There is no new content.

» Go to the full list

Recent comments

» 2018.02.03. 18:24:02, Note for Firefox @ Preventing misuses and misapprehensions of FireGloves

» 2017.03.12. 20:02:46, Namrata Nayak @ Predicting anonymity with machine learning in social networks

» 2017.01.13. 20:51:19, anonymous @ Preventing misuses and misapprehensions of FireGloves

» 2016.06.12. 13:52:44, Dany_HackerVille @ Preventing misuses and misapprehensions of FireGloves

» 2014.08.29. 17:16:15, [anonymous] @ Preventing misuses and misapprehensions of FireGloves

Update your TOR Browser settings – otherwise it’s less anonymous than you’d think

| | 2015.11.30. 10:09:06  Gulyás Gábor  


In this post we discuss a method that allows tracking users of the TOR Browser Bundle (TBB) with the latest release (5.0.4). We believe that this is an important issue for the TBB users to know, as they would expect anonymity by using TBB, but, as we demonstrate below, this remains a false belief under the default TBB settings.

Although this problem is apparently known by the TOR developers [6], we decided to post our findings due to the following reasons. First, we believe that such a vulnerability should be more clearly communicated to the TOR users. Second, there is a simple workaround that most users can adopt until a patch is delivered by the developers.

Why is TBB anonymity at risk?

TBB is an anonymous browser, thus TBB adopts several measures to make user activities non-trackable, or unlinkable to non-TBB activities. One way for a website to track the activities of a browser is to detect the available fonts on the system. (This is exploited by real-world trackers.) The set of installed fonts is typically highly unique, and it has been shown that it is one of the most unique properties that a browser can have [1]. Even more, fonts can be used to track the OS/device itself [2].

The TOR developer community has already been aware of this problem, and some countermeasures have also been taken: they introduced a limit on the number of fonts a website can load [3]. Due to implementation difficulties, experimental countermeasures have been tested in the alpha release [4], but this seems to be omitted from the current stable version. However, we found that none of these measures work currently, leaving TBB users vulnerable to font-tracking attacks.

Examples: check out if the attack works

It can be easily verified if somebody is vulnerable to the attack or not: we only need to visit a website that obviously loads more than 10 fonts, and if it is successful, we have a problem. For example, you can visit this site [7] and check how many fonts it can load. Alternatively, cross-browser fingerprinting sites [5] can be used to test this attack more systematically.

In the following two screenshots, we compared the detected fonts on Linux and on OSX using TBB (left), and also using a regular browser (right). As you can see, more-or-less the same fonts are detected, which shows that TBB can be tracked across multiple sites, and activities within TOR can potentially be linked with activities outside of TOR.

In the following screenshot we show that the list of installed fonts can also be inferred regardless of the privacy settings in TBB. The highest setting, which provides the strongest privacy protections in TBB, seemingly prevents tracking as it disables JavaScript on all sites. However, this is not perfectly the case: arbitrary fonts can be still loaded by CSS.

The CSS font leakage can be checked in our demonstration here [7].

How should I update TBB settings?

Fortunately there are two things that we can do about this. The better solution is to disable the browser to load any fonts except four of them. This can be done by opening the advanced font settings window (Settings > Content > Advanced) and unselecting the option that “websites could choose fonts on their own”. This will provide sufficient protection with all of the four privacy levels that TBB offers. The other possibility is to use the highest privacy setting offered by TBB, but that will further degrade user-experience, and as discussed above, it is not bullet-proof. 

This setting could help with preserving anonymity while waiting for the new stable release to deliver a working solution. (That would desirably also cover the vulnerability against another type of fingerprinting [8].)

Gábor Gulyás, Gergely Ács, Claude Castelluccia

EDITED (2015-12-01): Typekit example removed (our example is enough now).

Footnotes and links

[1] In the Panopticlick experiment fonts alone measured a 13.9 bit entropy over 286,777 users. After plugins, it was the second most unique property of browers. The paper is available here:

[2] Fonts could be extracted in a way that allows cross-browser fingerprinting. Paper:

[3] If you are using TBB, and open about:config, you’ll find two TBB specific settings on this called as browser.display.max_font_count and browser.display.max_font_attempts.

[4] Check here:


[6] A workaround was suggested here:

[7] CSS-based font tester:

[8] Further information can be found in the related ticket and article on the subject.

Tags: tor, anonymity, tbb, bug





No comments.

Post new comment

Anyone can comment, in case of unregistered senders all fields are optional. Comment can be anonymous.

Confirmation code. (Generate new confirmation code.)

BBCode is a simple markup language used for formatting comments. Valid codes are:

bold: [b]Maecenas at nisl.[/b]
italics: [i]Maecenas at nisl.[/i]
underline: [u]Maecenas at nisl.[/u]
url: [url][/url], [url=]Maecenas at nisl.[/url]
image: [img][/img]
quote: [quote]Maecenas at nisl.[/quote]
code: [code]Maecenas at nisl.[/code]
size: [size=12]Maecenas at nisl.[/size]
color: [color=#FF0000]Maecenas at nisl.[/color]


© International PET Portal, 2010 | Imprint | Terms of Use | Privacy Policy