Re: [tor-bugs] #1517 [Torbutton]: Tor Browser should provide JS with reduced time precision (was: Torbutton should randomize times from Date())
#1517: Tor Browser should provide JS with reduced time precision
-------------------------+--------------------------------------------------
Reporter: mikeperry | Owner:
Type: enhancement | Status: new
Priority: major | Milestone:
Component: Torbutton | Version:
Keywords: | Parent: #2871
Points: 16 | Actualpoints:
-------------------------+--------------------------------------------------
Changes (by mikeperry):
* points: => 16
Old description:
> To help reduce information available to fingerprinting, we should
> randomize the values returned from Date(). I've never thought this was a
> useful thing to do before, because Tor latency is high enough and
> variable enough that most machines using NTP should be well concealed
> within the noise.
>
> However, bug #1261 brings up a good point about javascript being able to
> measure the time intervals of various things (such as typing, but really
> it could be anything) to produce a fingerprint.
>
> Unfortunately, we may need Firefox support for this, unless their
> javascript engine has changed to allow hooking of the Date() object
> again.
New description:
To help reduce information available to fingerprinting, we should
randomize or truncate the values returned from Date(), event.timeStamp,
and interval timers. I've never thought this was a useful thing to do
before, because Tor latency is high enough and variable enough that most
machines using NTP should be well concealed within the noise.

However, bug #1261 brings up a good point about javascript being able to
measure the time intervals of various things (such as typing, but really
it could be anything) to produce a fingerprint.

Unfortunately, we may need Firefox support for this, unless their
javascript engine has changed to allow hooking of the Date() object again.
--
Comment:
Rough guess here. Depends on how centralized the JS interpreter's
timesource is. It may be all over the place, and far from config settings
to control it. Also, some testing of YouTube and various HTML5 demo sites
should be performed, especially those involving rendered graphics and
synchronized animations.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1517#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
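
The truncation option from the ticket description, as an added sketch that is not Torbutton or Firefox code: timestamps are floored to a 100 ms grain (an assumed value; the ticket names no resolution) and the effect is measured on constructed keydown times for two typists. The names `clampTime`, `coarseClock` and `differingIntervals` are hypothetical.

```javascript
// Added illustration, not Torbutton or Firefox code.
// GRAIN_MS is an assumed resolution; the ticket does not name one.
const GRAIN_MS = 100;

// Floor a millisecond timestamp to a multiple of the grain. Flooring keeps
// the clock monotonic: a later reading never maps below an earlier one.
function clampTime(ms, grain = GRAIN_MS) {
  return Math.floor(ms / grain) * grain;
}

// Wrap a time source (Date.now, performance.now, an event.timeStamp getter)
// so that callers only ever see clamped readings.
function coarseClock(now, grain = GRAIN_MS) {
  return () => clampTime(now(), grain);
}

// Intervals between consecutive events, as a page script would compute them.
function intervals(stamps) {
  return stamps.slice(1).map((t, i) => t - stamps[i]);
}

// Number of positions at which two users' intervals differ at a given grain.
function differingIntervals(a, b, grain) {
  const ia = intervals(a.map((t) => clampTime(t, grain)));
  const ib = intervals(b.map((t) => clampTime(t, grain)));
  return ia.filter((d, i) => d !== ib[i]).length;
}

// Constructed keydown times (ms) for two users typing the same six keys.
const userA = [1000, 1112, 1239, 1341, 1475, 1583];
const userB = [1000, 1131, 1226, 1358, 1462, 1610];

console.log("1 ms grain:", intervals(userA), intervals(userB));
console.log("differing intervals at 1 ms:", differingIntervals(userA, userB, 1));
console.log("differing intervals at 100 ms:", differingIntervals(userA, userB, GRAIN_MS));
// Truncation reduces what the intervals reveal; it does not remove it. One
// interval of userB still crosses an extra grain boundary and stays distinct.
const clock = coarseClock(Date.now);
console.log("clamped Date.now():", clock());
```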