New ways to fingerprint Tor Browser users discovered

Users who want to remain anonymous online often opt for using the Tor Browser, which hides their real IP address, but there are techniques that (more or less) malicious actors can used to identify them.

Tor Browser

Browser and system fingerprinting are two of them. And while the Tor Project has already implemented a number of countermeasures against different fingerprinting methods, newer ones are popping up every now and then.

The latest ones have been demonstrated by security researcher Jose Carlos Norte.

He created proof-of-concept JavaScript code that can be inserted into the source code of a website to extract information about how users interact with their computer, their hardware, the computing power and memory speed of their computer, and so on.

This code allowed him to:

  • Extract information leaked by the mouse wheel event in Tor Browser – things like mouse scroll speed (which is dependent on the OS configuration the computer’s hardware), number of scrolls the user made, and the mouse wheel delta value.
  • To see how long it takes for the user’s computer to execute a CPU intensive script (different results for differen computers)
  • Extract information leaked by the getClientRects method, which returns a collection of rectangles that indicate the borders for each DOM element in a client. “Depending on the resolution, font configuration and lots of other factors, the results of getClientRects are different, allowing for a very quick and easy fingerprinting vector, even better than the canvas fingerprinting that is fixed,” Norte pointed out.

The script manages to collect this information because Norte found a way to bypass the protection of the Date.getTime() method, which prevents measuring of events happening under 100ms.

“If a website is able to generate a unique fingerprint that identifies each user that enters the page, then it is possible to track the activity of this user in time, for example, correlate visits of the user during an entire year, knowing that its the same user,” Norte explains.

“Or even worse, it could be possible to identify the user if the fingerprint is the same in tor browser and in the normal browser used to browse internet. It is very important for the tor browser to prevent any attempt on fingerprinting the user.”

Here is an example of how the “fingerprint” of different users using the same Tor browser version but different computers can differ:

browser fingerprint

Whether this fingerprinting method can ultimately lead to the unmasking of Tor users or not is debatable, but it’s good to know that security researchers are probing the defenses of such crucial software, because we can be sure malicious users do so constantly.

Norte hopes that his research will spur Tor developers to find a solution to this problem. Apparently, it already has.

In the meantime, in this particular case, users can protect themselves by simply disabling JavaScript on the Tor Browser (it is currently enabled by default).