Abstract
The onion router (Tor) is currently the most powerful and prominent tool to achieve online privacy on the Internet. As a browser, Tor can protect web users by not revealing the source or destination IP address, and it also prevents web tracking with HTTP cookies. Tor browser has been updated continuously to resist de-anonymizing attacks by restricting the browser’s functions, e.g., excluding all plugins such as Flash player. On March 2016, Jose Norte posted the article as “Advanced Tor Browser Fingerprinting” in his blog [37]. It suggested that browser fingerprinting can track Tor browser. In this paper, we examined how secure Tor browser version 5.5 is against browser fingerprinting. Our study concludes that Tor user accesses can be distinguished: 14.28% of Tor browser version 5.5 can be identified within two weeks at our experimental sites, although 70.0% of the older versions can. In this paper, we analyze the current features of Tor browser against browser fingerprinting and also show capabilities to track Tor browser accesses.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Ball, J., Schneier, B., Greenwald, G.: NSA and GCHQ target Tor network that protects anonymity of web users. http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption. Last accessed 15 Feb 2016
de Montjoye, Y.A., Radaelli, L., Singh, V.K., Pentland, A.: Science 347, 536–539 (2015)
Tor project: FAQ. https://www.torproject.org/docs/faq.html.en. Last accessed 15 Feb 2016
W3techs. http://w3techs.com. Last accessed 15 Feb 2016
OpenAM. http://openam.forgerock.org/. Last accessed 15 Feb 2016
Tor project. https://www.torproject.org/. Last accessed 15 Feb 2016
Perry, M., Perry, E., Murdoch, S.: The Design and Implementation of the Tor Browser DRAFT. https://www.torproject.org/projects/torbrowser/design/. Last accessed 15 Feb 2015
Panchenko, A., Niessen L., Zinnen, A., Engel, T.: Website fingerprinting in onion routing based anonymization networks. In: Proceedings of the 10th ACM Workshop on Privacy in the Electronic Society (2011)
Eckersley, P.: How Unique is Your Web Browser? In: Proceedings of the Privacy Enhancing Technologies Symposium. LNCS, vol. 6205 (2010)
The WebKit Open Source Project. https://trac.webkit.org/wiki/Fingerprinting. Last accessed 15 Feb 2016
Takei, N., Saito, T., Takasu, K., Yamada, T.: Web browser fingerprinting using only cascading style sheets. In: Proceedings of the 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA) (2015)
Takasu, K., Saito, T., Yamada, T., Ishikawa, T.: A survey of hardware features in modern browsers: 2015 edition. In: Proceedings of the 9th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS 2015) (2015)
Mozilla wiki. https://wiki.mozilla.org/fingerprinting. Last accessed 15 Feb 2016
Kwon, A., AlSabah, M., Lazar, D., Dacier, M., Devadas, S.: Circuit fingerprinting attacks: passive deanonymization of tor hidden services. In: Proceedings of the USENIX 2015 (2015)
Boda, K., Földes, A., Gulyás, G., Imre, S.: User Tracking on the web via cross-browser fingerprinting. In: Proceedings of the 16th Nordic Conference on Information Security Technology for Applications (2011)
Kiryu, N., Iso, Y., Kaneko, Y., Saito, T.: Estimation of Number of CPU Cores Using with Web Workers. In: Proceedings of the Computer Security Symposium (CSS 2014) (2014). (in Japanese)
Panopticlick, How unique and trackable is your browser? https://panopticlick.eff.org. Last accessed 15 Feb 2016
NoScript. https://noscript.net/. Last accessed 1 Feb 2015
Fifield, D., Egelman, S.: Fingerprinting web users through font metrics. In: Proceedings of the Financial Cryptography and Data Security 2015. Lecture Notes in Computer Science, vol. 8975 (2015)
Iovation Inc. https://www.iovation.com. Last accessed 15 Feb 2016
BlueCava Inc. http://www.bluecava.com. Last accessed 15 Feb 2016
41st Parameter Inc. http://www.the41.com/. Last accessed 1 May 2015
AddThis Inc. http://www.addthis.com/. Last accessed 15 Feb 2016
ThreatMetrix, https://www.threatmetrix.com/. Last accessed 15 Feb 2016
Mowery, K., Shacham, H.: Pixel Perfect: Fingerprinting Canvas in HTML5. In: Proceedings of the Web 2.0 Security and Privacy (W2SP) (2012)
Kiryu, N., Goto, H., Saito T.: A proposal of estimating of CPU architectures by JavaScript engine. In: Proceedings of the 75th National Convention of Information Processing Society of Japan (IPSJ) (2013). (in Japanese)
Faizkhademi, A., Zulkernine, M., Weldemariam, K.: Empirical evaluation of web-based fingerprinting. IEEE Softw. 32, 46–52 (2015)
Lu, T., Yao, P., Zhao, L., Li, Y., Xie, F., Xia, Y.: Towards attacks and defenses of anonymous communication systems. Int. J. Secur. Appl. 9(1), 313–328 (2015)
Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of Web-based device fingerprinting. In: Proceedings of the 34th IEEE Symposium of Security and Privacy (IEEE S&P 2013) (2013)
Boda, K., Földes, Á.M., Gulyás, G.G., Imre, S.: Tracking and Fingerprinting in E-Business: New Storageless Technologies and Countermeasures (2013)
Upathilake, R., Yingkun, L., Matrawy, A.: A classification of web browser fingerprinting techniques. In: Proceedings of the IFIP New Technologies, Mobility, and Security (NTMS), pp. 1–5 (2015)
Goodin, D.: How the NSA might use Hotmail, Yahoo or other cookies to identify Tor users. http://arstechnica.com/security/2013/10/how-the-nsa-might-use-hotmail-or-yahoo-cookies-to-identify-tor-users/. Last accessed 15 Feb 2016
Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: Proceedings of 13th USENIX Security Symposium (2004)
Alexa Internet, Inc. http://www.alexa.com. Last accessed 15 Feb 2016
Doty, N.: Fingerprinting guidance for Web specification authors. http://w3c.github.io/fingerprinting-guidance/. Last accessed 16 Feb 2016
Mulazzani, M., Reschl, P., Huber, M., Leithner, M., Schrittwieser, S., Weippl, E.: Fast and reliable browser identification with JavaScript engine fingerprinting. In: Proceedings of Web 2.0 Workshop on Security and Privacy (W2SP) (2013)
Norte, J.: Advanced Tor Browser Fingerprinting. http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html. Last accessed 15 May 2016
Acknowledgments
This work was supported by JSPS KAKENHI Grant Number 26330162. We are deeply grateful to Y. Nishikura for this work.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG
About this paper
Cite this paper
Saito, T., Takahashi, K., Yasuda, K., Tanabe, K., Taneoka, M., Hosoya, R. (2018). Tor Fingerprinting: Tor Browser Can Mitigate Browser Fingerprinting?. In: Barolli, L., Enokido, T., Takizawa, M. (eds) Advances in Network-Based Information Systems. NBiS 2017. Lecture Notes on Data Engineering and Communications Technologies, vol 7. Springer, Cham. https://doi.org/10.1007/978-3-319-65521-5_44
Download citation
DOI: https://doi.org/10.1007/978-3-319-65521-5_44
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-65520-8
Online ISBN: 978-3-319-65521-5
eBook Packages: EngineeringEngineering (R0)