Re: [tor-bugs] #12999 [Tor Browser]: Use one clock skew per URL bar domain
#12999: Use one clock skew per URL bar domain
--------------------------------+------------------------------------------
     Reporter:  arthuredelstein |          Owner:  tbb-team
                                |         Status:  new
         Type:  enhancement     |      Milestone:
     Priority:  normal          |        Version:
    Component:  Tor Browser     |       Keywords:  tbb-fingerprinting-time-skew
   Resolution:                  |      Parent ID:
Actual Points:                  |
       Points:                  |
--------------------------------+------------------------------------------
Comment (by arthuredelstein):
Replying to [comment:4 mikeperry]:
> One thing that Arthur and I discussed today was adding some kind of
> RELAY cell command to obtain the current time from the exit. In
> retrospect, this also seems bad, because the exit could use this to lie to
> you about the current time to get you to accept an expired or invalid SSL
> cert, or to generally cause havoc on your notion of time for a webapp.

Good point. I guess there needs to be a way to detect lying, perhaps by
comparing to a time consensus. Though I'm not sure SSL cert validation
needs to be using the exit node clock in any case.

> Another option is to periodically run tlsdate-style time lookups using a
> helper app independent from Tor, and use that for time. I think this may
> actually be the sanest approach.

I agree this would be a simpler approach. My concern with it is that the
global system time on the client might have a skew that could be used to
link identities across different circuits. The worst case would be a
hostile time server. I also worry that an exit node imposing an arbitrary
latency to timing messages from the time server could result in a
detectable clock skew in the client.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12999#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online