Hacker NewsHacker News
We found a stable Firefox identifier linking all your private Tor identities
93 points by danpinto 3 hours ago | 34 comments
lpapez 2 hours ago
Very cool research and wonderfully written.

I was expecting an ad for their product somewhere towards the end, but it wasn't there!

I do wonder though: why would this company report this vulnerability to Mozilla if their product is fingeprinting?

Isn't it better for the business (albeit unethical) to keep the vulnerability private, to differentiate from the competitors? For example, I don't see many threat actors burning their zero days through responsible disclosure!

reply
valve1 41 minutes ago
We don't use vulnerabilities in our products.
reply
mtlynch 33 minutes ago
I don't understand what you mean. What separates this from other fingerprinting techniques your company monetizes?

No software wants to be fingerprinted. If it did, it would offer an API with a stable identifier. All fingerprinting is exploiting unintended behavior of the target software or hardware.

reply
giancarlostoro 21 minutes ago
It makes sense to me, they're likely not trying to actually fingerprint Tor users. Those users will likely ignore ads, have JS disabled, etc. the real audience is people on the web using normal tooling.
reply
baobabKoodaa 3 minutes ago
Uhh okay, so they do exploit vulnerabilities, they just try to target victims who can be served ads? What a weird distinction.
reply
sodality2 6 minutes ago
Side channels that enable intended behavior, versus a flat-out bug like the above, though the line can often be muddied by perspective.

An example that comes to mind that I've seen is an anonymous app that allows for blocking users; you can programmatically block users, query all posts, and diff the sets to identify stable identities. However, the ability to block users is desired by the app developers; they just may not have intended this behavior, but there's no immediate solution to this. This is different than 'user_id' simply being returned in the API for no reason, which is a vulnerability. Then there's maybe a case of the user_id being returned in the API for some reason that MIGHT be important too, but that could be implemented another way more sensibly; this leans more towards vulnerability.

reply
lyu07282 35 minutes ago
So it's the criminal that convinced themselves they are the good guys, I didn't expect that one. You are a malware company get a grip.
reply
hrimfaxi 54 minutes ago
They probably are not relying on it and disclosure means others can't either.
reply
Meneth 10 minutes ago
I'm confused.

The IndexedDB UUID is "shared across all origins", so why not use the contents of the database to identify browers, rather than the ordering?

reply
lxgr 6 minutes ago
The content is obviously scoped to an origin, or IndexedDB would be a trivial evercookie.
reply
bawolff 49 minutes ago
From the sounds of this it sounds like it doesn't persist past browser restart? I think that would significantly reduce the usefulness to attackers.
reply
shevy-java 45 minutes ago
Would it though? I guess state agencies already know all nodes or may know all nodes. When you have a ton of meta-information all cross-linked, they can probably identify people quite accurately; may not even need 100% accuracy at all times and could do with less. I was thinking about that when they used information from any surrounding area or even sniffing through walls (I think? I don't quite recall the article but wasn't there an article like that in the last 3-5 years? The idea is to amass as much information as possible, even if it may not primarily have to do with solely the target user alone; e. g. I would call it "identify via proxy information").
reply
sva_ 58 minutes ago
Does Tor Browser still allow JavaScript by default? Because if you block execution of JavaScript, you won't be affected from what I understand.
reply
ranger_danger 56 minutes ago
Disabling JavaScript actually greatly increases your fingerprint as not many users turn it off, so that instantly puts you in a much smaller bucket that you need to be unique in. Yes, not having JS means it limits your options for gathering other details, but it also requires much less effort to be unique now without JS.

Tor Browser also doesn't spoof navigator.platform at all for some reason, so sites can still see when you use Linux, even if the User-Agent is spoofing Windows.

reply
Springtime 18 minutes ago
> Disabling JavaScript actually greatly increases your fingerprint as not many users turn it off, so that instantly puts you in a much smaller bucket that you need to be unique in.

