Opened 6 years ago

Closed 20 months ago

#3059 closed defect (fixed)

Find some way to deal with time-based fingerprints

Reported by: mikeperry Owned by: tbb-team
Priority: High Milestone: TorBrowserBundle 2.3.x-stable
Component: Applications/Tor Browser Version:
Severity: Keywords: tbb-fingerprinting, tbb-firefox-patch, TorBrowserTeam201501
Cc: gk, lunar@…, StrangeCharm, adrelanos@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by mikeperry)

We have a few potential solutions to time-based fingerprinting attacks, some based in Torbutton, some based as patches to Tor Browser. This bug is the parent for all of them.

Ticket Component Owner Summary Priority Points
#2934 Applications/Tor Browser tbb-team Experiment with JSHooks for Date() and Event.timeStamp High 1
#6204 TorBrowserButton mikeperry Disable navigation timing High
#8751 Applications/Tor Browser tbb-team do something about TLS HELLO gmt_unix_time High
#2876 Firefox Patch Issues mikeperry Enable arbitrary delays on keypress event delivery in TorBrowser Medium


Child Tickets

TicketSummaryOwner
#2876Enable arbitrary delays on keypress event delivery in TorBrowsermikeperry
#2934Experiment with JSHooks for Date() and Event.timeStamptbb-team
#6204Disable navigation timingmikeperry
#8751do something about TLS HELLO gmt_unix_timetbb-team

Change History (15)

comment:1 Changed 6 years ago by mikeperry

  • Description modified (diff)

comment:2 Changed 6 years ago by mikeperry

  • Parent ID set to #2871

comment:3 Changed 6 years ago by gk

  • Cc g.koppen@… added

comment:4 Changed 6 years ago by lunar

  • Cc lunar@… added

comment:5 Changed 6 years ago by mikeperry

  • Cc StrangeCharm added

comment:6 Changed 6 years ago by mikeperry

  • Milestone set to TorBrowserBundle 2.3.x-stable

comment:7 Changed 5 years ago by mikeperry

  • Keywords tbb-fingerprinting added

comment:8 Changed 4 years ago by mikeperry

  • Parent ID #2871 deleted

comment:9 Changed 4 years ago by proper

  • Cc adrelanos@… added

comment:10 Changed 3 years ago by gk

  • Cc gk added; g.koppen@… removed

comment:11 Changed 3 years ago by erinn

  • Keywords tbb-firefox-patch added

comment:12 Changed 3 years ago by erinn

  • Component changed from Firefox Patch Issues to Tor Browser
  • Owner changed from mikeperry to tbb-team

comment:13 Changed 2 years ago by mikeperry

  • Keywords TorBrowserTeam201501 added
  • Resolution set to fixed
  • Status changed from new to closed

Ok, so I think we finally have some semblance of direction here. We basically have two classes of time-based fingerprints:

  1. Fingerprints that are due to high resolution timing information (such as keystroke fingerprinting, performance fingerprinting, and various side channel attacks). These tickets are now tagged with tbb-fingerprinting-time-highres. https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-time-highres
  2. Fingerprints that are due to the skew/delta between your local client clock and the webserver's notion of time. These tickets are now tagged with tbb-fingerprinting-time-skew. https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-time-skew

We are going to address both classes of issues with direct browser patches, though the latter class requires a reliable, authenticated timesource that is not capable of attacking users by manipulating their time in a targeted way. This may prove tricky.

comment:14 Changed 20 months ago by source

  • Resolution fixed deleted
  • Status changed from closed to reopened

There is still a major timestamp vector in the basic protocols left that needs to be addressed.

It belongs as a child ticket:
https://trac.torproject.org/projects/tor/ticket/16659

comment:15 Changed 20 months ago by mikeperry

  • Resolution set to fixed
  • Status changed from reopened to closed

That #16659 is neither a browser issue, nor related to this ticket.

Note: See TracTickets for help on using tickets.