{{Header}}
{{Title|title=
Network, Browser and Website Fingerprint
}}
{{#seo:
|description=About {{project_name_long}} Network, Bridge/Guard, Internet Service Provider (ISP) Fingerprint and Website Traffic Fingerprinting.
|image=Eye-319668-640.jpg
}}
[[image:Eye-319668-640.jpg|thumb]]
{{intro|
About {{project_name_short}} Network, Bridge/Guard, Internet Service Provider (ISP) Fingerprint and Website Traffic Fingerprinting.
}}
<!--
Copyright:

   {{project_name_short}} Anonymity wiki page Copyright (C) Amnesia <amnesia at boum dot org>
   {{project_name_short}} Anonymity wiki page Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to:

    Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor
    Boston, MA 02110-1301, USA.

On Debian GNU/Linux systems, the complete text of the GNU General Public
License can be found in the /usr/share/common-licenses' directory.

The complete text of the GNU General Public License can also be found online on gnu.org <https://www.gnu.org/licenses/gpl.html>, in {{project_name_short}} virtual machine images in /usr/share/common-licenses/GPL-3 file or on Github <https://github.com/{{project_name_short}}/derivative-maker/blob/master/GPLv3>.
-&rarr;
<!--
The {{project_name_short}} Fingerprint wiki page is forked from the Tails Fingerprint page, from this exact source <https://git.immerda.ch/?p=amnesia.git;a=blob;f=wiki/src/doc/about/fingerprint.mdwn;h=24d279245503ec0014b941c82266b6127fe0a1dc;hb=b10ce9f3622437faa7fe2b0b52c83a4fe018fc4a>.
-->
= Introduction =

In this chapter, the term ''fingerprint'' refers to the specific way {{project_name_short}} behaves on the Internet. Those specificities could be used to determine whether a particular user is running {{project_name_short}} or not.

As explained on the [[Warning]] page, the default {{project_name_short}} configuration does not hide Tor use from network observers. However, the {{project_name_short}} design attempts to make {{project_name_short}} users indistinguishable from the rest of the Tor population, particularly Tor Browser (TB) <ref name="tbb" /> users. If {{project_name_short}} and TBB <ref name=tbb>TBB stands for [https://www.torproject.org/download/ Tor Browser Bundle]. It is included in {{project_name_short}}, see [[Tor Browser]].</ref> users have distinct fingerprints, then this information significantly degrades anonymity because the {{project_name_short}} user base is far smaller than the broader Tor population. <ref>Certainly less than 50,000 users, although [https://phabricator.whonix.org/T689 an exact figure] is yet to be published.</ref>

This section briefly addresses possible {{project_name_short}} fingerprinting issues and how adversaries might use this information to verify {{project_name_short}} is in use.

{{Anchor|web fingerprint}}

{{Anchor|web_fingerprint}}

= Fingerprinting Information =

{{mbox
| type      = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = '''Tip:''' A unique fingerprint makes the user [[Tips_on_Remaining_Anonymous#Study:_Anonymity_and_Pseudonymity_are_not_the_same|pseudonymous rather than anonymous]].
}}

Various types of information can be leaked about the user's browser, (host) operating system and hardware depending on the external party in question.

== Entry Guards or Bridges ==

As noted in the [[Tor_Entry_Guards#Guard_Fingerprinting|Guard Fingerprinting]] chapter, using persistent Tor guards or bridges can threaten anonymity under certain circumstances:

<blockquote>
While natural guard rotation is recommended, there are some corner cases in which an adversary could fingerprint the entry guards and de-anonymize a user. For instance:
* The same entry guards are used across various physical locations and access points.
* The same entry guards are used after permanently moving to a different physical location.
</blockquote>

For example, if an adversary monitoring network activity observes a user connecting from multiple physical locations with persistent guards/bridges, then it can be reasonably assumed that all connections stem from the same person. Mitigating this risk requires techniques like using new Tor entry guards or configuring alternate bridges for different places.

