Open Bug 1803941 Opened 2 years ago Updated 2 years ago

Fingerprinting through webaudio and clientrect

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Firefox 107
defect


UNCONFIRMED

People

(Reporter: violetvenomkiss666, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62
Firefox for Android

Steps to reproduce:

Actual results:

fingerprint still works well

Expected results:

randomize my data (no fingerprint)

or no data

Group: firefox-core-security → dom-core-security
Component: Untriaged → Privacy: Anti-Tracking
Product: Firefox → Core
Summary: resistfingerprint aint working → Fingerprinting through webaudio and clientrect

I'm pretty sure that this refers to privacy.resistFingerprinting which is an unsupported preference, so this doesn't need to be hidden.

WebAudio is a known issue (Tor Browser disables it, but RFP does not.)

Client Rectangles are another known issue, although TBH I kind of lost track of the underlying problem behind them. I'm pretty sure we have a bug on file though.

Group: dom-core-security

audio

  • Bug 1358149 + Bug 1760633
  • Bug 1658836 can be closed IMO as a dupe
  • Bug 1708593 can be closed IMO as WONTFIX, we do not want to disable the API with RFP as we have a workable solution and Tor want to enable it at some stage with webRTC, e.g. in Privacy Browser

RFP covers some webaudio, such as audioContext keys, which in turn actually reduces entropy in some wave tests. That said, the entropy in webaudio is almost the equivalency of platform, and the solution is to hook up fdlibm's sin, cos, tan and pow. It's not super high priority.


domrect

clientrects is one way to extract subpixel precision, which is a bigger overall issue to do with scaling, dpi, devicePixelRatio, zoom, layout.css.devPixelsPerPx, and other factors depending on what is being measured (fonts, elements, transforms, etc). Until we know what is equivalency (such as language/fonts) and how much entropy this causes, there is little point in breaking it.

--

so we can close this as a dupe

This is for an unsupported preference. Set the priority and severity accordingly.

Severity: -- → S3
Priority: -- → P3