Opened 6 years ago

Closed 2 years ago

#3059 closed defect (fixed)

Find some way to deal with time-based fingerprints

Reported by: mikeperry Owned by: tbb-team
Priority: High Milestone: TorBrowserBundle 2.3.x-stable
Component: Applications/Tor Browser Version:
Severity: Keywords: tbb-fingerprinting, tbb-firefox-patch, TorBrowserTeam201501
Cc: gk, lunar@…, StrangeCharm, adrelanos@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by mikeperry)

We have a few potential solutions to time-based fingerprinting attacks, some based in Torbutton, some based as patches to Tor Browser. This bug is the parent for all of them.

Ticket Component Owner Summary Priority Points
#2934 Applications/Tor Browser tbb-team Experiment with JSHooks for Date() and Event.timeStamp High 1
#6204 TorBrowserButton mikeperry Disable navigation timing High
#8751 Applications/Tor Browser tbb-team do something about TLS HELLO gmt_unix_time High
#2876 Firefox Patch Issues mikeperry Enable arbitrary delays on keypress event delivery in TorBrowser Medium


Child Tickets

TicketStatusOwnerSummaryComponent
#2876closedmikeperryEnable arbitrary delays on keypress event delivery in TorBrowserFirefox Patch Issues
#2934closedtbb-teamExperiment with JSHooks for Date() and Event.timeStampApplications/Tor Browser
#6204closedmikeperryDisable navigation timingTorBrowserButton
#8751closedtbb-teamdo something about TLS HELLO gmt_unix_timeApplications/Tor Browser

Change History (15)

comment:1 Changed 6 years ago by mikeperry

Description: modified (diff)

comment:2 Changed 6 years ago by mikeperry

Parent ID: #2871

comment:3 Changed 6 years ago by gk

Cc: g.koppen@… added

comment:4 Changed 6 years ago by lunar

Cc: lunar@… added

comment:5 Changed 6 years ago by mikeperry

Cc: StrangeCharm added

comment:6 Changed 6 years ago by mikeperry

Milestone: TorBrowserBundle 2.3.x-stable

comment:7 Changed 5 years ago by mikeperry

Keywords: tbb-fingerprinting added

comment:8 Changed 4 years ago by mikeperry

Parent ID: #2871

comment:9 Changed 4 years ago by proper

Cc: adrelanos@… added

comment:10 Changed 3 years ago by gk

Cc: gk added; g.koppen@… removed

comment:11 Changed 3 years ago by erinn

Keywords: tbb-firefox-patch added

comment:12 Changed 3 years ago by erinn

Component: Firefox Patch IssuesTor Browser
Owner: changed from mikeperry to tbb-team

comment:13 Changed 3 years ago by mikeperry

Keywords: TorBrowserTeam201501 added
Resolution: fixed
Status: newclosed

Ok, so I think we finally have some semblance of direction here. We basically have two classes of time-based fingerprints:

  1. Fingerprints that are due to high resolution timing information (such as keystroke fingerprinting, performance fingerprinting, and various side channel attacks). These tickets are now tagged with tbb-fingerprinting-time-highres. https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-time-highres
  2. Fingerprints that are due to the skew/delta between your local client clock and the webserver's notion of time. These tickets are now tagged with tbb-fingerprinting-time-skew. https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-time-skew

We are going to address both classes of issues with direct browser patches, though the latter class requires a reliable, authenticated timesource that is not capable of attacking users by manipulating their time in a targeted way. This may prove tricky.

comment:14 Changed 2 years ago by source

Resolution: fixed
Status: closedreopened

There is still a major timestamp vector in the basic protocols left that needs to be addressed.

It belongs as a child ticket:
https://trac.torproject.org/projects/tor/ticket/16659

comment:15 Changed 2 years ago by mikeperry

Resolution: fixed
Status: reopenedclosed

That #16659 is neither a browser issue, nor related to this ticket.

Note: See TracTickets for help on using tickets.