Opened 7 years ago

Last modified 2 years ago

#6217 new defect

Mozilla updates queries happen at regular intervals

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-fingerprinting
Cc: gk, mcs, brade
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

This was reported to Mozilla but I thought it would probably not get considered properly unless reported here:

https://bugzilla.mozilla.org/show_bug.cgi?id=755284

Fingerprintable information in update behavior

If update checks are enabled, Firefox seems to perform them at exactly the interval specified in the app.update.interval preference. (Tested with a 120-second interval and leaving the browser running.) This leads to a minor potential way of fingerprinting users on anonymizing networks like Tor because output relays can observe an update check occurring at a precise second corresponding to a particular user.

I realize this is a minor issue and difficult to exploit, but the solution is also appropriately minor. I assume it will be enough to simply randomize the scheduled time of the next update (or the time stored in the lastUpdateTime settings, whichever) by up to 5% of the update interval. This fix will still preserve the user-set meaning of the app.update.interval setting, on average.

Change History (11)

comment:1 Changed 7 years ago by gk

Cc: g.koppen@… added

comment:2 Changed 7 years ago by Shondoit

The Tor Browser Bundle has updating disabled by default.
Because TBB contains a patched version of FF, we don't want to update to a non-patched stock version of FF.

The Update preference does not seem to be completely locked, but that's a different issue.

comment:3 Changed 6 years ago by mikeperry

Keywords: tbb-linkability added
Summary: Fingerprintable information in browser update behavior → Mozilla updates queries happen at regular intervals

comment:4 Changed 5 years ago by erinn

Component: Firefox Patch Issues → Tor Browser
Keywords: tbb-firefox-patch added
Owner: changed from mikeperry to tbb-team

comment:5 Changed 4 years ago by bugzilla

Severity: Normal

Did Tor Browser Updater cope with this?

comment:6 in reply to:  5 Changed 4 years ago by mcs

Replying to bugzilla:

Did Tor Browser Updater cope with this?

No, this is not an issue we have addressed so far with our patches to Mozilla's updater code.
I wonder how much randomness we would need to introduce in order to make the update ping time useless (or nearly so) for fingerprinting.
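
The fix proposed in the description (randomize the next check by up to 5% of app.update.interval) and the question in comment:6 about how much randomness is needed can be explored with a small simulation. This is an added example, not code from Firefox, Tor Browser or this ticket; the function names and the seeded PRNG are hypothetical, and the 5% is read here as a uniform ±5% factor on each delay.

```javascript
// Added example: jittered update-check scheduling (not Firefox or Tor Browser code).
// All function names here are hypothetical.

// Small seeded PRNG (mulberry32) so the simulation is reproducible.
// A real scheduler would draw from a CSPRNG instead.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Delay until the next check: the interval scaled by a uniform factor in
// [1 - jitter, 1 + jitter], so the average stays at intervalSec.
function nextCheckDelay(intervalSec, jitter, rng) {
  return intervalSec * (1 + jitter * (2 * rng() - 1));
}

// Timestamps (seconds since start) of `count` consecutive checks.
function simulateChecks(intervalSec, jitter, count, rng) {
  const times = [];
  let now = 0;
  for (let i = 0; i < count; i++) {
    now += nextCheckDelay(intervalSec, jitter, rng);
    times.push(now);
  }
  return times;
}

// Largest gap between a check time and the fixed grid (i + 1) * intervalSec.
function maxDriftFromGrid(times, intervalSec) {
  return times.reduce((worst, t, i) => Math.max(worst, Math.abs(t - (i + 1) * intervalSec)), 0);
}

const INTERVAL = 120; // the 120-second test interval mentioned in the ticket
const fixed = simulateChecks(INTERVAL, 0, 500, mulberry32(1));
const jittered = simulateChecks(INTERVAL, 0.05, 500, mulberry32(1));
console.log("max drift, no jitter:", maxDriftFromGrid(fixed, INTERVAL), "s");
console.log("max drift, 5% jitter:", maxDriftFromGrid(jittered, INTERVAL).toFixed(1), "s");
console.log("mean interval, 5% jitter:", (jittered[499] / 500).toFixed(2), "s");
```

Because each delay is measured from the previous check, the per-check jitter accumulates and the schedule drifts off the fixed grid while the mean interval stays near the configured value. Whether that drift is enough to defeat fingerprinting is the question the ticket leaves open.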

comment:7 Changed 4 years ago by cypherpunks

Priority: Low → Medium
Severity: Normal → Major

Besides the browser update queries to torproject.org and queries to blocklist.addons.mozilla.org, there are addon update queries to versioncheck-bg.addons.mozilla.org and www.eff.org (presumably for HTTPS Everywhere).

Those queries use the same circuit with socks user "--unknown--" and same socks password. The versioncheck queries use separate streams with a potentially unique transmission size for each. E.g.:

Stream 1: received: 4135 sent: 1057
Stream 2: received: 4136 sent: 1055
Stream 3: received: 4133 sent: 1053
Stream 4: received: 4125 sent: 1054

Users that have a few extra addons installed can be uniquely identified.

TBB should use separate circuits.

comment:8 Changed 4 years ago by bugzilla

Regular update checks are equal to any regular self-updating webpage. Is this really fingerprintable? AFAIK Tor basic design has built-in defenses against this type of attack.
Pinging different sites in one circuit is much worse.

comment:9 in reply to:  8 ; Changed 4 years ago by mcs

Cc: mcs brade added

Replying to bugzilla:

Regular update checks are equal to any regular self-updating webpage. Is this really fingerprintable? AFAIK Tor basic design has built-in defenses against this type of attack.

Can you expand on that last statement? While introducing some artificial jitter and randomness to the Tor Browser ping intervals is probably not a high priority, it is something we will want to do.

comment:10 in reply to:  9 Changed 4 years ago by bugzilla

Replying to mcs:

Can you expand on that last statement? While introducing some artificial jitter and randomness to the Tor Browser ping intervals is probably not a high priority, it is something we will want to do.

It's better to ask nickm & teor - they discussed in their tickets how to prevent linkability.

comment:11 Changed 2 years ago by gk

Cc: gk added; g.koppen@… removed
Keywords: tbb-fingerprinting added; tbb-linkability tbb-firefox-patch removed