[tor-bugs] #6217 [Firefox Patch Issues]: Fingerprintable information in browser update behavior

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Jun 22 10:07:49 UTC 2012


#6217: Fingerprintable information in browser update behavior
----------------------------------+-----------------------------------------
 Reporter:  cypherpunks           |          Owner:  mikeperry
     Type:  defect                |         Status:  new      
 Priority:  minor                 |      Milestone:           
Component:  Firefox Patch Issues  |        Version:           
 Keywords:                        |         Parent:           
   Points:                        |   Actualpoints:           
----------------------------------+-----------------------------------------
 This was reported to Mozilla but I thought it would probably not get
 considered properly unless reported here:

 https://bugzilla.mozilla.org/show_bug.cgi?id=755284

 >Fingerprintable information in update behavior

 >If update checks are enabled, Firefox seems to perform them at exactly
 the interval specified in the app.update.interval preference. (Tested with
 a 120-second interval and leaving the browser running.) This leads to a
 minor potential way of fingerprinting users on anonymizing networks like
 Tor because output relays can observe an update check occurring at a
 precise second corresponding to a particular user.

 >I realize this is a minor issue and difficult to exploit, but the
 solution is also appropriately minor. I assume it will be enough to simply
 randomize the scheduled time of next update (or the time stored in the
 lastUpdateTime settings, whichever) by up to 5% of the update interval.
 This fix will still preserve the user-set meaning of the
 app.update.interval setting, on average.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6217>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
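
The randomization proposed in the ticket, as an added example (not part of the ticket and not Firefox code; the function names, seed and start offset are hypothetical). It compares the fixed schedule with a symmetric 5% jitter, measured the way an observer who knows the interval would measure it:

```javascript
// Added illustration; function names are hypothetical, not Firefox internals.
const JITTER_FRACTION = 0.05; // the ticket's "up to 5% of the update interval"

// Seeded PRNG (mulberry32) so the run is reproducible; a browser would draw
// from its own randomness source instead.
function seededRandom(seed) {
  let a = seed | 0;
  return function () {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Delay until the next check. Jitter is symmetric around the configured
// interval, so the long-run average still equals the preference value.
function nextDelay(intervalSec, rand) {
  if (!rand) return intervalSec; // exact-interval behaviour from the report
  return intervalSec * (1 + JITTER_FRACTION * (2 * rand() - 1));
}

// Times (in seconds) at which update checks would leave the browser.
function checkTimes(startSec, intervalSec, count, rand) {
  const times = [startSec];
  for (let i = 1; i < count; i++) {
    times.push(times[i - 1] + nextDelay(intervalSec, rand));
  }
  return times;
}

// Offset of each check within the interval. A spread of 0 means every check
// lands on the same second of the cycle: a stable per-client marker.
function phaseSpread(times, intervalSec) {
  const phases = times.map((t) => t % intervalSec);
  return Math.max(...phases) - Math.min(...phases);
}

function meanDelay(times) {
  return (times[times.length - 1] - times[0]) / (times.length - 1);
}

const INTERVAL = 120; // the 120-second test interval from the report
const fixed = checkTimes(37, INTERVAL, 2000, null); // 37 s: constructed offset
const jittered = checkTimes(37, INTERVAL, 2000, seededRandom(6217));
console.log("fixed phase spread (s):", phaseSpread(fixed, INTERVAL));
console.log("jittered phase spread (s):", phaseSpread(jittered, INTERVAL).toFixed(1));
console.log("jittered mean delay (s):", meanDelay(jittered).toFixed(2));
```

Because each jittered delay is added to the previous check time, the offsets accumulate and the phase drifts across the whole cycle instead of staying within 5% of a fixed second.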

