[tor-bugs] #1517 [Torbutton]: Tor Browser should provide JS with reduced time precision (was: Torbutton should randomize times from Date())

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Apr 19 03:08:49 UTC 2011 

#1517: Tor Browser should provide JS with reduced time precision
-------------------------+--------------------------------------------------
 Reporter:  mikeperry    |          Owner:       
     Type:  enhancement  |         Status:  new  
 Priority:  major        |      Milestone:       
Component:  Torbutton    |        Version:       
 Keywords:               |         Parent:  #2871
   Points:  16           |   Actualpoints:       
-------------------------+--------------------------------------------------
Changes (by mikeperry):

  * points:  => 16


Old description:

> To help reduce information available to fingerprinting, we should
> randomize the values returned from Date(). I've never thought this was a
> useful thing to do before, because Tor latency is high enough and
> variable enough that most machines using NTP should be well concealed
> within the noise.
>
> However, bug #1261 brings up a good point about javascript being able to
> measure the time intervals of various things (such as typing, but really
> it could be anything) to produce a fingerprint.
>
> Unfortunately, we may need Firefox support for this, unless their
> javascript engine has changed to allow hooking of the Date() object
> again.

New description:

 To help reduce information available to fingerprinting, we should
 randomize or truncate the values returned from Date(), event.timeStamp,
 and interval timers. I've never thought this was a useful thing to do
 before, because Tor latency is high enough and variable enough that most
 machines using NTP should be well concealed within the noise.

 However, bug #1261 brings up a good point about javascript being able to
 measure the time intervals of various things (such as typing, but really
 it could be anything) to produce a fingerprint.

 Unfortunately, we may need Firefox support for this, unless their
 javascript engine has changed to allow hooking of the Date() object again.

--

Comment:

 Rough guess here. Depends on how centralized the JS interpreters
 timesource is. It may be all over the place, and far from config settings
 to control it. Also, some testing of youtube and various HTML5 demo sites
 should be performed, especially those involving rendered graphics and
 synchronized animations.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1517#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list