Tor Fingerprinting: Tor Browser Can Mitigate Browser Fingerprinting?

  • Takamichi Saito
  • Kazushi Takahashi
  • Koki Yasuda
  • Kazuhisa Tanabe
  • Masayuki Taneoka
  • Ryohei Hosoya
Conference paper
Part of the Lecture Notes on Data Engineering and Communications Technologies book series (LNDECT, volume 7)

Abstract

The onion router (Tor) is currently the most powerful and prominent tool for achieving online privacy on the Internet. As a browser, Tor can protect web users by not revealing the source or destination IP address, and it also prevents web tracking with HTTP cookies. Tor Browser has been updated continuously to resist de-anonymizing attacks by restricting the browser’s functions, e.g., excluding all plugins such as Flash Player. In March 2016, Jose Norte posted the article “Advanced Tor Browser Fingerprinting” on his blog [37]. It suggested that browser fingerprinting can track Tor Browser. In this paper, we examine how secure Tor Browser version 5.5 is against browser fingerprinting. Our study concludes that Tor user accesses can be distinguished: 14.28% of Tor Browser version 5.5 can be identified within two weeks at our experimental sites, whereas 70.0% of the older versions can. We analyze the current features of Tor Browser against browser fingerprinting and also show capabilities to track Tor Browser accesses.

Notes

Acknowledgments

This work was supported by JSPS KAKENHI Grant Number 26330162. We are deeply grateful to Y. Nishikura for this work.

References

  1. Ball, J., Schneier, B., Greenwald, G.: NSA and GCHQ target Tor network that protects anonymity of web users. http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption. Last accessed 15 Feb 2016
  2. de Montjoye, Y.A., Radaelli, L., Singh, V.K., Pentland, A.: Science 347, 536–539 (2015)
  3. Tor project: FAQ. https://www.torproject.org/docs/faq.html.en. Last accessed 15 Feb 2016
  4. W3techs. http://w3techs.com. Last accessed 15 Feb 2016
  5. OpenAM. http://openam.forgerock.org/. Last accessed 15 Feb 2016
  6. Tor project. https://www.torproject.org/. Last accessed 15 Feb 2016
  7. Perry, M., Perry, E., Murdoch, S.: The Design and Implementation of the Tor Browser DRAFT. https://www.torproject.org/projects/torbrowser/design/. Last accessed 15 Feb 2015
  8. Panchenko, A., Niessen, L., Zinnen, A., Engel, T.: Website fingerprinting in onion routing based anonymization networks. In: Proceedings of the 10th ACM Workshop on Privacy in the Electronic Society (2011)
  9. Eckersley, P.: How Unique is Your Web Browser? In: Proceedings of the Privacy Enhancing Technologies Symposium. LNCS, vol. 6205 (2010)
  10. The WebKit Open Source Project. https://trac.webkit.org/wiki/Fingerprinting. Last accessed 15 Feb 2016
  11. Takei, N., Saito, T., Takasu, K., Yamada, T.: Web browser fingerprinting using only cascading style sheets. In: Proceedings of the 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA) (2015)
  12. Takasu, K., Saito, T., Yamada, T., Ishikawa, T.: A survey of hardware features in modern browsers: 2015 edition. In: Proceedings of the 9th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS 2015) (2015)
  13. Mozilla wiki. https://wiki.mozilla.org/fingerprinting. Last accessed 15 Feb 2016
  14. Kwon, A., AlSabah, M., Lazar, D., Dacier, M., Devadas, S.: Circuit fingerprinting attacks: passive deanonymization of tor hidden services. In: Proceedings of the USENIX 2015 (2015)
  15. Boda, K., Földes, A., Gulyás, G., Imre, S.: User Tracking on the web via cross-browser fingerprinting. In: Proceedings of the 16th Nordic Conference on Information Security Technology for Applications (2011)
  16. Kiryu, N., Iso, Y., Kaneko, Y., Saito, T.: Estimation of Number of CPU Cores Using with Web Workers. In: Proceedings of the Computer Security Symposium (CSS 2014) (2014). (in Japanese)
  17. Panopticlick, How unique and trackable is your browser? https://panopticlick.eff.org. Last accessed 15 Feb 2016
  18. NoScript. https://noscript.net/. Last accessed 1 Feb 2015
  19. Fifield, D., Egelman, S.: Fingerprinting web users through font metrics. In: Proceedings of the Financial Cryptography and Data Security 2015. Lecture Notes in Computer Science, vol. 8975 (2015)
  20. Iovation Inc. https://www.iovation.com. Last accessed 15 Feb 2016
  21. BlueCava Inc. http://www.bluecava.com. Last accessed 15 Feb 2016
  22. 41st Parameter Inc. http://www.the41.com/. Last accessed 1 May 2015
  23. AddThis Inc. http://www.addthis.com/. Last accessed 15 Feb 2016
  24. ThreatMetrix. https://www.threatmetrix.com/. Last accessed 15 Feb 2016
  25. Mowery, K., Shacham, H.: Pixel Perfect: Fingerprinting Canvas in HTML5. In: Proceedings of the Web 2.0 Security and Privacy (W2SP) (2012)
  26. Kiryu, N., Goto, H., Saito, T.: A proposal of estimating of CPU architectures by JavaScript engine. In: Proceedings of the 75th National Convention of Information Processing Society of Japan (IPSJ) (2013). (in Japanese)
  27. Faizkhademi, A., Zulkernine, M., Weldemariam, K.: Empirical evaluation of web-based fingerprinting. IEEE Softw. 32, 46–52 (2015)
  28. Lu, T., Yao, P., Zhao, L., Li, Y., Xie, F., Xia, Y.: Towards attacks and defenses of anonymous communication systems. Int. J. Secur. Appl. 9(1), 313–328 (2015)
  29. Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of Web-based device fingerprinting. In: Proceedings of the 34th IEEE Symposium of Security and Privacy (IEEE S&P 2013) (2013)
  30. Boda, K., Földes, Á.M., Gulyás, G.G., Imre, S.: Tracking and Fingerprinting in E-Business: New Storageless Technologies and Countermeasures (2013)
  31. Upathilake, R., Yingkun, L., Matrawy, A.: A classification of web browser fingerprinting techniques. In: Proceedings of the IFIP New Technologies, Mobility, and Security (NTMS), pp. 1–5 (2015)
  32. Goodin, D.: How the NSA might use Hotmail, Yahoo or other cookies to identify Tor users. http://arstechnica.com/security/2013/10/how-the-nsa-might-use-hotmail-or-yahoo-cookies-to-identify-tor-users/. Last accessed 15 Feb 2016
  33. Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: Proceedings of 13th USENIX Security Symposium (2004)
  34. Alexa Internet, Inc. http://www.alexa.com. Last accessed 15 Feb 2016
  35. Doty, N.: Fingerprinting guidance for Web specification authors. http://w3c.github.io/fingerprinting-guidance/. Last accessed 16 Feb 2016
  36. Mulazzani, M., Reschl, P., Huber, M., Leithner, M., Schrittwieser, S., Weippl, E.: Fast and reliable browser identification with JavaScript engine fingerprinting. In: Proceedings of Web 2.0 Workshop on Security and Privacy (W2SP) (2013)
  37. Norte, J.: Advanced Tor Browser Fingerprinting. http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html. Last accessed 15 May 2016

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Takamichi Saito (1)
  • Kazushi Takahashi (1)
  • Koki Yasuda (1)
  • Kazuhisa Tanabe (1)
  • Masayuki Taneoka (1)
  • Ryohei Hosoya (1)

  1. Department of Science and Engineering, Meiji University, Kawasaki, Japan
