[tbb-bugs] #31997 [Applications/Tor Browser]: Investigate possible fingerprinting means via the Streams API
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Oct 8 11:26:30 UTC 2019
#31997: Investigate possible fingerprinting means via the Streams API
------------------------------------------+--------------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords: tbb-fingerprinting
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+--------------------------------
The [https://developer.mozilla.org/en-US/docs/Web/API/Streams_API Streams
API] landed in Firefox 65 allowing JavaScript to process raw data bit-by-
bit as soon as it is available on the client side.
The fingerprinting concerns that immediately jump out here are triggered
by
{{{
There are more advantages too — you can detect when streams start or end,
chain streams together, handle errors and cancel streams as required, and
react to the speed of the stream is being read at.
}}}
We need to check how fine-grained the timers are for starting/ending
streams or whether one could get fingerprinted by how fast the client side
can process incoming data. There might be more.
The concerns are somewhat mitigated as the big win by combining that API
with ServiceWorkers is not available to Firefox 68 ESR.
The bug where this got enabled is:
https://bugzilla.mozilla.org/show_bug.cgi?id=1505122.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31997>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list