Open Bug 1603332 Opened 5 years ago Updated 5 months ago

privacy.resistFingerprinting and -moz- colors

Categories

(Core :: Widget, defect, P3)

71 Branch

UNCONFIRMED

People

(Reporter: thorin, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fingerprinting][tor])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

See bug 1485266, which standardized all RFP users to return the same system colors.

But we didn't account for -moz-* values, such as -moz-ButtonDefault.

Actual results:

Different fingerprints based on device. I only compared my FF on Windows 7 to FF and TB on Android (and while the two Android tests were the same, the two OSes were different). Not sure if the entropy is only limited by OS, or other factors such as system themes, desktop environments etc. I haven't gone down that rabbit hole yet.

Expected results:

Notes:

Component: Untriaged → GFX: Color Management
Product: Firefox → Core

Tom, please close as invalid if you're happy there's nothing to see here (I'm only 99% sure)

my Windows 7, vanilla profiles

  • without RFP
    • 49de5ccbfdfc76f551f9f1ff23ca46352b501043 : ESR60
    • d0e261da410a50d4491eaa530d7117b2a6bcd7a7 : FF ESR68, FF60-73
  • with RFP
    • 79b2d7db46565b0503169bc3b30897ef6eb8ec9b : ESR68, FF67-69, TB 8.5.5 (using stand-in for native colors), TB 9.*
    • 74825deab2c0f174bf3c1f2ae190598c1133ee9a : FF70-73
  • Android Firefox (with RFP) and TB (ESR68)
    • 79b2d7db46565b0503169bc3b30897ef6eb8ec9b = matches ESR68 Windows desktop

Observations

  • since flipping RFP (or stand-ins for native colors) changes the fingerprint, some or all of these -moz- colors are already covered
  • with RFP/stand-ins, there are changes starting on 70. My best guess is something got deprecated? Same with why ESR60 is different from FF60, something got backported during the ESR cycle?
  • between my Windows and Android there wasn't a difference
  • so I guess this is a false alarm, right? i.e. I can't see entropy on the same version across platforms (limited platform tests)

Note: I did each test in a new tab when flipping RFP

  • Here is my Windows 7, FF71 showing 4 different results
  • RFP off, load test page = d0e261da410a50d4491eaa530d7117b2a6bcd7a7 = correct
  • turn RFP on, refresh (F5 or even ctrl-F5) = 79b2d7db46565b0503169bc3b30897ef6eb8ec9b = wrong
  • leave RFP on, use a new tab (tab2), load test = 74825deab2c0f174bf3c1f2ae190598c1133ee9a = correct
  • turn RFP off, stay on tab2, refresh (F5 or ctrl-F5) = 48465e7b3044a7dfa8d030fedded817ffe5444f3 = wrong

Seems weird that the tab seems to cache some values but not others.

Flags: needinfo?(tom)
Type: enhancement → defect
Whiteboard: [fingerprinting][tor]

The standins stuff does handle -moz-ButtonDefault, fwiw: https://searchfox.org/mozilla-central/rev/62a130ba0ac80f75175e4b65536290b52391f116/widget/nsXPLookAndFeel.cpp#634

Not sure if it handles all the relevant ones but it looks like we'll never get to NativeGetColor when using standins: https://searchfox.org/mozilla-central/rev/62a130ba0ac80f75175e4b65536290b52391f116/widget/nsXPLookAndFeel.cpp#911

Also this should probably be in "CSS Parsing and Computation" or "Widget", the "GFX: Color Management" component is about this other kind of color management :)

There's something going on here. My FF71 with RFP reports 74825deab2c0f174bf3c1f2ae190598c1133ee9a, which seems inconsistent. Note this is not a vanilla profile (and I have a few tweaks, but nothing that should affect this AFAIK).

^^ sorry .. that is correct for FF70+ .. mixing my TB/ESR with stable+

Moving to Widget as per comment 3.

Component: GFX: Color Management → Widget
Flags: needinfo?(tom)

The priority flag is not set for this bug.
:jimm, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jmathies)

Anti-fingerprinting isn't a priority for us, but we welcome user contributions.

Flags: needinfo?(jmathies)
Priority: -- → P3

Following on from CSS4 system colors: I changed https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#css to split CSS4 system colors out and show the results under details.

Is LinkText an alias for a moz preset color? I get a different color with 76 nightly Android compared to Windows. The only other one that is different is VisitedText, but RFP covers that. RFP does not cover LinkText. All the other CSS4 system colors seem to be the same.
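
An added example, not part of the original bug thread or of TorZillaPrint: a single hash over all colors shows that two profiles differ but not which keyword is responsible, so this sketch compares results per keyword to isolate the ones RFP does not yet normalize. The function names, profile labels and sample values are assumptions made for this example.

```javascript
// Keywords named in the thread; extend with the full list under test.
const KEYWORDS = ["LinkText", "VisitedText", "-moz-ButtonDefault"];

// Browser-only: pass `document`. A keyword the parser rejects is "unsupported".
function collectColors(doc, keywords = KEYWORDS) {
  const probe = doc.createElement("div");
  doc.body.appendChild(probe);
  const out = {};
  for (const kw of keywords) {
    probe.style.color = "";
    probe.style.color = kw; // an invalid value is ignored, leaving ""
    out[kw] = probe.style.color
      ? doc.defaultView.getComputedStyle(probe).color : "unsupported";
  }
  probe.remove();
  return out;
}

// profiles: { label: { keyword: value } } -> keyword -> { value: [labels] }.
function groupByValue(profiles) {
  const keywords = new Set();
  for (const colors of Object.values(profiles)) {
    Object.keys(colors).forEach((kw) => keywords.add(kw));
  }
  const report = {};
  for (const kw of keywords) {
    const groups = {};
    for (const [label, colors] of Object.entries(profiles)) {
      // A keyword missing from a profile counts as "unsupported".
      const value = kw in colors ? colors[kw] : "unsupported";
      (groups[value] = groups[value] || []).push(label);
    }
    report[kw] = groups;
  }
  return report;
}

// Keywords that do not resolve to one identical value in every profile.
function varyingKeywords(profiles) {
  return Object.entries(groupByValue(profiles))
    .filter(([, groups]) => Object.keys(groups).length > 1)
    .map(([kw]) => kw)
    .sort();
}

// Constructed sample: placeholder values, not measurements from any browser.
const SAMPLE = {
  "profile-a-rfp": { LinkText: "rgb(1, 1, 1)", VisitedText: "rgb(2, 2, 2)", "-moz-ButtonDefault": "rgb(3, 3, 3)" },
  "profile-b-rfp": { LinkText: "rgb(9, 9, 9)", VisitedText: "rgb(2, 2, 2)" },
};
```

In a browser, build each profile entry with `collectColors(document)` and merge the results from the platforms being compared before calling `varyingKeywords`.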

Severity: normal → S3