Opened 4 years ago

Last modified 16 months ago

#11333 new task

Audit requestAnimationFrame() and possible timing attacks

Reported by: gk
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-firefox-patch, tbb-fingerprinting-time-highres
Cc: dcf@…, adrelanos@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by gk)

We should investigate how effective timing attacks are against Tor Browser if we time the rendering process with requestAnimationFrame().

Some examples to study are mentioned in:

https://dl.acm.org/citation.cfm?id=2516712
http://www.contextis.com/files/Browser_Timing_Attacks.pdf

Ideally, the audit would contain suggestions on how to mitigate possible issues.

Child Tickets

Change History (14)

comment:1 Changed 4 years ago by gk

The SVG filter attack got fixed in Fx22 (https://bugzilla.mozilla.org/show_bug.cgi?id=711043) and testing the PoC for the link repainting attack to extract browsing history (https://bugzilla.mozilla.org/show_bug.cgi?id=884270) indicates it does not work against TBB based on ESR24. But we should look closer at this one, and other attacks remain to be investigated.

I expect more timing attacks with this API are cropping up in the near/middle future, so we might start thinking about avoiding all of them by patching requestAnimationFrame(), e.g. in a way that makes it less precise.
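
The idea of making requestAnimationFrame() less precise, as an added illustration that is not Tor Browser code or a patch from this ticket: the wrapper below rounds the timestamp handed to each rAF callback down to a coarse grid, and a constructed fake scheduler (the frame times and the 100 ms resolution are assumptions) shows that a frame which took noticeably longer to render is visible in the raw deltas but disappears after coarsening.

```javascript
// Round a DOMHighResTimeStamp (ms) down to a multiple of `resolutionMs`.
function coarsenTimestamp(ts, resolutionMs) {
  return Math.floor(ts / resolutionMs) * resolutionMs;
}

// Wrap a requestAnimationFrame-like function so that callbacks only ever
// see coarsened timestamps. `raf` is injected so this runs outside a browser.
function makeCoarseRAF(raf, resolutionMs) {
  return function coarseRAF(callback) {
    return raf(function (ts) {
      callback(coarsenTimestamp(ts, resolutionMs));
    });
  };
}

// Deltas between consecutive frame timestamps, i.e. what a page measuring
// rendering cost with rAF would look at.
function frameDeltas(timestamps) {
  const deltas = [];
  for (let i = 1; i < timestamps.length; i++) {
    deltas.push(timestamps[i] - timestamps[i - 1]);
  }
  return deltas;
}

// Constructed sample frame times (ms): ~16.7 ms apart, except that the
// fourth frame arrives ~30 ms after the third, as an expensive repaint would.
const SAMPLE_FRAME_TIMES = [1000.4, 1017.1, 1033.8, 1063.2, 1080.0];

// Drive a fake synchronous scheduler through the sample frames and record
// the timestamps the callbacks observe. resolutionMs = 0 means "unpatched".
function simulate(frameTimes, resolutionMs) {
  let i = 0;
  const fakeRAF = (cb) => { cb(frameTimes[i++]); return i; };
  const raf = resolutionMs ? makeCoarseRAF(fakeRAF, resolutionMs) : fakeRAF;
  const seen = [];
  for (let n = 0; n < frameTimes.length; n++) raf((ts) => seen.push(ts));
  return seen;
}

// Raw deltas expose the slow frame; with 100 ms coarsening every callback
// sees 1000 and all deltas collapse to 0.
console.log(frameDeltas(simulate(SAMPLE_FRAME_TIMES, 0)));
console.log(frameDeltas(simulate(SAMPLE_FRAME_TIMES, 100)));
```

Coarsening alone still leaks across grid boundaries if an attacker repeats a measurement many times, which is why later approaches also add jitter; the block only shows the basic quantization step.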

comment:2 Changed 4 years ago by gk

Description: modified (diff)

comment:3 in reply to: 1 Changed 4 years ago by gk

Replying to gk:

I expect more timing attacks with this API are cropping up in the near/middle future

Looks like another issue regarding SVG filters was found and fixed in the recent ESR update: https://www.mozilla.org/security/announce/2014/mfsa2014-28.html

comment:4 Changed 3 years ago by erinn

Keywords: tbb-firefox-patch added

comment:5 Changed 3 years ago by erinn

Component: changed from Firefox Patch Issues to Tor Browser
Owner: changed from mikeperry to tbb-team

comment:7 Changed 3 years ago by dcf

Cc: dcf@… added

comment:8 in reply to: 1 Changed 3 years ago by gk

Replying to gk:

The SVG filter attack got fixed in Fx22 (https://bugzilla.mozilla.org/show_bug.cgi?id=711043) and testing the PoC for the link repainting attack to extract browsing history (https://bugzilla.mozilla.org/show_bug.cgi?id=884270) indicates it does not work against TBB based on ESR24.

Well, that was wrong: the PoC works against both Tor Browser based on ESR24 and ESR31, provided one leaves private browsing mode.

comment:9 Changed 3 years ago by mikeperry

Keywords: tbb-fingerprinting added

comment:10 Changed 3 years ago by mikeperry

Keywords: tbb-fingerprinting-time-highres added; tbb-fingerprinting removed

comment:11 Changed 3 years ago by mikeperry

Parent ID: #3059

comment:12 Changed 3 years ago by proper

Cc: adrelanos@… added

comment:14 Changed 16 months ago by gk

Severity: Normal

See also #16110 and the Trusted Browsers for Uncertain Times paper (linked there).
