Opened 6 weeks ago

Last modified 6 weeks ago

#31997 new defect

Investigate possible fingerprinting means via the Streams API

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting, ff68-esr
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The Streams API landed in Firefox 65, allowing JavaScript to process raw data bit-by-bit as soon as it is available on the client side.

The fingerprinting concerns that immediately jump out here are triggered by:

There are more advantages too — you can detect when streams start or end, chain streams together, handle errors and cancel streams as required, and react to the speed the stream is being read at.

We need to check how fine-grained the timers are for starting/ending streams or whether one could get fingerprinted by how fast the client side can process incoming data. There might be more.

The concerns are somewhat mitigated as the big win by combining that API with ServiceWorkers is not available to Firefox 68 ESR.

The bug where this got enabled is: https://bugzilla.mozilla.org/show_bug.cgi?id=1505122.

Change History (2)

comment:1 Changed 6 weeks ago by gk

Keywords: ff68-esr added

Adding ff68-esr keyword

comment:2 Changed 6 weeks ago by tom

It doesn't seem like https://streams.spec.whatwg.org/ actually exposes timestamps...

I think they may be referring to noticing when events fire.
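
The check the description asks for (how fine-grained the timing around stream reads looks to a page), as an added example that is not part of the ticket or of Tor Browser's code. Because the Streams API exposes no timestamps itself, the script stamps each read with a clock it is handed; `makeStream`, `timeStreamReads`, `smallestStep`, `respectsClamp`, `audit` and the `clampMs` value are hypothetical names and parameters chosen for illustration.

```javascript
// Added example: audit how coarse the clock appears to a script that
// timestamps every chunk it reads from a ReadableStream.
// Runs in a browser console or in Node 18+ (global ReadableStream).

// Build a stream delivering `count` chunks of `size` bytes (constructed data).
function makeStream(count, size) {
  let sent = 0;
  return new ReadableStream({
    pull(controller) {
      if (sent++ < count) controller.enqueue(new Uint8Array(size));
      else controller.close();
    },
  });
}

// Read the stream to the end, recording clock() when reading starts,
// after every chunk, and once more when the stream reports `done`.
async function timeStreamReads(stream, clock) {
  const reader = stream.getReader();
  const stamps = [clock()];
  for (;;) {
    const { done } = await reader.read();
    stamps.push(clock());
    if (done) return stamps;
  }
}

// Smallest non-zero gap between consecutive timestamps: an upper bound on
// the clock resolution the script could observe. Infinity means the clock
// never ticked during the run, so the run is inconclusive (use more chunks).
function smallestStep(stamps) {
  let min = Infinity;
  for (let i = 1; i < stamps.length; i++) {
    const d = stamps[i] - stamps[i - 1];
    if (d > 0 && d < min) min = d;
  }
  return min;
}

// True when no observed step is finer than the precision the tester expects.
// clampMs is an assumption supplied by the tester, not a value from the ticket.
function respectsClamp(stamps, clampMs) {
  return smallestStep(stamps) >= clampMs;
}

// Run against the real clock of the browser under test.
async function audit(clampMs, chunks = 2000, size = 65536) {
  const stamps = await timeStreamReads(makeStream(chunks, size), () => performance.now());
  return { step: smallestStep(stamps), ok: respectsClamp(stamps, clampMs) };
}
```

Calling `audit(expectedPrecisionMs)` in the build under test reports the finest step seen across stream start, each chunk and stream end; a step below the expected precision means read callbacks leak finer timing than intended.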