I've heard a handful of people say this but are there examples of what I would imagine would have to be server-side fingerprinting and the granularity? Since most fingerprinting I'm aware of is client-side, running via JS. While I expect server-side checks to be limited to things like which resources haven't be loaded by a particular user and anything else normally available via server logs either way, which could limit the pool but I wonder how effective in terms of tracking uniqueness across sites.

reply
throwawayqqq11 20 minutes ago
I have my problems with that argument. Yes, less identifying bits means a smaller bucket but for the trackers, it also means more uncertainty, doesnt it? So when just a few others without JS join your bucket eg. via a VPN, profiling should become harder.
reply
crazysim 2 hours ago
I would imagine most users of Tor are using Tor Browser. I am reading there was a responsible disclosure to Mozilla but is it me or did that section leave out when the Tor Project planned to respond or release a fixed Tor Browser? Do they like keep very close or is there a large lag?
reply
flotzam 54 minutes ago
Tor Browser is always quick to rebase on the latest Firefox ESR. They released an update the next day:

https://blog.torproject.org/new-release-tor-browser-15010/

reply
anthk 8 minutes ago
The best for Tor would just be Links2/Links+ with the socks4a proxy set to 127.0.0.1:9050, enforcing all connection thru a proxy in the settings (mark the checkbox) and disabling cookies altogether.
reply
fsflover 2 hours ago
It seems Qubes OS and Qubes-Whonix are not affected.
reply
2ndorderthought 17 minutes ago
In the last ten years has qubes moved on to support more hardware? Every 4 years I would try to use it only to find it didn't support any of my hardware.
reply
orbital-decay 3 minutes ago
Most hardware (especially GPUs) is hard to virtualize in a secure manner, which is the entire point of Qubes. People who use it typically buy compatible hardware.
reply
Aachen 7 minutes ago
We buy off the shelf laptops, not sure anyone ever checked that it can run Qubes specifically before trying to install it (I'm sure of at least one person: myself). Doesn't just about any x64 machine with hardware where drivers are available in standard kernels also work with Qubes?
reply
fsflover 5 minutes ago
Actually, it should work indeed, unless it lacks some Linux drivers or VT-d.
reply
fsflover 7 minutes ago
Tested hardware can be found here https://qubes-os.org/hcl. New hardware is being constantly added. If you plan to switch to Qubes, consider buying something from that list or, better, certified, or community-recommended hardware linked there.
reply
hrimfaxi 44 minutes ago
How so? If you kept a disposable VM open and just created new identities in tor browser, how does Qubes mitigate the threat here?
reply
fsflover 41 minutes ago
On Qubes, you do not create a new identity in the same VM. This would go against the Qubes approach to security/privacy. Using separate VMs for independent tasks is the whole point of using Qubes.
reply
ranger_danger 55 minutes ago
Source?
reply
fsflover 37 minutes ago
Different VMs result in different identifiers.
reply
LoganDark 8 minutes ago
> For developers, this is a useful reminder that privacy bugs do not always come from direct access to identifying data. Sometimes they come from deterministic exposure of internal implementation details.

> For security and product stakeholders, the key point is simple: even an API that appears harmless can become a cross-site tracking vector if it leaks stable process-level state.

This reads almost LLM-ish. The article on the whole does not appear so, but parts of it do.

reply
shevy-java 48 minutes ago
Well that sucks. I guess in the long run we need a new engine and different approach. Someone should call the OpenBSD guys to come up with working ideas here.
reply
fsflover 4 minutes ago
Here you go: https://qubes-os.org.
reply
giancarlostoro 19 minutes ago
> Mozilla has quickly released the fix in Firefox 150 and ESR 140.10.0, and the patch is tracked in Mozilla Bug 2024220.

Did you even read the article at all? Ah my children did bad in school, time to replace them with new children and a different spouse. This is what you're suggesting essentially. A browser is not just something you simply make out of thin air. There's decades of nuance to browser engines, and I'm only thinking of the HTML nuances, not the CSS or JS nuances.

reply
anthk 7 minutes ago
Given the dangers of JS and WASM they could just fork Netsurf and enhance the CSS3 support. If you are a journalist, running Tor with JS and tons of modern web tech enable makes you a bright white spot in a sea of darkness.
reply