For many users, Tor is the online version of a scapegoat, as it is religiously used to hide one’s sins. In other words, Tor (an acronym for The Onion Router, the project’s original name) is widely accepted as anonymous and comes in handy whenever a user needs to conceal their location from network surveillance and traffic analysis.
Tor is used for variety of purposes by any person who wishes to remain ‘unseen’.
Unfortunately, as disclosed by independent security researcher Jose Carlos Norte, Tor users can be fingerprinted. This means that Tor users can be de-anonymized whenever law enforcement entities decide.
What Is User Fingerprinting?
Much like device fingerprinting, user fingerprinting is information collected about the user for the purpose of identification.
User fingerprinting illustrates the ways of tracking various operations and details about the user’s online demeanor. The Tor browser should provide protection against tracking to keep the user’s identity from being exposed.
As pointed out by Norte, fingerprinting is specifically threatening to the Tor user since data stored while he surfs the Web (through Tor) can be later compared to data taken from the user’s regular browser. This is what the researcher says:
One common problem that tor browser tries to address is user fingerprinting. If a website is able to generate a unique fingerprint that identifies each user that enters the page, then it is possible to track the activity of this user in time, for example, correlate visits of the user during an entire year, knowing that its the same user. Or even worse, it could be possible to identify the user if the fingerprint is the same in tor browser and in the normal browser used to browse internet. It is very important for the tor browser to prevent any attempt on fingerprinting the user.
Fortunately, the data typically logged in fingerprinting models is not absolutely reliable. Unfortunately, it still can be used for legal investigation.
How Can Tor Users Be Fingerprinted?
- The mouse speed fingerprinting method
One of the most curious aspects of Norte’s discoveries on the Tor browser’s anonymity concerns mouse movements. In particular, the speed of mouse scrolling through a website via the website wheel. He named it ‘mouse speed fingerprinting’:
Furthermore, fingerprinting becomes more accurate when the user is using a trackpad to navigate through a page.
- The CPU-intensive JS method
With the improved accuracy on time provided by the setInterval inside the WebWorker, it is easy to create a CPU intensive script (or even memory intensive) and measure how long it takes for the user browser to execute it.
Tor or no Tor, fingerprinting users through their browsers turns out to be quite an easy job.