Nick Mathewson, co-founder of The Tor Project suggests additional precautions when moving networks: <ref>[https://lists.torproject.org/pipermail/tor-dev/2013-September/005424.html tor-dev: entry guards and linkability]</ref>

* [[MAC_Address|Spoof the MAC address]] with randomized values on each move.
* Absolutely prevent non-Tor connections.
* Ensure a unique set of Tor entry guards (bridges) is utilized for each network you connect from. <ref>Note: this is not a recommendation for non-persistent guards because a hostile DHCP server might provide new IPs until a hostile guard is chosen.</ref>
* Minimize the threat of stored Tor state files which record every network visited.

"Absolutely prevent non-Tor connections." is useful anyhow for other reasons as well, see also [[Tips_on_Remaining_Anonymous#Only_Connect_to_a_Server_Either_Anonymously_Or_Non-anonymously|Do Not Connect to a Server Anonymously and Non-anonymously at the Same Time]]. <ref>
Qubes feature request: [https://github.com/QubesOS/qubes-issues/issues/7586 document how to route all traffic over Tor / how to disable Qubes default clearnet traffic]
</ref>

{{Anchor|ISP fingerprint}}

== ISP or Local Network Administrators ==

'''Table:''' ''Fingerprinting Domains''

{| class="wikitable"
|-
! scope="col"| '''Domain'''
! scope="col"| '''Description'''
|-

! scope="row"| Network Stack Hardening
| {{project_name_short}} has implemented various [https://github.com/Kicksecure/security-misc security hardening] measures like disabling TCP timestamps, ICMP redirections, firewalling invalid packages, and more. Unfortunately these measures can increase the risk of ISP or Local Network fingerprinting. Despite this, security hardening has been prioritized.
|-

! scope="row"| Random ISN Generation
| {{project_name_short}} prevents [https://dl.acm.org/doi/10.1145/1180405.1180410 de-anonymization of Tor onion services] through [https://github.com/Kicksecure/tirdad Tirdad kernel module for random ISN generation]. De-anonymization resistance unfortunately reduces ISP or Local Network fingerprinting resistance. Despite this, resistance against de-anonymization has been prioritized.
|-

! scope="row"| Tor Enforcement
|
{{project_name_short}} solely generates Tor activity on the network. All traffic from both the {{project_name_workstation_long}} (<code>{{project_name_workstation_template}}</code>) and {{project_name_gateway_long}} (<code>{{project_name_gateway_template}}</code>) such as TBB <ref name="tbb" />, updates, and sdwdate pass through Tor. Establishing an online connection is the task of the host, so the host <ref>In case of Default/Download version, it is the host's task to establish an online connection. In the case of [[Dev/Build_Documentation/Physical_Isolation|Physical Isolation]], it is the gateway's task to establish an online connection. </ref> is most likely using DHCP to obtain a local IP address. <br />

In contrast, usually TBB <ref name="tbb" /> users have additional network activity outside of Tor, either from another web browser or other applications. This means the proportion or volume of Tor activity might be feasible identifiers to predict whether a user is running {{project_name_short}} or the TBB <ref name="tbb" />. It is probably harder for the ISP to determine whether a single user is solely generating Tor traffic (and potentially using {{project_name_short}}) if:

* The Internet connection is shared with other users that do not run {{project_name_short}}.
* A browser is also used on the host. <ref>This comes with the attendant risk of the user confusing one browser with another.</ref>
|-

! scope="row"| Tor Entry Guards
| {{project_name_short}} uses an unmodified version of Tor, <ref>[[Tor#Does_{{project_name_short}}_Modify_Tor? | {{project_name_short}} uses an unmodified version of Tor]]</ref> so [[Tor_Entry_Guards|entry guards]] are used as the default mechanism to connect to the Tor network. <ref>https://support.torproject.org/#about_entry-guards</ref> Consequently, a Tor user will maintain the same relay as the first hop for an extended period, <ref>Typically the entry guards are rotated after a few months.</ref> which is a security feature.

