73

Whenever I maximize the Tor browser, it shows a warning:

Maximizing Tor Browser can allow websites to determine your monitor size, which can be used to track you...

How can screen resolution or monitor size be used to track a person?

Peter Mortensen
Anurag
  • Unfortunately I can not find it anymore, but a while ago there was some site that was trying to generate a fingerprint from all it could gather about you, not only the screen resolution. It was telling you how many different systems with that fingerprint it already saw. I was never able to find any configuration that was not unique ... – PlasmaHH Oct 09 '15 at 10:40
  • 3
    @PlasmaHH probably the EFF Panopticlick: https://panopticlick.eff.org/ – Cosmic Ossifrage Oct 09 '15 at 13:08
  • 1
    @CosmicOssifrage: Yep, that looks like it. Quite useful to get an idea of this information. – PlasmaHH Oct 09 '15 at 13:13
  • 1
    @PlasmaHH: Visited the website, took the test. Yes, the "fingerprint" they extracted is unique... to the point of being useless for tracking. The reason that real world fingerprints are useful is because they stay with a person through one's whole life. The panopticlick "fingerprint" changes with every browser patch. – Ben Voigt Oct 09 '15 at 17:26
  • I think that this question can be better if you ask why you can be tracked by any screen size if you don't have JavaScript enabled – Freedo Oct 16 '15 at 22:29

4 Answers

60

All Tor browser users are asked to surf pages using the default window size. So if you follow this practice, you are just like other users; I mean the screen resolution won't be used as a factor to identify you.

From here, you can read an interesting comment that fits your question:

Using an unusual screen resolution was sufficient to identify me uniquely to panopticlick. With my portrait mode screen resolution of 1200 wide by 1920 high, the default window size of 1000x1765 was unique, no resizing or maximizing needed.

Visit the browserspy webpage, which implements a demo where you can find out information about your screen, including width, height, DPI, color depth and font smoothing.

Conclusion: do not distinguish yourself from others. Act as everybody else.

  • 3
    The real question is, why couldn't Tor return a "fixed screen size" to the javascript requesting the screen sizes even when you have it maximized? Why doesn't Tor implement standard *Tor Pixels* that are the same throughout all users regardless of whether you have it maximized or not? – Pacerier Oct 08 '15 at 06:58
  • 11
    @Pacerier That would require a bit more tooling *within the browser*, not just regarding how the network traffic is handled. If Tor had its own browser, of course, this would be perfectly doable -- but that's a rather tall order, and that browser itself would instantly become a much more interesting target than Tor currently presents (the slightest mistake within a "Tor browser" would be a much more certain fingerprint/giveaway than a particular screen resolution). – zxq9 Oct 08 '15 at 07:04
  • 1
    @Pacerier HA HA HA. I spoke too soon. Tor has changed since last I messed with it. Doing its own browsery things is... well, whatever. There is no longer the faintest hope of being secure doing anything on the "web" against a determined attacker that can map even a tiny part of the network (as opposed to the internet, but even that is tricky). – zxq9 Oct 08 '15 at 07:08
  • 7
    @Pacerier Because generally people expect webpages to adjust to fit their screen... – user253751 Oct 08 '15 at 07:55
  • 3
    @immibis That adjustment could be done by the browser reflowing the content to match the window size without the JS ever getting the window size. – Reinstate Monica Oct 08 '15 at 20:40
  • @Solomonoff'sSecret That works, except for the websites that really do use JavaScript to control layout, which there's an increasing amount of these days. – user253751 Oct 08 '15 at 23:27
  • 2
    It's also possible to determine browser viewport size by setting up list of CSS media queries to load different image url for all possible viewport sizes and even combine that with other media types like color capabilities and DPI. – Māris Kiseļovs Oct 09 '15 at 05:00
  • 2
    @MārisKiseļovs Ideally all of that would be possible to do declaratively using CSS. But perhaps privacy wasn't a priority when the standards were drafted. – Reinstate Monica Oct 09 '15 at 14:34
  • @zxq9, The context of the answer is **Tor Browser**, not tor network. And yes, Tor (browser) actually does do many fixes to the browser itself.. just look at all the extra plugins they add. From the 11 upvotes your comment receives, it looks like this page is getting a lot of attention from laypeople who don't quite know how things work ;) – Pacerier Oct 19 '15 at 12:23
  • @immibis, You're missing the point. The whole point of the implementation of *Tor Pixels* is that they stretch to fit the screen. The "screen pixels" are mapped to [virtual ones](http://www.quirksmode.org/mobile/viewports.html) implemented by Tor browser. For non-webdevelopers, basically it's something like changing screen resolution, but Tor browser does the translation, not the OS. Which is why it **works even** for websites that *"really do use JavaScript to control layout"*. – Pacerier Oct 19 '15 at 12:23
  • 2
    @MārisKiseļovs, No that will not work because "CSS media queries" are getting their values through the browser, and the browser (Tor) is free to return the virtual values **after translation**. It'll be considered a security vulnerability that needs to be fixed asap if that works. – Pacerier Oct 19 '15 at 12:24
  • 1
    @Pacerier I suspect that the number of upvotes my comment generated was about the Tor browser *itself* presenting a perfect target that obviates the need for (most) attacks on the network. This depends on the goal of the attacker, of course, but as Tor is primarily used as an anonymizer, this presents a particularly obvious problem with the system (not to mention dramatically narrowing the target if your goal is to simply take over or break out of the browser itself). – zxq9 Oct 19 '15 at 14:00
  • @zxq9, Which is exactly why I said "it looks like this page is getting a lot of attention from laypeople who don't quite know how things work". Because such a bug within Tor browser would be classified as a fatal vulnerability. It will have the same magnitude as that of a bug in the Tor network. (That bug can claim the [£65,000 reward](http://www.expertreviews.co.uk/software/internet-security/1401061/why-the-tor-browser-and-your-privacy-are-under-threat) from the Russian gov.) So Tor browser is not a "perfect target" any more than Tor network is. [cont] – Pacerier Nov 11 '15 at 01:07
  • 1
    [cont] The key point to note is that Tor browser is the **main focus** of the Tor project, not merely an addon. [Political activists and journalists](https://www.torproject.org/about/torusers.html.en#journalist) in oppressed countries do not use Tor-network-with-some-other-browser, they use Tor browser. People will literally get executed when there are fatal privacy bugs in this program. – Pacerier Nov 11 '15 at 01:08
  • 2
    @Pacerier It's good to know that the Tor browser is the only bug-free software in the world. Quite an achievement. It's also good to know that governments have suddenly changed their gameplan and no longer use vulnerabilities to collect continuous data on the evolution of opposition groups and instead mindlessly arrest and execute people overnight when they don't toe the line. <- All that, that's fantasy. Political suppression is a *much* more subtle game than that and the Tor browser itself is a *fantastic* target for subversion by authorities. – zxq9 Nov 11 '15 at 06:53
  • 1
    @zxq9, It's odd you'd think Tor is bug-free, especially when Tor has [multiple](http://arstechnica.com/security/2015/04/bugs-in-tor-network-used-in-attacks-against-underground-markets/) security flaws which have flooded news channels. Let's read the words of your previous comment in context again: Your point is "*Tor browser itself presenting **a perfect target*" when compared to the Tor network**, and my point is clear: Tor browser is the main focus of the Tor project, not merely an addon. A bug within Tor browser has the same magnitude as that of a bug in the Tor network. – Pacerier Nov 12 '15 at 02:31
  • The issue with media queries is simple to fix. Just download all medias at page load concurrently. The attacker may infer that you're using Tor, but they can't identify anything further than that. The drawback is higher bandwidth usage. – Lie Ryan Nov 30 '15 at 16:24
44

Perhaps it's worth mentioning that the impact of resizing your browser on your privacy heavily depends on what window size you set. Maximizing Tor browser on a screen with a standard resolution like 1280x1024 or 1080p is not too bad - lots of people have screens like that, and you probably won't end up being the only one with that resolution. The adversary will still be able to tell that you're running Tor on a desktop PC rather than laptop - those often have WXGA resolution, or something model-specific which is worse if you want to stay private.

The worst thing you can do is to resize the Tor browser manually to a random size instead of maximizing it. The adversary won't have a clue about the hardware you're running on, but you will probably be the only person with that browser size on each site you visit. This means your activity can be tracked - the adversary will know that sites A, B and C were visited by the same person (you), despite the fact that Tor used three different IPs to access those sites.

EDIT: One thing I would like to add here: running a browser with JavaScript support with Tor is something I wouldn't do at all. Screen size aside, JavaScript provides numerous options for tracking. For example, Google is able to distinguish users from bots by the way you click on a button, and that same algorithm could probably be tuned to identify individual users as well.

Dmitry Grigoryev
  • 5
    Best answer IMO... No one is going to be able to track you if you are using one of the 3 or 4 standard screen resolutions. Random window sizes, however, would be very unique. – JPhi1618 Oct 08 '15 at 13:10
  • 4
    Supposing that the sizing of your toolbars and window decoration matches that of everyone else. – Ángel Oct 08 '15 at 22:17
  • @Ángel, this is a valid remark, but I expect this to be the case across different Tor browser versions. One can certainly customize his instance at the cost of their privacy. – Dmitry Grigoryev Oct 09 '15 at 07:47
  • 2
    @DmitryGrigoryev it's not about the toolbars of the browser, but rather the graphical user interface configuration of the operating system the browser is running on. People usually have some sort of task bars and monitors at the sides of the screen, and window decoration differs because of different operating systems, window managers and their themes... – dbanet Oct 11 '15 at 09:19
13

Client-side code (JavaScript) on a web site you visit has access to screen resolution and other settings. Often the combination of these settings is unique enough to match your current session (which may be protected by Tor) with some other session that is not protected by Tor. Following the fingerprint analogy, if you use Tor but have a non-default window size, it can be unique enough that it is like you are leaving a fingerprint at a web site you visit. And with that fingerprint, they can track you to other web sites.

mcgyver5
  • 2
    The Tor browser masks your screen resolution by saying it's the same as your browser window size. – Mark Oct 07 '15 at 19:02
  • 1
    @Mark - doesn't that make it _more_ fingerprintable? Most people don't have consistent browser sizes unless they're maximized, and even a maximized window is quite informative since it won't include your taskbar and related items, all of which can vary in size (icon size, multiple rows, etc). – Adam Katz Oct 07 '15 at 22:34
  • 7
    @AdamKatz, it makes it easy to detect the use of the Tor browser. It makes it very difficult to tell users of the Tor browser apart, because the Tor browser starts up with a standard window size. – Mark Oct 07 '15 at 22:40
  • 6
    And detecting use of the Tor browser is already easy (the list of Tor exit nodes is public for one thing). Tor does not attempt to hide the fact that you are using Tor; it just tries to make you look as much like any other Tor user as possible. – Zach Lipton Oct 08 '15 at 03:36
  • The Tor browser itself is the largest threat to Tor. – zxq9 Oct 08 '15 at 07:06
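
The linkage the answers above describe (script-readable screen settings, and a hand-resized window seen on sites A, B and C behind different exit addresses), as an added example that is not part of any post on this page. It assumes one party can compare the logs of all three sites; every site, address and window size is constructed, and `screenKey`, `anonymitySet` and `linkedVisits` are hypothetical names.

```javascript
// Added example; all sites, addresses and sizes below are constructed.

// Display traits a page script can read. `win` is a browser `window` or any
// object of the same shape, so the function also runs under Node.
function screenKey(win) {
  const s = win.screen;
  return [s.width, s.height, s.colorDepth, win.innerWidth, win.innerHeight].join("x");
}

// Stand-in window whose reported screen size equals its window size.
const fakeWindow = (w, h) =>
  ({ screen: { width: w, height: h, colorDepth: 24 }, innerWidth: w, innerHeight: h });

const STOCK = [1000, 900];      // stand-in for a window left at its start-up size
const MAXIMIZED = [1920, 1000]; // stand-in for a maximized window on a common monitor
const RESIZED = [1137, 743];    // dragged by hand to an arbitrary size

// [site, exit address the site sees, window size]
const visits = [
  ["A", "198.51.100.7", STOCK], ["A", "198.51.100.8", STOCK],
  ["A", "198.51.100.9", RESIZED], ["A", "198.51.100.10", MAXIMIZED],
  ["B", "203.0.113.4", STOCK], ["B", "203.0.113.5", RESIZED],
  ["B", "203.0.113.6", MAXIMIZED], ["B", "203.0.113.7", MAXIMIZED],
  ["C", "192.0.2.1", RESIZED], ["C", "192.0.2.2", STOCK], ["C", "192.0.2.3", STOCK],
].map(([site, ip, [w, h]]) => ({ site, ip, key: screenKey(fakeWindow(w, h)) }));

// Anonymity set: how many visits to one site share a given key.
function anonymitySet(log, site, key) {
  return log.filter(v => v.site === site && v.key === key).length;
}

// Keys that are alone in their anonymity set on every site where they occur,
// and occur on more than one site: these tie visits together despite new IPs.
function linkedVisits(log) {
  const out = {};
  for (const key of new Set(log.map(v => v.key))) {
    const hits = log.filter(v => v.key === key);
    const sites = [...new Set(hits.map(v => v.site))];
    if (sites.length > 1 && sites.every(s => anonymitySet(log, s, key) === 1)) {
      out[key] = hits.map(v => `${v.site}@${v.ip}`);
    }
  }
  return out;
}

console.log(linkedVisits(visits));
```

Only the hand-resized window is reported: the maximized size is alone on site A but shared by two visitors on site B, so it does not single anyone out there.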
2

... and just to clarify "track": if you go from their page X to their page Y, they can tell that somebody with the same resolution visited both pages, and maybe with enough information (see @Begueradj answer above) they could even guess correctly whether or not it was the same person.

... and "they" is the web host: If you then go to somebody else's page A, then the process starts over with that new somebody else.

... but they wouldn't necessarily know (from that alone) who that person was. They can't really track you across different web sites (unless they host both sites), and they'd need to piece together with something else to figure out who it actually was. Though the three different IP addresses might tell them it's a TOR user.

woodvi
  • 2
    The way you have written this answer makes it very difficult to read. Can you re-write this to make direct statements related to the questions? – schroeder Oct 08 '15 at 15:59