How to Use the scroll wheel to move data to obtain the fingerprints of anonymous users in Tor browsers

How to Use the scroll wheel to move data to obtain the fingerprints of anonymous users in Tor browsers

The ability to communicate secretly through the Internet is very important to political and activist groups. Then, almost everyone cares about the privacy of the Internet.
Although Tor networks provide users with a high level of privacy and security, most people can hardly find users' real IP addresses. However, this is not enough to protect users' privacy. When you browse a webpage, your identity may be leaked due to browser vulnerabilities, cookies, browser history records, browser plug-ins, and other issues.
Tor browser is a Firefox browser that uses Tor for reservation. When a user views a web page, it can protect its privacy. Browser plug-ins are disabled, and browsing records and cache are not persistent storage. If you close your browser, all traces will be erased.
User fingerprint recognition problems
Preventing the leakage of users' IP addresses is a key point to protect their privacy. We also need to consider many other things. Some Tor browser configurations may prevent many things that may obtain user privacy, not just the communication protection provided by Tor network.
Tor browser tries to solve a general problem, that is, user fingerprint. If a user can generate a unique fingerprint on a website, the tracker can identify each user accessing a specific page of the website to track the activity of the user in time. For example, if there is a similar access record in a year, we may determine it as the same user.
Worse, the tracker may match you to the same fingerprint when you access the normal network. Tor has made a lot of effort to prevent the tracker from identifying the user through fingerprint.
In the past, we have seen many fingerprint identification methods, and Tor browser naturally made corresponding countermeasures. For example, the size of the read text, screen size, local time, and operating system information.
Canvas fingerprints are well-known in browser fingerprints. However, many fingerprints that can be used to identify a user are nearly disabled in the Tor browser.
UberCookie
In the past few weeks, I have been able to identify the fingerprints of tor browsers in a controllable environment. Here we will share some interesting research results to further discuss how to improve Tor browsers.
The fingerprint identification method is provided here based on Javascript. Currently, Tor browsers are enabled by default. I created a simple and effective POC called UberCookie.
UberCookie demo
Measurement time
Tor browser has an interesting fingerprint, that is, the Javascript function Date. getTime () (unix time) will refresh every MS, so you cannot measure events less than Ms. This prevents the Javascript code on a specific web page from measuring the matching of user fingerprints. So I tried some events. to bypass this restriction, they would exceed 100 ms.
In fact, there are many ways to use Javascript to measure events that are less than ms in the Tor browser, some of which are obvious and some seem very interesting.
First, I added a simple variable that uses setInterval to increase the count per second. Even if the precision is not millisecond-level, it is better than the ms precision provided by Date. getTime.
Another way to measure the time is to create an animation with css3, configure the interval of 1 ms, and listen to the animationiteration event.
However, I use setInterval on the web to increase progressively to achieve better results.
Mouse wheel fingerprint
The mouse wheel event of Tor browser (the same for most browsers) may expose potential hardware information when scrolling in web pages. This event provides delta scroll wheel information. However, if you use a normal computer mouse, delta will be three. However, if you are using a touchpad, the delta quantity is changed to a variable value, which will be linked to your touchpad and usage mode.

The scroll wheel may also leak operating system information and hardware performance information due to its rolling speed.
I created an available lab POC here:
Scroll wheel Information Leakage demo
This demo creates three charts, one of which is related to the rolling speed, the other is linked to the delta, and the last one is related to the number of user scrolling times.
Mouse speed fingerprint
Another interesting fingerprint can reveal some information, that is, the speed at which the mouse moves on the webpage. Because the speed of mouse movement is controlled by the relevant operating system and hardware, if you use the time measurement policy mentioned above, it can be read by Javascript.
It may be interesting to measure the average speed of mouse movement on a webpage.
CPU Benchmark fingerprint
With the increase in the precision of setInterval on the web, we can create a CPU (or memory) Intensive script and try how much time the user's browser will spend executing it.
I found different computers and tested them. In the same Tor browser version, I got totally different results.
GetClientRects fingerprint
The most interesting fingerprint vector I found on the tor browser is getClientRects, which prevents reading the return value from the canvas,
However, it will ask the javascript API how a specific DOM element will be painted on the screen, and there is no restriction or protection here.
GetClientRects can get the precise pixel position and the size of the box drawn by a given DOM element. GetClientRects returns different results based on resolution, font configuration, and other factors. This allows us to quickly and easily obtain the fingerprint vector, which is better than the fixed canvas fingerprint.
Use Cases of getClientRects on the same page, tor browser of the same version, and different computers:
Computer 1:

Computer 2:

As you can see, getClientRects is very different from the same DOM element on the same page.
Lab results
The case of POC using ubercookie on Computer 1:
Clientrects: {"x": 131.5, "y": 462, "width": 724, "height": 19, "top": 462, "right": 855.5, "bottom": 481, "left": 131.5}
Scrollingmilis, 4,405, ,]

Scrollingdeltas: [3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
Biggest mouse step: 65
In a few seconds, the result of theCPUbenchmark will appear, please wait...
CPU Mean: 3245
The POC case for using ubercookie on computer 2 (same version of Tor browser ):
Client rects: {"x": 159.51666259765625, "y": 465.25, "width": 664.6500244140625, "height": 18.449996948242188, "top": 465.25, "right": 824.1666870117188, "bottom": 483.6999969482422, "left": 159.51666259765625}
Scrolling milis: [, 0,,, 2]
Scrolling deltas: [3, 0.975, 1.65, 1.5, 1.725, 2.25, 2.775, 2.4, 3.15, 3.375, 3.975, 3.675, 4.35, 4.95, 5.625, 5.55, 5.25, 5.25, 4.2, 6.3, 9.975, 13.95, 7.575, 6.9, 2.85, 5.925, 8.85, 0.9, 4.425, 3.675, 4.725, 2.625, 2.4, 5.475, 2.625, 3.675, 5.4, 5.775, 7.275, 6.975, 8.175, 9, 8.475, 3.45, 2.475, 2.25, 0.6, 1.8, 11.1, 8.4, 8.475, 8.1, 7.5, 6.375, 8.175, 4.95, 4.8, 4.275, 3.525, 3.375, 1.125, 2.7, 2.175, 1.95, 1.65, 1.2, 1.05, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
Biggest mouse step: 40
In a few seconds, the result of the CPU benchmark will appear, please wait...
CPU Mean: 4660.5
Obviously, getClientRects is completely different. It provides us with an interesting fingerprint vector. The rolling speed of milis is different, and the rolling delta is also different, because the hardware is different. You can see in the above data that the mouse on Computer 1 is the fastest. The CPU benchmark provides different results. Computer 1 is obviously faster than computer 2.
Conclusion
Even with Tor browsers, users can easily track their network activities and associate their access to different pages. GetClientrects provides an interesting fingerprint vector for identifying Tor browser users. The CPU benchmark, the scroll wheel, and the mouse speed provide more judgment information for similar users.