back to article Tor users, beware: 'Scheme flooding' technique may be used to deanonymize you

FingerprintJS, maker of a browser-fingerprinting library for fraud prevention, on Thursday said it has identified a more dubious fingerprinting technique capable of generating a consistent identifier across different desktop browsers, including the Tor Browser. That means, for example, if you browse the web using Safari, …

  1. Pascal Monett Silver badge
    Stop

    web links like "skype://" or "slack://"

    These things should absolutely be forbidden and blocked by default.

    I do not want a browser to be able to launch anything on my computer. A browser's job is to allow me to browse the Web, not my application list.

    1. John Robson Silver badge

      Re: web links like "skype://" or "slack://"

      ftp:// ? (or more usefully sftp://

      The whole point is that it's a protocol definition - it's explicitly there to enable more than just http, otherwise it wouldn't be needed at all.

      1. Cynic_999 Silver badge

        Re: web links like "skype://" or "slack://"

        But the protocol should be implemented in the browser (as ftp protocol is), not passed off to a completely different application. IMO this should include "mailto://" - either the browser should bring up a "not available" message or should implement an outgoing mail client in the browser itself (or browser add-on) rather than opening the OS default mail client.

        1. John Robson Silver badge

          Re: web links like "skype://" or "slack://"

          That rather breaks the point of the link doesn't it.

          Not everyone wants their browser to do everything, but having a mailto link is pretty darned useful.

          What ought to happen is that you get a "choose what program you want to use to open this URL, since I don't know anything about it", and that should be the same prompt for any unknown protocol, and the webpage should have no idea what's happened to it. The browser says "OK, mine now", and then decides what to do.

          1. John Brown (no body) Silver badge

            Re: web links like "skype://" or "slack://"

            "Not everyone wants their browser to do everything, but having a mailto link is pretty darned useful."

            That's the point though, isn't it. Others may not see the point in their browser being able to follow a mailto:// link because they never use a mail client, but are very happy that it will follow/launch a skype:// link.

            1. John Robson Silver badge

              Re: web links like "skype://" or "slack://"

              And what about my suggestion prevents that?

              The "unknown protocol" (which is probably anything other than http(s)/ftp(s)) should be taken by the browser and the page returns as normal. Then the browser asks "what do I do with this?", and you tell it (possibly saving a default behaviour as well).

              Then the browser does the right thing (opens the relevant program to access the URI provided, or asks, or drops it) and the page on which that link was clicked is none the wiser as to what happened, the browser just said "Ok, I've got this".

        2. John Brown (no body) Silver badge

          Re: web links like "skype://" or "slack://"

          "IMO this should include "mailto://" - either the browser should bring up a "not available" message"

          This what my browser does,. hence the inability to use the "helpful" corrections link below the articles :-)

      2. A.P. Veening Silver badge

        Re: web links like "skype://" or "slack://"

        Don't forget "mailto://", the most useful of the bunch.

  2. Flocke Kroes Silver badge

    Problem already solved

    If you're seeing this message, that means JavaScript has been disabled on your browser, please enable JS to make this app work.

    Sure, hold your breathe while I get right on that...

    1. bombastic bob Silver badge
      Meh

      Re: Problem already solved

      I saw that in my main browser, which prompted me to re-try it in the "safe-surfing sandboxed" browser that has script enabled.

      I tested it with chrome on FreeBSD [a version built from ports a while back]. I initially used my "kill history" script that deletes LOTS of those files that chrome tries to use to save data across sessions. I recently increased the size of that list of files to be deleted, when I discovered that I wasn't deleting enough of them any more (certain things were starting to persist across browser sessions).

      *ahem*

      In any case, I did the "deanonymizing" test twice and got two completely different IDs. It does seem to take a while, though. You'd have to do this completely in the background for it to be effective, and over a fairly long period of time.

      But a social media giant that "keeps you on the page" for a while (or runs a web bug script even after a trackable page closes) might still find it practical...

  3. karlkarl Silver badge

    I think many who take privacy really seriously will be running this kind of stuff in separate Jails, Chroots or VMs. So none of these "fake urls" will work anyway.

    Just munging it all together on your main install to wreak havok is a little bit 90's ;)

    1. G Watty What?

      Isn't that the point though?

      The fact you (or the privacy conscious) don't have these apps but I do, is what would make our "fingerprints" different. Therefore this could still be used to differentiate your cohorts interactions from mine.

      The fact the app is detected or not is the trigger. I think the article was trying to say that a bit of JS shouldn't be able to determine that fact, one way or another, however, not having the apps is no real defence.

      Happy to be corrected.

      1. Anonymous Coward
        Anonymous Coward

        Re: Isn't that the point though?