One addition which is unique to {{project_name_short}} is its Tor configuration <ref>https://github.com/{{project_name_short}}/anon-gw-anonymizer-config</ref> for the <code>Stream Isolation</code><ref>[[Stream Isolation]]</ref> security feature.
|-

! scope="row"| Time Synchronization
| When {{project_name_short}} is started, the system clock is synchronized to make sure it slightly differs from the host clock via <code>[[sdwdate]]</code>. <code>[https://www.kicksecure.com/wiki/Systemcheck systemcheck]</code> also issues some network traffic to check for updates and news, which all passes through different circuits. This behavior might be specific to {{project_name_short}}. <ref>It is unknown if an ISP can detect whether a user has many different Tor circuits open. On the other hand, Tor seems to only open X entry guards and maintain them for a period, thus not opening as many entry guards as streams.</ref>
|-

! scope="row"| [[Fingerprint#Website Traffic Fingerprinting|Website Traffic Fingerprinting]]
| Website traffic fingerprinting is also an open Tor research question, which is unspecific to {{project_name_short}}. <ref>See [https://2019.www.torproject.org/projects/torbrowser/design/ Tor Browser Design] for further exploration of this issue.</ref> A related and unresearched issue is whether fingerprinting risks also apply to other traffic, such as <code>apt</code> traffic.
|-

! scope="row"| [[Whonix-Host]]
| Once Whonix-Host is available it will exclusively generate Tor traffic in the default configuration. <ref>
[https://forums.whonix.org/t/should-whonix-host-be-fully-torified-by-default/7404 Should {{project_name_short}} host be fully torified by default?]
</ref> This is very different from other operating systems, for example a Microsoft Windows host running Tor Browser.
|-

|}

In conclusion, the ability of the ISP or local network administrator to distinctly identify users who utilize Tor Browser Bundle, {{project_name_short}}, Tails, a custom transparent Tor proxy or similar project, depends on how differently a system is configured. Anonymity/security/privacy-focused operating systems will inevitably differ from other Tor users using popular operating systems. For example, somebody using Tails or {{project_name_short}} will have a different network fingerprint than a Microsoft Windows user utilizing Tor Browser Bundle since that will be paired with standard clearnet traffic. This is a necessary tradeoff to advance the state of technological privacy relative to the status quo.

Improved fingerprinting resistance in the near term is unlikely. This would require choosing and emulating the most popular host operating system in combination with the most widespread method of accessing Tor, which is probably Tor Browser on Microsoft Windows. Without running this setup, it is infeasible the Microsoft Windows network fingerprint could be sufficiently emulated in order to fool an ISP or local network observer. Putting aside the many [[Windows Hosts|reasons to not use Windows]], even after lots of effort it could not be proven effective.

A related topic is the potential to [[Hide_Tor_from_your_Internet_Service_Provider|Hide Tor use from the Internet Service Provider]]. It has been concluded it is possible to circumvent censorship, but hiding Tor is impractical. This is especially true with respect to global passive adversaries who can record and store all relevant traffic.

<blockquote>It is impossible to hide Tor use from the <u>I</u>nternet <u>S</u>ervice <u>P</u>rovider (ISP). It has been concluded this goal is difficult beyond practicality.</blockquote>

== Visited Websites ==

Destination websites can retrieve [[Data_Collection_Techniques|a lot of information]] about a user's browser and system, while [[Tor_Browser/Advanced_Users#Adversary_Attack_Capabilities|advanced adversaries]] have even greater capabilities. <ref>Information that is leaked depends on the browser in use, JavaScript settings, Tor Browser's security slider settings, whether it is a malicious attack or not, and other factors.</ref> This information can include:
<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
* the browser name and version
* CSS media queries:
** window dimensions
** desktop size
** widget size
** display type
** DPI
* a list of available extensions
* timezone <ref>Via the date object.</ref>
* available fonts
* user agent
* video card in use <ref>Via WebGL.</ref>
* CPU and interpreter speed
* browser history <ref>For example, using CSS and JavaScript to perform history disclosure attacks.</ref>
* via exploited plugins:
** leak the non-Tor IP address
** interface addresses and other machine information
** list all plugins to fingerprint the user
** retrieve unique plugin identifiers
* read / store identifiers related to HTTP auth, DOM storage, cached scripts, client certificates and TLS session IDs
* browser cache
* giving the user a unique favicon <ref> Note that in the Tor Browser, favicons are wiped after pressing the 'New Identity' button or exiting the current session. The Tor Browser cannot protect you from this method while you are in a session though.

