THREAT REMOVAL

Tor Browser Users Fingerprinting: Mission Possible

tor-browser-busted-user-fingerprinting
For many users, Tor is the online version of a scapegoat, as it is religiously used to hide one’s sins. In other words, Tor (an acronym for The Onion Router, the project’s original name) is widely accepted as anonymous and comes in handy whenever a user needs to conceal their location from network surveillance and traffic analysis.

Tor is used for variety of purposes by any person who wishes to remain ‘unseen’.

More Privacy Stories:
Truth and Advertising IRL
Incognito Mode Busted

Unfortunately, as disclosed by independent security researcher Jose Carlos Norte, Tor users can be fingerprinted. This means that Tor users can be de-anonymized whenever law enforcement entities decide.

What Is User Fingerprinting?

Much like device fingerprinting, user fingerprinting is information collected about the user for the purpose of identification.

User fingerprinting illustrates the ways of tracking various operations and details about the user’s online demeanor. The Tor browser should provide protection against tracking to keep the user’s identity from being exposed.

As pointed out by Norte, fingerprinting is specifically threatening to the Tor user since data stored while he surfs the Web (through Tor) can be later compared to data taken from the user’s regular browser. This is what the researcher says:

One common problem that tor browser tries to address is user fingerprinting. If a website is able to generate a unique fingerprint that identifies each user that enters the page, then it is possible to track the activity of this user in time, for example, correlate visits of the user during an entire year, knowing that its the same user. Or even worse, it could be possible to identify the user if the fingerprint is the same in tor browser and in the normal browser used to browse internet. It is very important for the tor browser to prevent any attempt on fingerprinting the user.

Fortunately, the data typically logged in fingerprinting models is not absolutely reliable. Unfortunately, it still can be used for legal investigation.

How Can Tor Users Be Fingerprinted?

  • The mouse speed fingerprinting method

One of the most curious aspects of Norte’s discoveries on the Tor browser’s anonymity concerns mouse movements. In particular, the speed of mouse scrolling through a website via the website wheel. He named it ‘mouse speed fingerprinting’:

Since the speed of the mouse is controlled by the operating system and related to hardware, and can be read using javascript if you can measure time using the mentioned strategies. It could be interesting also to measure average mouse speed while the user is in the page moving the mouse.

Furthermore, fingerprinting becomes more accurate when the user is using a trackpad to navigate through a page.

  • The CPU-intensive JS method

What is even more tricky is that the not only the user can be fingerprinted but his machine as well. How? By running a CPU-intensive JavaScript operation in the browser:

With the improved accuracy on time provided by the setInterval inside the WebWorker, it is easy to create a CPU intensive script (or even memory intensive) and measure how long it takes for the user browser to execute it.

The conclusion?

Tor or no Tor, fingerprinting users through their browsers turns out to be quite an easy job.

Milena Dimitrova

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...