        This is true to the extent that you're the only person who doesn't install the stuff. But in fact there are millions, possibly billions, of browser instances out there (including ours) that support only the default set of URI schemes. The safety lies not in not having the crapware (though that provides safety against other kinds of attacks) but in being one of a huge number of people who don't. This method cannot by itself distinguish you from any of them. Realistically it may at best offer another bit or two of uniqueness in identifying the relatively small number of people who have unusual sets of add-on scheme support.

        This is so ineffective that I suspect it may instead be a research project to learn what the distribution of installed schemes looks like; I'd expect a barbell shape with the majority having only the default set and various "christmas tree profiles" at the opposite end for people who never see a link without clicking it and haven't reinstalled their single-user OS since Windows XP came out. In between there will be a smaller number with a single extension they use because their employer mandates it and then not a whole lot else in between. If so, this fingerprinting method can distinctly identify only a very small number of browsers/users (possibly that number is as small as zero). But I may be wrong!

        TL; DR: When it comes to this kind of fingerprinting, there is safety in numbers.

      2. Anonymous Coward
        Anonymous Coward

        Re: Isn't that the point though?

        It's irrelevant whether you have the apps or not. The right way to use something like to is to create a VM with a stick OS install, buy your guns on the dark web, then delete it.

        The "signature" would be of a stock install and as such would be useless.

      3. John Brown (no body) Silver badge

        Re: Isn't that the point though?

        "Happy to be corrected."

        My impression from the article is that it can fingerprint you on your normal travels through the web and match that to a fingerprint when you use Tor. So the privacy conscious will use different browsers or instances in a sandbox/jail/VM and get a different fingerprint through "normal" browsing and Tor browsing.

        Also happy to be corrected.

  4. This post has been deleted by its author

    1. Cynic_999 Silver badge

      The tor site makes it extremely clear that tor is not of itself sufficient to ensure anonymity. However you are completely incorrect to say that it is likely to get your real IP address banned - the destination site is highly unlikely to know what your IP address is. It might get an online *account* banned. It may well also get you flagged with law enforcement as a "person of interest" if your ISP monitors and logs all connections made via a tor entry node, though the more people who use tor at least occasionaly the less this will be the case. There was a time when anyone sending any encrypted data over the Internet would be flagged as a potential ne'er-do-well. But these days almost all web sites use SSL so encrypted traffic is the norm rather than the exception.

    2. Meeker Morgan

      The benefits of Tor (assuming no additional hanky panky), no more no less than this:

      1) Your IP knows you're using Tor, but not what site you're browsing. If they are not targeting you personally this might afford some privacy.

      2) The site you're browsing knows you're using Tor, but not where you are. One consequence of this is you can get around regional restrictions, but not in a terribly reliable way. If you really need that, use a VPN.

      3) You can access .onion sites.

      That is it.

      Deleting history, cookies, etc at exit can be configured in any of the regular browsers.

      1. bombastic bob Silver badge
        Devil

        Re: The benefits of Tor (assuming no additional hanky panky), no more no less than this:

        chrome (at least the versions I have seen) does not automatically delete privacy tracking info on exit but Firefox can. But for chrome (on Linux or BSD - windows, mac YMMV) you can either delete all of chrome's files in ~/.config and ~/.cache [which gives you back the defaults] or cherry pick and just delete MOST of them until you get all of the ones that track you, but don't actually delete settings you want to keep.

        1. Anonymous Coward
          Anonymous Coward

          Re: The benefits of Tor (assuming no additional hanky panky), no more no less than this:

          If you're using tor because you need to, then use a VM and delete/wipe it once you're done.

          Don't try to protect a normal in-use system.

  5. Graham Cobb Silver badge

    Pretty unreliable

    The browser I am typing this into gave different results each time I tried it. In most cases it claimed it found 23 out of the 24 it looked for - but a different 23 each time (and most of the apps are definitely not installed on this Linux system).

    Another much more locked down browser I use for looking at links I am investigating (like ones I suspect are phishing) was (ironically) more stable - it gave me the same 22 out of 24 each time (although, again, most of those apps are not really present).

    My Tor Browser config gave a completely repeatable 0 out of 24. Of course, without JS turned on it didn't work at all.

    However, the point remains that this is a real tracking vulnerability. And the unreliability on my system may be due to unusual timings or other things which could be fixed in the javascript.

    1. Richard Tobin

      Re: Pretty unreliable

      It gives me different results in Firefox and Safari, and several of the programs were ones I've never even heard of, much less installed.

    2. Dog11
      Holmes

      Re: Pretty unreliable

      I tried 5 different browsers (Edge, Firefox, Vivaldi, Brave, Pale Moon). Edge and Brave returned the same fingerprint, Vivaldi and Firefox gave different fingerprints, Pale Moon hung wanting to know what app to open the Skype bit with. All seemed to think I had Skype (I don't), and Spotify was popular (don't have that, either). Firefox thought I had all 24 of the apps tested. So the demo isn't very threatening. Yet.

