JavaScript can be used to get the system time of a user. This allows for fingerprinting via different clock offsets and skews. This also may allow websites to determine the user's location by seeing which country has the same time as the user.
Currently, the Tor Browser spoofs the timezone displayed to websites to UTC, but this doesn't spoof the actual system time, which can still be gotten with new Date().
The Tor Browser should spoof the time shown to websites so all Tor Browser users have the same time or a random time.
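The gap described in this report, as an added example that is not part of the original issue or of Tor Browser's code: reporting the timezone as UTC leaves the epoch value behind new Date() untouched, so clock error still separates clients, while a shared time source collapses them. The client list, clock errors, reference instant and function names are constructed for illustration, and network latency is ignored.

```javascript
// Constructed reference instant standing in for "true" time.
const TRUE_NOW_MS = Date.UTC(2024, 0, 15, 12, 0, 0);

// Constructed sample clients: each system clock is off by clockErrorMs.
const clients = [
  { name: "A", clockErrorMs: 0 },
  { name: "B", clockErrorMs: 47300 },      // 47.3 s fast
  { name: "C", clockErrorMs: -3600000 },   // set one hour slow
];

// Timezone spoofed to UTC only: the rendering is UTC for everyone,
// but the epoch still comes from the client's own system clock.
function viewWithTimezoneSpoofed(client) {
  const d = new Date(TRUE_NOW_MS + client.clockErrorMs); // stands in for new Date()
  return { tzOffsetMinutes: 0, rendered: d.toISOString(), epochMs: d.getTime() };
}

// Hypothetical mitigation discussed in the thread: every client reports
// time taken from one shared source instead of its system clock.
function viewWithSharedTimeSource(client, sharedNowMs) {
  const d = new Date(sharedNowMs);
  return { tzOffsetMinutes: 0, rendered: d.toISOString(), epochMs: d.getTime() };
}

// Residual offset visible to a server comparing against its own clock.
function offsetSeconds(view, serverNowMs) {
  return Math.round((view.epochMs - serverNowMs) / 1000);
}

// Number of distinguishable groups the offsets split the clients into.
function distinctOffsets(views, serverNowMs) {
  return new Set(views.map((v) => offsetSeconds(v, serverNowMs))).size;
}

const tzOnly = clients.map(viewWithTimezoneSpoofed);
const shared = clients.map((c) => viewWithSharedTimeSource(c, TRUE_NOW_MS));

console.log("timezone spoofed only:", tzOnly.map((v) => offsetSeconds(v, TRUE_NOW_MS)));
console.log("distinct groups:", distinctOffsets(tzOnly, TRUE_NOW_MS));
console.log("shared time source groups:", distinctOffsets(shared, TRUE_NOW_MS));
```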
I suspect we can reasonably assume our users have a working clock. Using a 'random' time (or an unchanging time) will almost certainly break websites in fun and interesting ways.
Trac: Resolution: N/A to not a bug; Status: new to closed
I actually tend to agree with cypherpunks here. I don't think it's something we should work on in the short - or even medium term - BUT...
Mozilla had vaguely discussed the idea of building in Roughtime in the browser, but then we were stymied on what we would actually use it for. We thought we could use it for showing an accurate "Your clock is set wrong and that may be why you're getting cert errors" error page. But we were afraid of using it for anything else - like cert validation or JavaScript - because people do actually rely on setting their system clock back or forward to test cert things or (more commonly) to cheat at online JavaScript games.
But I don't think those things would preclude Tor Browser from doing the safer thing and a) getting an accurate clock from and b) using it for everything. Under the guise of a) preventing NTP attacks and b) preventing fingerprinting based on clock skew.
But I don't think those things would preclude Tor Browser from doing the safer thing and a) getting an accurate clock from
you could get clock from trusted DirAuthority or any other of the 1000's of relays :)
TLDR:
sets the local clock by securely connecting with TLS to remote servers and extracting the remote time out of the secure handshake.
a) preventing NTP attacks and b) preventing fingerprinting based on clock skew.
not ntp here. just block udp firewalled all along. tcp only to tor needed. with tlsdate.
if implemented in browser. further preventing fingerprinting if all tor users use same time source for example from dirauthority handshake for example?!
Trac: Resolution: not a bug to N/A; Status: closed to reopened; Summary: "Spoof the Tor Browser time displayed to websites" to "Spoof the Tor Browser time displayed to websites if clocks are wrong"; Version: "Tor: unspecified" to N/A