2025 Browser Fingerprinting Protections in Tor Mullvad Browser

Manuel Rego edited this page Jun 12, 2025 · 1 revision

WEH 2025 - Browser Fingerprinting Protections in Tor+Mullvad Browser

State linkability: avoidable by cleaning state and by using first-party isolation.

However, there's linkability through fingerprinting, which is harder to deal with.

There are several ideas:

  • metric normalization, for example:
    • all users in the same timezone
    • letterboxing (to minimize the number of detectable resolutions/inner window sizes, plus a normalized default size)
    • limit fonts to a certain standardized list, and bundle them when possible (e.g., on Linux)
    • more
  • randomization
    • the IP address when using the Tor network
    • canvases
  • disruption
    • completely disable geolocation and other APIs
    • prompt for canvas reading

Some metrics can't be hidden: for example, spoofing the OS in the user agent string is useless, because hiding the actual platform is extremely hard (e.g., because of fonts, and more).

Metric plausibility

Normalization might cause users to stand out in the crowds.

So, the normalized values need to be updated over time to appear realistic.

E.g., almost all computers have more than 2 cores nowadays.

Another example: RFP used to report UTC, but this triggered a lot of anti-bot protections. Therefore, we switched to Reykjavik instead.
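The two ideas above (normalizing metrics so users collapse into a few buckets, while keeping the normalized values plausible) can be made concrete with a small simulation. The following is an added example, not code from the talk or from Tor/Mullvad Browser: it applies hypothetical normalization rules (Reykjavik timezone, a fixed core count of 2, inner-window letterboxing to an assumed 200x100 px granularity, a bundled font list) to a constructed population of raw metrics and measures how many distinct fingerprints, and how many bits of entropy, survive.

```javascript
// Added example (not from the WEH notes or Tor Browser): simulate how metric
// normalization shrinks the set of distinguishable browser fingerprints.
// The 200x100 px letterboxing granularity, the Reykjavik timezone and the
// fixed core count are assumptions modelled on the behaviour the notes describe.

// Constructed sample population of raw metrics a fingerprinting script could read.
const RAW_POPULATION = [
  { tz: "Europe/Madrid",    cores: 8,  width: 1436, height: 803, fonts: ["Arial", "DejaVu Sans", "Noto Sans"] },
  { tz: "America/New_York", cores: 4,  width: 1280, height: 720, fonts: ["Arial", "Calibri"] },
  { tz: "Asia/Tokyo",       cores: 16, width: 1440, height: 900, fonts: ["Arial", "Meiryo", "DejaVu Sans", "Noto Sans"] },
  { tz: "Europe/Madrid",    cores: 8,  width: 1499, height: 870, fonts: ["Noto Sans", "Arial", "DejaVu Sans"] },
  { tz: "Europe/Berlin",    cores: 2,  width: 1024, height: 768, fonts: ["Arial", "DejaVu Sans", "Noto Sans"] },
  { tz: "America/New_York", cores: 4,  width: 1366, height: 768, fonts: ["Arial", "Calibri", "Segoe UI"] },
];

// Fonts the hypothetical browser bundles and lets pages observe.
const BUNDLED_FONTS = new Set(["Arial", "DejaVu Sans", "Noto Sans"]);

// Normalization rules (assumed values, chosen to stay plausible).
const NORMALIZED_TZ = "Atlantic/Reykjavik"; // UTC+0 without reporting a bare "UTC"
const NORMALIZED_CORES = 2;                  // a low but realistic core count
const LETTERBOX_W = 200, LETTERBOX_H = 100;  // assumed rounding granularity

// Round the content area down to the nearest multiple of the step, so many
// real window sizes collapse into one bucket; never go below one step.
function letterbox(width, height) {
  return {
    width: Math.max(LETTERBOX_W, Math.floor(width / LETTERBOX_W) * LETTERBOX_W),
    height: Math.max(LETTERBOX_H, Math.floor(height / LETTERBOX_H) * LETTERBOX_H),
  };
}

// Apply all normalization rules to one set of raw metrics.
function normalize(m) {
  const box = letterbox(m.width, m.height);
  return {
    tz: NORMALIZED_TZ,
    cores: NORMALIZED_CORES,
    width: box.width,
    height: box.height,
    // Only bundled fonts are exposed, in a fixed order, so font enumeration
    // yields the same list regardless of what the OS actually has installed.
    fonts: m.fonts.filter((f) => BUNDLED_FONTS.has(f)).sort(),
  };
}

// A fingerprint is just the concatenation of the observable metrics.
function fingerprint(m) {
  return [m.tz, m.cores, m.width, m.height, m.fonts.join(",")].join("|");
}

// Number of distinct fingerprints and Shannon entropy (bits) over a population:
// how much an observer learns, on average, from seeing one fingerprint.
function entropyBits(population) {
  const counts = new Map();
  for (const m of population) {
    const fp = fingerprint(m);
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / population.length;
    bits -= p * Math.log2(p);
  }
  return { distinct: counts.size, bits };
}

// Compare the raw population against its normalized form.
function compare(population = RAW_POPULATION) {
  return {
    raw: entropyBits(population),
    normalized: entropyBits(population.map(normalize)),
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

In the constructed population every raw profile is unique (6 distinct values, log2(6) bits), while after normalization only the letterboxed window size and the surviving bundled fonts still separate users, leaving 4 buckets. The same structure shows the plausibility trade-off from the notes: the bucket values (Reykjavik, 2 cores) are ordinary enough not to trip anti-bot heuristics, whereas a bucket like "UTC" would make the whole crowd stand out as one recognisable group.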

Challenges

  • web compatibility is one of the biggest problems
  • accessibility
  • backlogs of stuff to audit

Future

  • Cross-browser fingerprinting resistance
  • Fingerprinting protection taken more into account when creating new standards
  • It's an arms race: protections need to be kept updated

Questions

Q: How to deal with accepted-languages so that it isn't fingerprintable? A: It's very hard, i18n/l10n in particular. We tried to normalize also on that, but sometimes too hard (e.g., pt-PT vs pt-BR). We need more users in those buckets.

Q: Being on the W3C Technical Architecture Group, I see a lot of privacy specs that try to recreate the functionality of 3PCookies; is Tor involved in any standards that address fingerprinting/web privacy? A: Kind of, we're involved in Web App Sec and are considering becoming W3C members.

Q: Stripping all locales except en-US makes a lot of people unhappy, how do you deal with it? A: Currently we don't 😒. It's something we have room to improve. Firefox might add an en-ZZ locale (English, unknown region, see here).

Q: How do you measure success? A: Currently mostly from a theoretical point of view. We don't have telemetry we can use to answer this with actual data.

Q: (something about randomization vs. normalization) A:

Q: Should new standards think about "fingerprinting profiles" to accommodate the various needs of the different user agents? E.g., recommend shipping only a few locales for privacy-concerned agents, and a lot of locales for UX-centered user agents. A: This example with localization is a thing that is extremely hard to get around. W3C has a privacy group that is starting to do horizontal reviews. It's a very recent thing that is still getting started.

Q: Would working in standardization be a smarter way to use the time, rather than auditing patches? A: We don't go through each patch, but we try to filter to catch the important stuff. Anyway, we've had bad luck so far at making our voice heard.

Q: Is there a way to ask TPO a position about the standards? Or to warn about an upcoming functionality/standard that could be harmful for some users? A: Please send them to [email protected], she will forward to the relevant people (even though we should find another way). Also we [email protected].