  6. Anonymous Coward
    Anonymous Coward

    Additional shortcomings

    Not mentioned are two major additional shortcomings that make this all but useless in practice: first, most browser instances will support the default collection of URI schemes shipped with it (because there's no guarantee that everyone, or even anyone, will install third-party extensions that support others), which means most sessions will resolve to the same fingerprint. So maybe it should be called Bertillon numbers instead. Second, there's no real reason these should work across browsers: each browser can have its own collection of extensions installed and even expose a different set of supported schemes to different user profiles. They are relying on desktop environment (mis-)features and a shotgun approach to extension installation by third-party (mal-)software that are easily defeated by users willing to do some trivial work. Which admittedly probably has considerable overlap with the set of users who wouldn't install this crap in the first place, but still.

    Bottom line: there's one more highly ineffective and inefficient way to fingerprint users who have consciously chosen to take zero interest in their own privacy by installing a fleet of third-party crapware and letting it shit all over their entire accounts. This is surely the very least of their many problems, and for the rest of us it's not a real problem at all.

  7. iron Silver badge
    FAIL

    Does not work

    This doesn't really work. For a start I see a bunch of popup windows appear in both Firefox and Edge so I can see it happen and could prevent it.

    The cross-browser fingerprint doesn't work - I see different identifiers in Firefox and Edge. Firefox missed that I have MS Word installed. Edge thought I have all 24 tested apps installed when I only have 10 installed. Both results are repeatable.

  8. A.P. Veening Silver badge

    It didn't work on Opera and gave pretty different results between Chrome and Firefox, missing some present in Chrome and reporting some not present in Firefox. For now I am not too worried.

  9. TWB

    Variable results

    I tried this on Brave, Tor, Firefox, Vivaldi, Safari and Opera. Only Brave and Tor had matching results (which is a shame as I like Brave best at the moment), though Vivaldi was close..... Safari just stalled and Opera failed to open the page at all.

    I guess similar results to others here.

  10. DS999 Silver badge

    Simple solution

    Have browsers only accept mailto: by default, if another app launcher is attempted it should ask for the users OK to enable it and what app to use. The rest are used by a small minority of the web browsing public, and should not be enabled - no need to confuse grandma by clicking on a "slack:" link, having it report there's no slack application, and calling her grandson for tech support over it.

    This issue may bigger to me than just fingerprinting me. If a malicious web site can trick the user to into clicking something that looks like a link ("next page") they want to click, but is really an app launcher, all the malicious web site needs is some type of bug in the app they can exploit and they could take over the user's device with a single click no matter how secure the browser itself was!

  11. mark l 2 Silver badge

    I ran it on Firefox on Linux and it correctly identified I had Skype & Telegram. When I tried Chrome on Linux it warned it might not work and indeed it incorrectly identified I had Spotify installed when its not but didn't detect Telegram. So not much use to fingerprint if your using multiple browsers on Linux.

    As for TOR if your serious about keeping your original IP hidden from the site you are visiting then you won't be connecting with JS enabled anyway so this fingerprint technique wouldn't work. So a bit of a click bait title to this article.

  12. MidgetOfDoom

    Why would you be browsing TOR with javascript enabled?

  13. Pascal Monett Silver badge
    FAIL

    Okay, I bit the bullet

    I came back to this article and decided to try the schemeflood link.

    What I got was : "If you're seeing this message, that means JavaScript has been disabled on your browser, please enable JS to make this app work. "

    NoScript FTW, again.

  14. NITS

    This is your identifier. It was seen 1900 times among 23038 tests so far.

    That means it is 91.75% unique.

    Want to try again?

    We have generated your identifier based on 0 applications you have installed.

    Out of 24 applications in our database.

    Firefox, Linux Mint.

    1. Doctor Syntax Silver badge

      "That means it is 91.75% unique."

      A bit like being 91.75% pregnant.

  15. SketchyScot

    Didn't run in Brave browser either, script blocking option also stops it completely.

  16. VTAMguy

    Fail

    Running on desktop Firefox 88 under Linux, this web page generates a list of applications I've supposedly installed, none of which are actually installed and many of which I've never heard of. Re-running it generates a brand new set of fictitiously installed applications and a new id number every time. I heartily endorse this new tracking scheme and encourage all advertisers to spend lots of money on it.

  17. nagyeger
    Black Helicopters

    Sort of worked for me...

    + Old copy of palemoon (v. rarely used) opened up 3 recognisable and correct 'what do I do with this' windows, but it detected the non-errors, and said I had those three protocols available.

    + Firefox didn't open up the windows but it did give me the same 3 protocols.

    - Epiphany-browser thought I have all 24 apps

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021