Opened 9 months ago

Last modified 9 months ago

#31997 new defect

Investigate possible fingerprinting means via the Streams API

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting, ff68-esr
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


The Streams API landed in Firefox 65 allowing JavaScript to process raw data bit-by-bit as soon as it is available on the client side.

The fingerprinting concerns that immediately jump out here are triggered by

There are more advantages too — you can detect when streams start or end, chain streams together, handle errors and cancel streams as required, and react to the speed of the stream is being read at.

We need to check how fine-grained the timers are for starting/ending streams or whether one could get fingerprinted by how fast the client side can process incoming data. There might be more.

The concerns are somewhat mitigated as the big win by combining that API with ServiceWorkers is not available to Firefox 68 ESR.

The bug where this got enabled is:

Child Tickets

Change History (2)

comment:1 Changed 9 months ago by gk

Keywords: ff68-esr added

Adding ff68-esr keyword

comment:2 Changed 9 months ago by tom

It doesn't seem like actually exposes timestamps...

I think they may be referring to noticing when events fire.

Note: See TracTickets for help on using tickets.