Spoofing Navigator API platform as Win64 when resisting fingerprinting is enabled

RESOLVED FIXED in Firefox 56

Status

P3
normal
RESOLVED FIXED
a year ago
3 months ago

People

(Reporter: simon.mainey, Assigned: ethan)

Tracking

(Blocks: 1 bug)

54 Branch
mozilla57
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox56 fixed, firefox57 fixed)

Details

(Whiteboard: [tor][fingerprinting][fp:m3][domsecurity-active])

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170628075643

Steps to reproduce:

Firefox 56+, enable privacy.resistFingerprinting and test various methods of obtaining platform



Actual results:

Firefox 56+, the spoofed value is 32bit (win32) - see bug 1333651


Expected results:

Starting with 56, Mozilla will start 32-bit to 64-bit

[1] https://wiki.mozilla.org/Firefox/Win64
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1274659

Keeping an eye on metrics ( https://metrics.mozilla.com/firefox-hardware-report/ ), change the spoofed version to 64bit (win64) including the useragent when 64bit becomes more than 50%

Attention Arthur Edelstein [:arthuredelstein], Tim Huang[:timhuang], Tor Uplift
Component: Untriaged → DOM: Security
Product: Firefox → Core
Ethan, can you triage this one please?
Flags: needinfo?(ettseng)
(Assignee)

Comment 2

a year ago
(In reply to Simon Mainey from comment #0)
> Expected results:
> Starting with 56, Mozilla will start 32-bit to 64-bit
> Keeping an eye on metrics (
> https://metrics.mozilla.com/firefox-hardware-report/ ), change the spoofed
> version to 64bit (win64) including the useragent when 64bit becomes more
> than 50%

This reason to spoof the value navigator.platform with 64-bit sounds fair to me.

Arthur and Tim, what would you think?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(tihuang)
Flags: needinfo?(ettseng)
Flags: needinfo?(arthuredelstein)
Priority: -- → P3
See Also: → bug 1333651
Whiteboard: [tor][fingerprinting]
LGTM
Flags: needinfo?(tihuang)
(Reporter)

Comment 4

a year ago
I would also say that if you are spoofing the FF version ("rounded to the **nearest** 10" - my emphasis, straight from code comments - see https://reviewboard.mozilla.org/r/147474/diff/4#index_header ), then a FF60 32bit (in reality a FF56) looks ridiculous on the face of it, so I would even say this could land in FF56 - then again a FF60 looks strange as well right now.
(Assignee)

Comment 5

a year ago
Per discussion in a meeting, Arthur agreed to spoof the value as win64 instead of win32.
Flags: needinfo?(arthuredelstein)
(Assignee)

Updated

a year ago
Assignee: nobody → ettseng
Whiteboard: [tor][fingerprinting] → [tor][fingerprinting][fp:m3]
(Reporter)

Comment 6

a year ago
Ethan: would it also be possible to revisit the version number spoofing? Rounding to the nearest 10 will highlight users that have privacy.resistFingerprinting=true when it rounds up and the spoofed value isn't even available - as will happen with 56. (Also, what happens when it ends in a 5 currently, does this become e.g. 50 or 60? I am aware this does not land until 56, just posing the question.)

Would it not be better to code for
If version ends in 1 to 7, round down
If version ends in 8 or 9, round up
If version ends in zero, do nothing
(Reporter)

Comment 7

a year ago
On second thoughts, that doesn't cover those on Beta or Nightly. I know the idea is to make the subset of users with privacy.resistFingerprinting=true identical, and in this regard we could put anything. But why make this value stand out? Maybe it is better to **always** round DOWN.
(Assignee)

Comment 8

a year ago
(In reply to Simon Mainey from comment #4)
> I would also say that if you are spoofing the FF version ("rounded to the
> **nearest** 10" - my emphasis, straight from code comments - see
> https://reviewboard.mozilla.org/r/147474/diff/4#index_header ), then a FF60
> 32bit (in reality a FF56) looks ridiculous on the face of it, so I would
> even say this could land in FF56 - then again a FF60 looks strange as well
> right now.

Hi Simon,

Thank you for bringing up this issue.
The commit message and code comments are not accurate.
According to the real code,
http://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpHandler.cpp#463
the spoofed value of Firefox version is always rounded down.

On Firefox 57, the spoofed value is "Firefox/50.0".

We should only update the code comments in this case.  :)
(Assignee)

Updated

a year ago
Blocks: 1329996
Whiteboard: [tor][fingerprinting][fp:m3] → [tor][fingerprinting][fp:m3][domsecurity-backlog1]
(Assignee)

Updated

a year ago
Whiteboard: [tor][fingerprinting][fp:m3][domsecurity-backlog1] → [tor][fingerprinting][fp:m3][domsecurity-active]
(Assignee)

Comment 9

a year ago
Created attachment 8895658 [details] [diff] [review]
Bug 1383495 - Spoof navigator.platform as win64 when resisting fingerprinting is enabled

1. Change the spoofed version from "Win32" to "Win64".
2. Correct the code comment about the spoofed version.
Attachment #8895658 - Flags: review?(ehsan)
(Assignee)

Comment 10

a year ago
Hi Ehsan,
This is a minor change. Could you please review it?
Flags: needinfo?(ehsan)
(Assignee)

Updated

a year ago
Status: NEW → ASSIGNED

Comment 11

a year ago
(In reply to Ethan Tseng [:ethan] from comment #10)
> Hi Ehsan,
> This is a minor change. Could you please review it?

Sure.  :-)  No need to needinfo BTW, setting the review flag is enough.
Flags: needinfo?(ehsan)

Comment 12

a year ago
Comment on attachment 8895658 [details] [diff] [review]
Bug 1383495 - Spoof navigator.platform as win64 when resisting fingerprinting is enabled

Review of attachment 8895658 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!  It would be nice to uplift this into 56 if possible.  Do you mind nominating this for beta approval please?  It's pretty low risk so I hope the release managers will approve it.
Attachment #8895658 - Flags: review?(ehsan) → review+
(Assignee)

Comment 13

a year ago
(In reply to :Ehsan Akhgari (needinfo please, extremely long backlog) from comment #12)
> Thanks!  It would be nice to uplift this into 56 if possible.  Do you mind
> nominating this for beta approval please?  It's pretty low risk so I hope
> the release managers will approve it.

Sure!  I will nominate it after it's landed in central.
Thank you, Ehsan.
(Reporter)

Comment 14

a year ago
"The browser version will be rounded down to the multiple of 10"

Sounds a bit weird to me, can we change "the" to "a"

"The browser version will be rounded down to a multiple of 10"
(Assignee)

Comment 15

a year ago
(In reply to Simon Mainey from comment #14)
> "The browser version will be rounded down to the multiple of 10"
> Sounds a bit weird to me, can we change "the" to "a"
> "The browser version will be rounded down to a multiple of 10"

You are right. I'll fix it. Thanks!
(Assignee)

Comment 16

a year ago
Created attachment 8896179 [details] [diff] [review]
Spoofing Navigator API platform as win64 when resisting fingerprinting is enabled

1. Update commit message "r=Ehsan".
2. Fix a grammar error based on comment 14.
Attachment #8895658 - Attachment is obsolete: true
Attachment #8896179 - Flags: review+
(Assignee)

Updated

a year ago
Keywords: checkin-needed

Comment 18

a year ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5451feeb0448
Spoof Navigator API platform as win64 when resisting fingerprinting is enabled. r=ehsan
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/5451feeb0448
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
(Assignee)

Updated

a year ago
Summary: [tor][fingerprinting] Spoofing Navigator API platform as `win64` when resisting fingerprinting is enabled → [tor][fingerprinting] Spoofing Navigator API platform as Win64 when resisting fingerprinting is enabled
(Assignee)

Comment 20

a year ago
Comment on attachment 8896179 [details] [diff] [review]
Spoofing Navigator API platform as win64 when resisting fingerprinting is enabled

Approval Request Comment
[Feature/Bug causing the regression]: N/A
[User impact if declined]: The spoofed value of platform would not be convincing
[Is this code covered by automated tests?]: Yes
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: N/A
[Is the change risky?]: No
[Why is the change risky/not risky?]: Only two constant definitions were changed
[String changes made/needed]: N/A

Also, Ehsan suggested uplifting this to Beta. See comment 12.
Attachment #8896179 - Flags: approval-mozilla-beta?
status-firefox56: --- → affected
Comment on attachment 8896179 [details] [diff] [review]
Spoofing Navigator API platform as win64 when resisting fingerprinting is enabled

Fix a Spoofing Navigator API platform value. Beta56+. Should be in 56.0b3.
Attachment #8896179 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 22

a year ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/428d62670f7e
status-firefox56: affected → fixed
Flags: in-testsuite+
(Assignee)

Updated

a year ago
Summary: [tor][fingerprinting] Spoofing Navigator API platform as Win64 when resisting fingerprinting is enabled → Spoofing Navigator API platform as Win64 when resisting fingerprinting is enabled

Comment 23

a year ago
OSCPU should also be changed to 'Windows NT 6.1; Win64; x64', see http://browserspy.dk/showprop.php?navigator with and w/o resistFingerprinting on a Windows 7 x64 with Firefox x64
Flags: needinfo?(ettseng)
(Assignee)

Comment 24

a year ago
(In reply to Anna from comment #23)
> OSCPU should also be changed to 'Windows NT 6.1; Win64; x64', see
> http://browserspy.dk/showprop.php?navigator with and w/o
> resistFingerprinting on a Windows 7 x64 with Firefox x64

You are right. Thanks for pointing this out.
I will file a bug to change this.
Flags: needinfo?(ettseng)
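
Added example, not part of the bug thread and not Firefox code: the rounding rules debated in comments 6 to 8 and the platform/oscpu mismatch raised in comment 23, written as a coherence check for a spoofed profile. The sample profile, the function names and the rule that a string without `Win64` or `x64` counts as 32-bit are assumptions of this example.

```javascript
// Added example; the sample profile is constructed, not captured from Firefox.

// Candidate rules for the spoofed major version discussed in the thread.
const policies = {
  nearest10: v => Math.round(v / 10) * 10, // old comment wording; JS rounds x5 up
  // comment 6: ends in 1-7 round down, 8-9 round up, 0 unchanged
  proposed: v => (v % 10 >= 8 ? Math.ceil(v / 10) : Math.floor(v / 10)) * 10,
  roundDown: v => Math.floor(v / 10) * 10, // actual behaviour per comment 8
};

// Real versions in [from, to] whose spoofed value names a release newer than the real one.
function versionsSpoofedAhead(policy, from, to) {
  const ahead = [];
  for (let v = from; v <= to; v++) {
    if (policy(v) > v) ahead.push(v);
  }
  return ahead;
}

// Assumption: a 64-bit Windows string carries "Win64" or "x64"; anything else is 32-bit.
const bitness = s => (/Win64|x64/.test(s) ? 64 : 32);

// Report where a spoofed navigator profile contradicts itself.
function profileIssues({ realMajor, userAgent, platform, oscpu }) {
  const issues = [];
  const m = /Firefox\/(\d+)/.exec(userAgent);
  if (m && Number(m[1]) > realMajor) issues.push("version-ahead-of-real");
  if (bitness(platform) !== bitness(userAgent)) issues.push("platform-vs-userAgent");
  if (bitness(platform) !== bitness(oscpu)) issues.push("platform-vs-oscpu");
  return issues;
}

// Constructed profile: platform already Win64, oscpu not yet updated (comment 23).
const afterPlatformFix = {
  realMajor: 57,
  userAgent: "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0",
  platform: "Win64",
  oscpu: "Windows NT 6.1",
};

console.log(versionsSpoofedAhead(policies.nearest10, 50, 59));
console.log(profileIssues(afterPlatformFix));
```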
(Assignee)

Updated

a year ago
See Also: → bug 1396468
Depends on: 1472618