755284 - Fingerprintable information in update behavior

Status: UNCONFIRMED

(Toolkit :: Application Update, defect, P3)

Description

[Anonymous]

If update checks are enabled, Firefox seems to perform them at exactly the interval specified in the app.update.interval preference. (Tested with a 120-second interval and leaving the browser running.) This leads to a minor potential way of fingerprinting users on anonymizing networks like Tor because output relays can observe an update check occurring at a precise second corresponding to a particular user.

I realize this is a minor issue and difficult to exploit, but the solution is also appropriately minor. I assume it will be enough to simply randomize the scheduled time of next update (or the time stored in the lastUpdateTime settings, whichever) by up to 5% of the update interval. This fix will still preserve the user-set meaning of the app.update.interval setting, on average.

Comment 1

[Justin Dolske [:Dolske]]

Interesting find. Yeah, throwing some randomness into the update interval seems like it should be simple and effective. Although I'm curious how effective tracking would be as-is... The browser itself will have some slop (ms?) in the timer firing, and I assume onion-routing adds lots of random latency (intentional or not).

Should probably look at other things which update/ping in the background too, since they probably have the same issue. Maybe creating a TYPE_REPEATING_SLOPPY timer would be useful... :)

Comment 2

[IAA Dubai]

https://itsaboutall.com

Comment 3

[IAD Dubai]

https://itsaboutdubai.com

Comment 4

[IADIY]

https://itsaboutdiy.com