This method is usually only used to detect if a user of the site that previously browsed the site at a different connection is accessing the site from the same browser regardless if they try to obfuscate where they are connecting from. There are no recorded attacks of this being used against Whonix or regular users in the wild, but practical implementations do exist.
</ref> <ref>
An example of an implementation is the supercookie project at https://github.com/jonasstrehle/supercookie
</ref>
</div>
To make it difficult to distinguish {{project_name_short}} and TBB <ref name="tbb" /> users, TBB <ref name="tbb" /> is included on the platform. Therefore, {{project_name_short}} should provide the same information as TBB <ref name="tbb" /> in order to generate very similar fingerprints.

= Website Traffic Fingerprinting =

"Website fingerprinting" is an attack where the adversary observes a user's encrypted data traffic, and uses traffic timing and quantity to guess what website is being visited. In order to find potential target matches, the adversary utilizes a database of web pages -- which are regularly downloaded in order to record their traffic timing and quantity characteristics -- for comparison against encrypted traffic. This attack is carried out by adversaries external to the Tor network who observe traffic between a user and the Tor relay or bridge. <ref>Quote research paper by University of Waterloo, [https://uwspace.uwaterloo.ca/handle/10012/10123 Website Fingerprinting: Attacks and Defenses]:

<blockquote>
Website fingerprinting attacks allow a local, passive eavesdropper to determine a client's web activity by leveraging features from her packet sequence. These attacks break the privacy expected by users of privacy technologies, including low-latency anonymity networks such as proxies, VPNs, or Tor. As a discipline, website fingerprinting is an application of machine learning techniques to the diverse field of privacy. To perform a website fingerprinting attack, the eavesdropping attacker passively records the time, direction, and size of the client's packets. Then, he uses a machine learning algorithm to classify the packet sequence so as to determine the web page it came from.
</blockquote></ref>
<ref>https://forums.whonix.org/t/new-low-cost-traffic-analysis-attacks-and-mitigations/8708 forum discussion</ref> The observer will not know the exact contents of the page (such as user names, passwords, etc.), but they can know with reasonable certainty that a specific website was visited, such as  <code>google.com</code>.

This [https://blog.torproject.org/new-low-cost-traffic-analysis-attacks-mitigations Tor Project blog post] suggests this attack on clearnet sites visited through Tor is impractical. The reason is the sheer variety of traffic and the vast number of pages visited through Tor results in a very high rate of false positives. <ref>https://blog.torproject.org/critique-website-traffic-fingerprinting-attacks</ref> However, the attack might be more practical against users visiting Onion services because the classifier leverages real-time ad network bidding and DNS to further narrow down the possible set of pages accessed to the Onion-space and further still, picking out which one. Onion service padding is deployed to mitigate this threat.

This attack should not be confused with end-to-end correlation attacks performed by malicious Entry guards set up by Tor-relay level adversaries.

= {{project_name_short}} Fingerprint Comparison =

* [[Comparison with Others#Fingerprint|Fingerprint: {{project_name_short}} vs other anonymity systems or tools]]

= Further Reading =

* [[Protocol-Leak-Protection and Fingerprinting-Protection|Protocol Leak Protection and Fingerprinting Protection]]

= See Also =
* [[VM Fingerprinting]]
* [[Hide_Tor_from_your_Internet_Service_Provider|Hide Tor use from the Internet Service Provider]]

= References =
{{reflist|close=1}}

= License =
{{License_Amnesia|{{FULLPAGENAME}}}}

{{Footer}}

[[Category:Documentation]] [[Category:Design]]