Closed Bug 575230 Opened 14 years ago Closed 8 years ago

Provide option to reduce precision of Date()

Categories

(Core :: JavaScript Engine, enhancement)

enhancement
Not set
normal

RESOLVED DUPLICATE of bug 1217238

People

(Reporter: mikeperry.unused, Unassigned)

Details

The Date object currently provides millisecond accuracy. This accuracy can be used as an identifier based on clock skew, or can be used to accurately measure user behaviours for use in fingerprinting.

At least two companies claim to use this accuracy to fingerprint users when other methods fail: http://arstechnica.com/tech-policy/news/2010/02/firm-uses-typing-cadence-to-finger-unauthorized-users.ars

As such, it would be useful if there was an option for privacy enhancing addons to toggle that could disable this precision, and/or add a random per-page offset to it. This would also be useful for Private Browsing mode.
Private browsing mode is about preventing local traces, not protecting against remote tracking. There are *tons* of ways for a determined host with which you are interacting to track your identity.

Apart from protecting against omniscient (government) tracking, the suggested solution is Tor.

I think this bug is a big WONTFIX, if not INVALID. Cc'ing some smart security/privacy folks to help make the call.

/be
I think it would be nice to offer the option to reduce precision of the Date instances, though this is not something that should be enabled by default.  Add-ons like Torbutton could flip on this feature to help improve their effectiveness.

Such a feature is not in scope at all for private browsing mode, but would be useful if we had a mode that reduced fingerprintability, or for things like Torbutton.
The Tor Project / Electronic Frontier Foundation is paying to have this bug fixed.

"If you know C++ and/or Firefox internals, we should be able to pay you for your time to address these issues and shepherd the relevant patches through Mozilla's review process."

Source: https://blog.torproject.org/blog/web-developers-and-firefox-hackers-help-us-firefox-4
After further thought, this needs to be handled at a lower level. Several DOM events have a .timeStamp, and interval timers can be set with high precision. This bug may need to be re-titled/re-filed.

Also, the new Object property hooks of ECMAScript 5 allow us to play with Date ourselves in the content window now, so we can address things like offset ourselves.

The Tor Project is considering attempting to address this by delaying keystroke event delivery to the DOM, which may impact online games: https://trac.torproject.org/projects/tor/ticket/2876

It's not clear which approach would be more damaging, delaying the event delivery itself, or messing with high precision timers.
(In reply to Mike Perry from comment #4)
> After further thought, this needs to be handled at a lower level. Several DOM
> events have a .timeStamp, and interval timers can be set with high
> precision. This bug may need to be re-titled/re-filed.

You can re-title the bug by editing the summary. 

Or re-file, if that would be preferable.
Assignee: general → nobody
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
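
The precision reduction and per-page offset requested in this bug, combined with the in-page Date override mentioned in comment 4, sketched as an added example (not code from this bug, Mozilla or the Tor Project). `makeCoarseDate`, `installCoarseDate`, `resolutionMs` and `offsetMs` are hypothetical names, and the offset is assumed to be picked once per page by the caller.

```javascript
// Added example: a Date replacement with reduced precision and a fixed offset.
// All names here are hypothetical; nothing below is Firefox or Torbutton code.

function makeCoarseDate(RealDate, resolutionMs, offsetMs) {
  if (!(resolutionMs > 0)) throw new RangeError('resolutionMs must be > 0');
  // Shift by the page's offset, then round down to the resolution.
  // NaN (Invalid Date) passes through unchanged.
  const clamp = (ms) =>
    Number.isNaN(ms) ? ms
      : Math.floor((ms + offsetMs) / resolutionMs) * resolutionMs;

  class CoarseDate extends RealDate {
    constructor(...args) {
      super(...args);
      // Only the no-argument form reads the live clock; dates built from
      // explicit values are left exact so parsing and arithmetic still work.
      if (args.length === 0) this.setTime(clamp(super.getTime()));
    }
    static now() {
      return clamp(RealDate.now());
    }
  }
  return CoarseDate;
}

// Swap the constructor on a global object (a content window, in the bug's
// terms) and lock the property so page script cannot assign the original back.
function installCoarseDate(globalObj, resolutionMs, offsetMs) {
  const Coarse = makeCoarseDate(globalObj.Date, resolutionMs, offsetMs);
  Object.defineProperty(globalObj, 'Date', {
    value: Coarse, writable: false, configurable: false, enumerable: false,
  });
  return Coarse;
}

// Constructed demo: a stand-in global with a frozen clock, so output is stable.
class FixedClockDate extends Date {
  constructor(...args) {
    if (args.length) super(...args); else super(FixedClockDate.now());
  }
  static now() { return 1277000000123; }
}
const demoGlobal = { Date: FixedClockDate };
installCoarseDate(demoGlobal, 100, 80);
console.log(demoGlobal.Date.now(), new demoGlobal.Date().getTime());
```

An in-page wrapper like this leaves the original constructor reachable through the prototype chain and does not touch DOM event `.timeStamp` or interval timers, the other clocks comment 4 points to.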