Re: Firefox sends your uptime

To: or-talk@xxxxxxxxxxxxx

Subject: Re: Firefox sends your uptime

From: defcon <defconoii@xxxxxxxxx>

Date: Sat, 19 Apr 2008 23:08:09 -0700

Delivered-to: archiver@xxxxxxxx

Delivered-to: or-talk-outgoing@xxxxxxxx

Delivered-to: or-talk@xxxxxxxx

Delivery-date: Sun, 20 Apr 2008 02:08:15 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; bh=pMZBvuejI+mZn/Jq0jcMUsW0KfaqlSP0EE8GPx2XU0w=; b=R3Iu3EOJcRMtK9X7YypMD3faunRieROoBpfnpP3NYiAm7QJBudx64DN/Hi2x96VSOFoFTftGZSqUyS7TYFKUlK7Kv1A6vuBheOaoAJCicLJpE71rtK3ce7WeagtkZVQkraZS5DL3JGOCdK75B/xI17nS/6HQBuPcBo3ZFw9QzPA=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=B1KljFyLaUK1sXZXTtvu2JcjwiCB4QdAEUcS1D1oir65Q1JoSPj4mqAMpVwhCp9r+Fom7sO6PBxNiQ/QMZlM9mwKOx8Of+fXYUz/GEZ/qRBE1anILhfHuThFPQuHh7zAlxbM9rPw6K6ZV6tvmQUJTZOzXYXhXeqcs4JlfF0oYvU=

In-reply-to: <e692861c0804192133x28169402gc9c165ff5414c63f@xxxxxxxxxxxxxx>

References: <47F74DF9.6060909@xxxxxxxxxxxx> <20080420040523.GA23020@xxxxxxxxxx> <e692861c0804192133x28169402gc9c165ff5414c63f@xxxxxxxxxxxxxx>

Reply-to: or-talk@xxxxxxxxxxxxx

Sender: owner-or-talk@xxxxxxxxxxxxx

Here

On Sat, Apr 19, 2008 at 9:33 PM, Gregory Maxwell <gmaxwell@xxxxxxxxx> wrote:

On Sun, Apr 20, 2008 at 12:05 AM, Mike Perry <mikeperry@xxxxxxxxxx> wrote:
> Thus spake .FUF (fuf@xxxxxxxxxxxx):

> Incidentally, this was filed as Firefox Bug
> https://bugzilla.mozilla.org/show_bug.cgi?id=405652. They have a fix
> in the 3.0 branch. I requested backport into FF2.0.

It looks like the change just makes it send the current time. While
that should be an improvement, It's not at all clear to me that the
privacy issues of this are fixed.

Many many users do not have clocks which are accurate enough that
second level quantization hides their skew. I've successfully used
remote client time to identify trouble making users on IRC (though on
IRC I had the benefit of the returned time being local time rather
than GMT).

If the world didn't end with the client sending uptime .. could
perhaps it send some other value?