Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

An option to hide CPU cores number #181

Closed
BananaMangoFestival opened this issue Sep 14, 2016 · 10 comments
Closed

An option to hide CPU cores number #181

BananaMangoFestival opened this issue Sep 14, 2016 · 10 comments
Labels
fingerprinting needs more info

Comments

@BananaMangoFestival
Copy link

BananaMangoFestival commented Sep 14, 2016
edited
Loading

Javascript reveals your CPU cores number (even with a CPU override option) as we can see here :

So I found out an option to fake this, in about:config, limit "dom.workers.maxPerDomain" to the number that you want (0 = no threads (Tor displays no threads with these websites)) and restart Firefox.

EDIT : This thing has been integrated only since the 48 version of Firefox, I tested with the 47 version and it displays no threads, like Tor. (there is no line "Hardware Concurrency" in browserleaks while there is one in the 48)

So if you're using a useragent that displays a version prior to 48, you should logically put 0.
@pyllyukko
Copy link
Owner

Hmm. It sounds like the dom.workers.maxPerDomain might actually affect Firefox's performance.

Tor Browser has this settings at 20 but probably just spoofs it to the sites.

@Atavic Atavic mentioned this issue Feb 26, 2017
Closed
14 tasks
@Atavic
Copy link

Atavic commented Feb 26, 2017

The user agent MAY report fewer than the number of actual logical processors to reduce the efficacy of fingerprinting.

https://wiki.whatwg.org/wiki/NavigatorCores#Privacy_considerations

@pyllyukko
Copy link
Owner

Somewhat related: #13027 (Make WebWorkers use spoofed navigator.* useragent values)

@pyllyukko
Copy link
Owner

I don't think dom.workers.maxPerDomain is the answer here, as Tor Browser also has it at 20. What is the proper method to deter this fingerprinting?

@Atavic
Copy link

Atavic commented Jun 27, 2017
edited
Loading

dom.workers.maxPerDomain set to 0 is an incorrect choice.

Deterring methods

Like #128 it's Webworkers that test your browser. These scripts ignore the webpage CSP and
you can limit them by injecting CSP Policies, like explained here.

I don't know yet if Request Policy has similar features.

@Thorin-Oakenpants
Copy link

Thorin-Oakenpants commented Jun 28, 2017
edited
Loading

What is the proper method to deter this fingerprinting?

privacy.resistFingerprinting [FF55+ .. only 7 more weeks to go, hang in there!!]

 ** spoof navigator.hardwareConcurrency as 2 (FF55+)
   This spoof *shouldn't* affect core chrome/Firefox performance
   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1360039

They use 2 since that is the most common metric - https://metrics.mozilla.com/firefox-hardware-report/

Meanwhile: DON'T use this one - fairly sure (and not just me) that this will cripple/affect performance - imagine having 16 cores and being limited to 2 [we could of course be wrong about this - I've never tested e10s with this pref etc, but now 54 is here, maybe someone could have a play]

/* 2514: spoof (or limit?) number of CPU cores (also see 2699f) (FF48+)
 * [WARNING] *may* affect core chrome/Firefox performance, will affect content.
 * Highly recommended to leave this (dom) and use 2699f (navigator)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1008453
 * [2] https://trac.torproject.org/projects/tor/ticket/21675
 * [3] https://trac.torproject.org/projects/tor/ticket/22127
 * [4] https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency ***/
   // user_pref("dom.maxHardwareConcurrency", 2);

Meanwhile ... https://bugzilla.mozilla.org/show_bug.cgi?id=1333933 which was going to enforce pref values for privacy.resistFingerprinting, has been dropped effectively in favor of enforcing it in code (see the first code snippet above re ticket https://bugzilla.mozilla.org/show_bug.cgi?id=1360039). This ticket listed dom.maxHardwareConcurrency as one of the prefs to flip.

So .. all in all, if anyone has 55, enable privacy.resistFingerprinting, make sure dom.maxHardwareConcurrency is at default, enable e10s .. set process numbers if needed ... and test a) spoofed value = 2 b) cores/processes used is not affected

pyllyukko added a commit that referenced this issue Jun 28, 2017
@pyllyukko
Add link relating to privacy.resistFingerprinting
d1044b1 
From
#181 (comment)
@BananaMangoFestival
Copy link
Author

Since latest versions of Tor Browser, the default value of dom.maxHardwareConcurrency is set to 1, maybe now we should do so for Firefox?

@pyllyukko
Copy link
Owner

Since latest versions of Tor Browser, the default value of dom.maxHardwareConcurrency is set to 1, maybe now we should do so for Firefox?

Thanks for bumping. It's done now. Commit 2a5aa10 also relates 😝

@Thorin-Oakenpants
Copy link

This should IMO be 2, not 1. This is not the Tor browser, it is Firefox and you cannot hide that. The best metric is 2 (most common) and will have less impact on FF itself. RFP also uses 2.

pyllyukko added a commit that referenced this issue Oct 7, 2017
@pyllyukko
dom.maxHardwareConcurrency -> 2
f625e4a 
As suggested in
#181 (comment)
@pyllyukko
Copy link
Owner

The best metric is 2 (most common) and will have less impact on FF itself. RFP also uses 2.

Fixed in f625e4a. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
fingerprinting needs more info
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pyllyukko @Thorin-Oakenpants @BananaMangoFestival @Atavic