Usually, PC users who want to remain anonymous online use Tor Browser. However, despite the fact that this browser hides users’ IP addresses, cyber criminals have found some methods to identify them.
Two of these methods are called browser and system fingerprinting. And while the Tor Project has already implemented lots of countermeasures against different fingerprinting methods, newer ones are coming out all the time. The latest ones have been demonstrated by security researcher Jose Carlos Norte.
Norte created proof-of-concept JavaScript code which can be inserted into the source code of a website to extract information about how users interact with their PC, their hardware, the computing power and memory speed of their virtual machine, etc.
This code allowed him to:
- Extract information leaked by the mouse wheel event in Tor Browser – things like mouse scroll speed (which is dependent on the OS configuration the computer’s hardware), number of scrolls the user made, and the mouse wheel delta value.
- To see how long it takes for the user’s computer to execute a CPU intensive script (different results for differen computers).
- Extract information leaked by the getClientRects method, which returns a collection of rectangles that indicate the borders for each DOM element in a client.
“Depending on the resolution, font configuration and lots of other factors, the results of getClientRects are different, allowing for a very quick and easy fingerprinting vector, even better than the canvas fingerprinting that is fixed,” Norte said.
The script is able to collect this information due to the fact that Norte found a way to bypass the protection of the Date.getTime() method, which prevents measuring of events happening under 100ms.
“If a website is able to generate a unique fingerprint that identifies each user that enters the page, then it is possible to track the activity of this user in time, for example, correlate visits of the user during an entire year, knowing that its the same user,” Norte stated.
“Or even worse, it could be possible to identify the user if the fingerprint is the same in tor browser and in the normal browser used to browse internet. It is very important for the tor browser to prevent any attempt on fingerprinting the user.”
It is still discussable if the fingerprinting method can lead to revealing the identities of Tor users or not, though it’s good to know that security experts are probing the defenses of such crucial software.
Jose Carlos Norte hopes that his research will help Tor developers to solve this problem. What is more interesting though, is that it seem that it already has.
Meanwhile, users can protect themselves by disabling JavaScript on the Tor Browser.
