Re: [tor-bugs] #18279 [Applications/Tor Browser]: Javascript setTimeout can be used for high resolution clock

[Tor Bug Tracker & Wiki]

#18279: Javascript setTimeout can be used for high resolution clock
--+--
 Reporter:  cypherpunks   |  Owner:  tbb-team
 Type:  defect| Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:  fixed
 Keywords:|  Actual Points:
Parent ID:  #16110| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 Okay, thanks. I think we are  good here to close this ticket.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18279 [Applications/Tor Browser]: Javascript setTimeout can be used for high resolution clock

[Tor Bug Tracker & Wiki]

#18279: Javascript setTimeout can be used for high resolution clock
--+--
 Reporter:  cypherpunks   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #16110| Points:
 Reviewer:|Sponsor:
--+--

Comment (by Thorin):

 Sorry, you meant are they clamped over workers, service workers, iframes:
 no idea. I would think they are fine over workers: see

 `.timeStamp:`
 - page/workers: yes: https://arthuredelstein.github.io/tordemos/event-
 timestamp.html
 - service workers/iframes: no idea

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18279 [Applications/Tor Browser]: Javascript setTimeout can be used for high resolution clock

[Tor Bug Tracker & Wiki]

#18279: Javascript setTimeout can be used for high resolution clock
--+--
 Reporter:  cypherpunks   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #16110| Points:
 Reviewer:|Sponsor:
--+--

Comment (by Thorin):

 Tom did all the timing into the privacy.resistFingerprinting pref (that's
 what I call RFP). He put them behind two prefs (see at least
 https://bugzilla.mozilla.org/show_bug.cgi?id=1217238 &
 https://bugzilla.mozilla.org/show_bug.cgi?id=1369303 - in FF55/56)
 - privacy.resistFingerprinting.reduceTimerPrecision.jitter
 - privacy.resistFingerprinting.reduceTimerPrecision.microseconds

 `dom.enable_resource_timing` & `dom.enable_performance` are two prefs I
 can think of that no longer make a difference, when RFP = true. And
 `dom.event.highrestimestamp.enabled` must be true - that pref has just
 been removed anyway
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1485264).

 > Hrm, you mean timing is not clamped in those cases

 **Absolutely**. What I'm saying is that that without RFP=true (and there
 is more tied behind it than just timing as you know), then you lose
 everything. Example: disable RFP, run the two timing tests, you leak high
 precision timing. Hence I think you should lock RFP :) Just saying

 Might pay to ask tom, because I'm not an expert

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18279 [Applications/Tor Browser]: Javascript setTimeout can be used for high resolution clock

[Tor Bug Tracker & Wiki]

#18279: Javascript setTimeout can be used for high resolution clock
--+--
 Reporter:  cypherpunks   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #16110| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 Replying to [comment:4 Thorin]:
 > This can be closed as resolved fixed: unless you wanted to test them
 over workers, service workers (which are disabled in Private Mode),
 iframes. Timing is clamped by RFP

 Hrm, you mean timing is not clamped in those cases?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18279 [Applications/Tor Browser]: Javascript setTimeout can be used for high resolution clock

[Tor Bug Tracker & Wiki]

#18279: Javascript setTimeout can be used for high resolution clock
--+--
 Reporter:  cypherpunks   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #16110| Points:
 Reviewer:|Sponsor:
--+--

Comment (by Thorin):

 FWIW I think you should lock RFP except in alpha

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18279 [Applications/Tor Browser]: Javascript setTimeout can be used for high resolution clock

[Tor Bug Tracker & Wiki]

#18279: Javascript setTimeout can be used for high resolution clock
--+--
 Reporter:  cypherpunks   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #16110| Points:
 Reviewer:|Sponsor:
--+--

Comment (by Thorin):

 Added another image to illustrate what happens when RFP is disabled

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18279 [Applications/Tor Browser]: Javascript setTimeout can be used for high resolution clock

[Tor Bug Tracker & Wiki]

#18279: Javascript setTimeout can be used for high resolution clock
--+--
 Reporter:  cypherpunks   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #16110| Points:
 Reviewer:|Sponsor:
--+--
Changes (by Thorin):

 * Attachment "timing=noRFP.png" added.


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18279 [Applications/Tor Browser]: Javascript setTimeout can be used for high resolution clock

[Tor Bug Tracker & Wiki]

#18279: Javascript setTimeout can be used for high resolution clock
--+--
 Reporter:  cypherpunks   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #16110| Points:
 Reviewer:|Sponsor:
--+--

Comment (by Thorin):

 This can be closed as resolved fixed: unless you wanted to test them over
 workers, service workers (which are disabled in Private Mode), iframes.
 Timing is clamped by RFP

 **setTimeout**
 {{{
 setTimeout
 
 setTimeout
 run again
 
 
 var counter=1; var r="";
 function logTime() {
   if (counter < 201) {
 var today = new Date();
 r = r+(today.getSeconds() +"."+ today.getMilliseconds() +"
 "+ counter +"\n");
 var t = setTimeout(logTime, 1);
 counter += 1;
 if (counter == 201)
 {document.getElementById("r").innerHTML=r}
 };
 };
 function run() {
 counter=1; r="";
 document.getElementById("r").innerHTML=r;
 logTime();
 };
 
 
 
 }}}

 **setInterval**
 {{{
 setInterval
 
 setInterval
 run again
 
 
 var counter = 1; var r="";
 function logTime() {
 setInterval(function(){
 if (counter < 201) {
 var today = new Date();
 r = r+(today.getSeconds() +"."+
 today.getMilliseconds() +" "+ counter +"\n");
 counter += 1;
 if (counter == 201)
 {document.getElementById("r").innerHTML=r;}
 };
 }, 10);
 };
 function run() {
 counter = 1; r="";
 document.getElementById("r").innerHTML=r;
 logTime();
 };
 
 
 
 }}}

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18279 [Applications/Tor Browser]: Javascript setTimeout can be used for high resolution clock

[Tor Bug Tracker & Wiki]

#18279: Javascript setTimeout can be used for high resolution clock
--+--
 Reporter:  cypherpunks   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #16110| Points:
 Reviewer:|Sponsor:
--+--
Changes (by Thorin):

 * Attachment "timing.png" added.

 sample of code run

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18279 [Applications/Tor Browser]: Javascript setTimeout can be used for high resolution clock

[Tor Bug Tracker & Wiki]

#18279: Javascript setTimeout can be used for high resolution clock
--+--
 Reporter:  cypherpunks   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #16110| Points:
 Reviewer:|Sponsor:
--+--

Comment (by arthuredelstein):

 A similar thing can be done with `window.setInterval`.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs