as possible, even if it may not primarily have to do with solely the target user alone; e.g. I would call it "identify via proxy information").
Barbing 35 minutes ago
> I guess state agencies already know all nodes or may know all nodes.

Assume the same.

>The idea is to amass as much information as possible

Reminded, from 2012: https://www.wired.com/2012/03/ff-nsadatacenter/

Meneth about 1 hour ago
I'm confused.

The IndexedDB UUID is "shared across all origins", so why not use the contents of the database to identify browsers, rather than the ordering?

nneonneo about 1 hour ago
There's an instructive example on the page. Suppose a page creates the databases `a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p`, then queries their order. They might get, for example `g,c,p,a,l,f,n,d,j,b,o,h,e,m,i,k`, based on the global mapping of database names to UUIDs.

The key vulnerability here is that, for the lifetime of that Firefox process, any website that makes that set of databases is going to see the exact same output ordering, no matter what the contents of those databases are. That makes this a fingerprint: it's a stable, high-entropy identifier that persists across time, even if the contents of those databases are not preserved. It is shared even across origins (where the contents would not be), and preserved after website data is deleted -- all a website has to do to re-acquire the fingerprint is recreate the databases with the same names and observe their ordering.
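
The ordering leak described in the comment above, as a small model (an added example, not part of the original thread and not Firefox code). `BrowserProcess`, `listLeaky`, `listSorted` and the seeded generator are hypothetical names, and returning names in sorted order is shown as one possible mitigation, not as the actual patch.

```javascript
// Model of the ordering leak discussed above. Not Firefox code: every name
// here is hypothetical, and a seeded PRNG stands in for per-process UUIDs.
function seededRandom(seed) {            // mulberry32, deterministic for the demo
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

class BrowserProcess {
  constructor(seed) {
    this.rand = seededRandom(seed);
    this.nameToKey = new Map();   // process-wide: shared by all origins
    this.byOrigin = new Map();    // origin -> Set of database names
  }
  open(origin, name) {
    if (!this.nameToKey.has(name)) this.nameToKey.set(name, this.rand());
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Set());
    this.byOrigin.get(origin).add(name);
  }
  clearSiteData(origin) {         // contents go away, the name->key map stays
    this.byOrigin.delete(origin);
  }
  listLeaky(origin) {             // order follows the hidden per-process keys
    const names = [...(this.byOrigin.get(origin) || [])];
    return names.sort((x, y) => this.nameToKey.get(x) - this.nameToKey.get(y));
  }
  listSorted(origin) {            // mitigation: order depends on names only
    return [...(this.byOrigin.get(origin) || [])].sort();
  }
}

// Upper bound on what one ordering of n names can encode: log2(n!) bits.
function permutationBits(n) {
  let bits = 0;
  for (let k = 2; k <= n; k++) bits += Math.log2(k);
  return bits;
}

const NAMES = 'abcdefghijklmnop'.split('');   // the 16 names from the comment
function observe(proc, origin, names = NAMES) {
  names.forEach((n) => proc.open(origin, n));
  return { leaky: proc.listLeaky(origin).join(','),
           sorted: proc.listSorted(origin).join(',') };
}
```

For the 16 names in the comment, `permutationBits(16)` is about 44 bits, which is why one observed ordering is enough to single out a running browser process, while the sorted listing carries none.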

lxgr about 1 hour ago
The content is obviously scoped to an origin, or IndexedDB would be a trivial evercookie.
AgentME about 1 hour ago
It's the mapping of UUIDs to databases that is shared across origins in the browser. Only the subset of databases associated with an origin are exposed to that origin.
sva_ about 2 hours ago
Does Tor Browser still allow JavaScript by default? Because if you block execution of JavaScript, you won't be affected from what I understand.
ranger_danger about 2 hours ago
Disabling JavaScript actually greatly increases your fingerprint as not many users turn it off, so that instantly puts you in a much smaller bucket that you need to be unique in. Yes, not having JS means it limits your options for gathering other details, but it also requires much less effort to be unique now without JS.

Tor Browser also doesn't spoof navigator.platform at all for some reason, so sites can still see when you use Linux, even if the User-Agent is spoofing Windows.

Springtime about 2 hours ago
> Disabling JavaScript actually greatly increases your fingerprint as not many users turn it off, so that instantly puts you in a much smaller bucket that you need to be unique in.

I've heard a handful of people say this but are there examples of what I would imagine would have to be server-side fingerprinting and the granularity? Since most fingerprinting I'm aware of is client-side, running via JS. While I expect server-side checks to be limited to things like which resources haven't been loaded by a particular user and anything else normally available via server logs either way, which could limit the pool but I wonder how effective in terms of tracking uniqueness across sites.

throwawayqqq11 about 2 hours ago
I have my problems with that argument. Yes, less identifying bits means a smaller bucket but for the trackers, it also means more uncertainty, doesn't it? So when just a few others without JS join your bucket e.g. via a VPN, profiling should become harder.
hypeatei about 1 hour ago
> increases your fingerprint as not many users turn it off

We're talking about users of the Tor browser, and I'd be very surprised if this was the case (that a majority keep JS turned on)

Basically every Tor guide (heh) tells you to turn it off because it's a huge vector for all types of attacks. Most onion sites have captcha systems that work without JS too which would indicate that they expect a majority to have it disabled.

codedokode about 1 hour ago
Honestly it seems that most of Web Standards are used mostly for fingerprinting - I think a small number of websites uses IndexedDB (who even needs it) for actually storing data rather than fingerprinting.

That's why expansion of web standards is wrong. Browser should provide minimal APIs for interacting with device and features like IndexedDB can be implemented as WebAssembly library, leaking no valuable data.

For example, if canvas provided only access to picture buffer, and no drawing routines calling into platform-specific libraries, it would become useless for fingerprinting.

Dwedit 40 minutes ago
You can use a browser extension like "Local Storage Editor" to see the contents of the Local Storage of a website. So far, I've seen it used for caching long-life images (like on gmail), or used as another way to do logins instead of cookies.
crazysim about 2 hours ago
I would imagine most users of Tor are using Tor Browser. I am reading there was a responsible disclosure to Mozilla but is it me or did that section leave out when the Tor Project planned to respond or release a fixed Tor Browser? Do they like keep very close or is there a large lag?
flotzam about 2 hours ago
Tor Browser is always quick to rebase on the latest Firefox ESR. They released an update the next day:

https://blog.torproject.org/new-release-tor-browser-15010/

anthk about 1 hour ago
The best for Tor would just be Links2/Links+ with the socks4a proxy set to 127.0.0.1:9050, enforcing all connection thru a proxy in the settings (mark the checkbox) and disabling cookies altogether.
sixothree about 1 hour ago
Would whonix fit that bill?
fsflover about 2 hours ago
It seems Qubes OS and Qubes-Whonix are not affected.
hrimfaxi about 2 hours ago
How so? If you kept a disposable VM open and just created new identities in tor browser, how does Qubes mitigate the threat here?
fsflover about 2 hours ago
On Qubes, you do not create a new identity in the same VM. This would go against the Qubes approach to security/privacy. Using separate VMs for independent tasks is the whole point of using Qubes.
2ndorderthought about 2 hours ago
In the last ten years has qubes moved on to support more hardware? Every 4 years I would try to use it only to find it didn't support any of my hardware.
handedness 30 minutes ago
Qubes OS hardware support, while still far from perfect, is vastly better than it was ten years ago.

Joanna Rutkowska's understandable preference for older kernels had its advantages, but the current team is much more likely to ship somewhat newer kernels and I've been surprised by what hardware 4.3 has worked well on.

Beyond that, I'm currently running a kernel from late Feb/early Mar (6.19.5).

Driver support can still be an issue, and a Wi-Fi card that doesn't play nice with Linux in general is going to be no different on Qubes OS.

Aachen about 1 hour ago
We buy off the shelf laptops, not sure anyone ever checked that it can run Qubes specifically before trying to install it (I'm sure of at least one person: myself). Doesn't just about any x64 machine with hardware where drivers are available in standard kernels also work with Qubes? What have you bought that's not supported?
fsflover about 1 hour ago
Actually, it should work indeed, unless it lacks some Linux drivers or VT-d.
hrimfaxi about 1 hour ago
No problems on framework laptop that I've run into at least.
orbital-decay about 1 hour ago
Most hardware (especially GPUs) is hard to virtualize in a secure manner, which is the entire point of Qubes. People who use it typically buy compatible hardware.
fsflover about 1 hour ago
I would expect that most Qubes users (including myself) do not virtualize GPUs and use the CPU to render graphics outside of dom0.
fsflover about 1 hour ago
Tested hardware can be found here https://qubes-os.org/hcl. New hardware is being constantly added. If you plan to switch to Qubes, consider buying something from that list or, better, certified, or community-recommended hardware linked there.
ranger_danger about 2 hours ago
Source?
fsflover about 2 hours ago
Different VMs result in different identifiers.
LoganDark about 1 hour ago
> For developers, this is a useful reminder that privacy bugs do not always come from direct access to identifying data. Sometimes they come from deterministic exposure of internal implementation details.

> For security and product stakeholders, the key point is simple: even an API that appears harmless can become a cross-site tracking vector if it leaks stable process-level state.

This reads almost LLM-ish. The article on the whole does not appear so, but parts of it do.

shevy-java about 2 hours ago
Well that sucks. I guess in the long run we need a new engine and different approach. Someone should call the OpenBSD guys to come up with working ideas here.
giancarlostoro about 2 hours ago
> Mozilla has quickly released the fix in Firefox 150 and ESR 140.10.0, and the patch is tracked in Mozilla Bug 2024220.

Did you even read the article at all? Ah my children did bad in school, time to replace them with new children and a different spouse. This is what you're suggesting essentially. A browser is not just something you simply make out of thin air. There's decades of nuance to browser engines, and I'm only thinking of the HTML nuances, not the CSS or JS nuances.

anthk about 1 hour ago
Given the dangers of JS and WASM they could just fork Netsurf and enhance the CSS3 support. If you are a journalist, running Tor with JS and tons of modern web tech enabled makes you a bright white spot in a sea of darkness.
fsflover about 1 hour ago
Here you go: https://qubes-os.org.
Barbing 29 minutes ago
>Why Qubes OS?

>Physical isolation is a given safeguard that the digital world lacks

>In our digital lives, the situation is quite different: All of our activities typically happen on a single device. This causes us to worry about whether it’s safe to click on a link or install an app, since being hacked imperils our entire digital existence.

>Qubes eliminates this concern by allowing us to divide a device into many compartments, much as we divide a physical building into many rooms. …

Sold

https://doc.qubes-os.org/en/latest/introduction/intro.html