Open Bug 755284 Opened 14 years ago Updated 1 year ago

Fingerprintable information in update behavior

Categories

(Toolkit :: Application Update, defect, P3)


UNCONFIRMED

People

(Reporter: c142592, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: privacy, Whiteboard: [fingerprinting][fp-triaged][tor 6217])

If update checks are enabled, Firefox seems to perform them at exactly the interval specified in the app.update.interval preference. (Tested with a 120-second interval and leaving the browser running.) This leads to a minor potential way of fingerprinting users on anonymizing networks like Tor because output relays can observe an update check occurring at a precise second corresponding to a particular user. I realize this is a minor issue and difficult to exploit, but the solution is also appropriately minor. I assume it will be enough to simply randomize the scheduled time of next update (or the time stored in the lastUpdateTime settings, whichever) by up to 5% of the update interval. This fix will still preserve the user-set meaning of the app.update.interval setting, on average.

Interesting find. Yeah, throwing some randomness into the update interval seems like it should be simple and effective. Although I'm curious how effective tracking would be as-is... The browser itself will have some slop (ms?) in the timer firing, and I assume onion-routing adds lots of random latency (intentional or not). Should probably look at other things which update/ping in the background too, since they probably have the same issue. Maybe creating a TYPE_REPEATING_SLOPPY timer would be useful... :)
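The mitigation proposed in the two comments above, sketched as an added example (not Firefox code and not written by anyone on this bug): it compares a fixed 120-second schedule with one jittered by up to 5% and measures whether checks still land on the same second of each cycle. The function names, the symmetric uniform jitter and the seeded generator are assumptions made for the illustration.

```javascript
// Added example; function names are hypothetical, not Firefox code.
const JITTER_FRACTION = 0.05; // "up to 5% of the update interval" (from the report)

// Seeded PRNG (mulberry32) so the simulation is reproducible.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Delay before the next check. Assumption: jitter is symmetric, uniform in
// [-5%, +5%], so the mean delay stays equal to the configured interval.
function nextDelay(intervalSec, rng) {
  return intervalSec + (rng() * 2 - 1) * JITTER_FRACTION * intervalSec;
}

// Times (seconds since start) of `count` checks; rng === null means no jitter.
function simulate(intervalSec, count, rng) {
  const times = [];
  let now = 0;
  for (let i = 0; i < count; i++) {
    now += rng ? nextDelay(intervalSec, rng) : intervalSec;
    times.push(now);
  }
  return times;
}

// Spread of each check's offset within the period. 0 means every check lands
// on the same second of the cycle, which is the regularity the report describes.
function phaseSpread(times, intervalSec) {
  const phases = times.map((t) => t % intervalSec);
  return Math.max(...phases) - Math.min(...phases);
}

function meanInterval(times) {
  return times[times.length - 1] / times.length;
}

const INTERVAL = 120; // the reporter's test value, in seconds
const fixed = simulate(INTERVAL, 1000, null);
const jittered = simulate(INTERVAL, 1000, makeRng(1)); // constructed seed
console.log("fixed:   ", phaseSpread(fixed, INTERVAL), meanInterval(fixed));
console.log("jittered:", phaseSpread(jittered, INTERVAL), meanInterval(jittered));
```

Because each delay is drawn independently, the offsets accumulate and the phase drifts across the whole cycle, while the average interval stays at the configured value.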
Component: General → Application Update
Keywords: privacy
Product: Firefox → Toolkit
QA Contact: general → application.update
Whiteboard: [fingerprinting]
Priority: -- → P5
Whiteboard: [fingerprinting] → [fingerprinting][fp-triaged]
Whiteboard: [fingerprinting][fp-triaged] → [fingerprinting]
Priority: P5 → P3
Whiteboard: [fingerprinting] → [fingerprinting][fp-triaged]
Whiteboard: [fingerprinting][fp-triaged] → [fingerprinting][fp-triaged][tor 6217]
Severity: minor → S4

For whoever picks up this bug for fix: Windows allows scheduled tasks to include a random delay in their execution. Refer to https://learn.microsoft.com/en-us/windows/win32/taskschd/timetrigger

Depends on: 1926440

(In reply to Chris DuPuis from comment #5)

> For whoever picks up this bug for fix: Windows allows scheduled tasks to include a random delay in their execution. Refer to https://learn.microsoft.com/en-us/windows/win32/taskschd/timetrigger

Since this is talking about app.update.interval, the task scheduler is not relevant here since it is not affected by that pref.

Blocks: 1926440
No longer depends on: 1926440