[tor-bugs] #8170 [Tor]: get independent from host clock / insecure NTP

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 6 00:03:32 UTC 2013 

#8170: get independent from host clock / insecure NTP
--------------------+-------------------------------------------------------
 Reporter:  proper  |          Owner:     
     Type:  defect  |         Status:  new
 Priority:  major   |      Milestone:     
Component:  Tor     |        Version:     
 Keywords:          |         Parent:     
   Points:          |   Actualpoints:     
--------------------+-------------------------------------------------------
 NTP server admins can willingly or if their server gets compromised and
 any man-in-the-middle can tamper with NTP replies and therefore introduce
 a unique clock skew.

 Almost no one is using authenticated NTP, because there are no
 instructions in a forum or blog how to enable NTP authentication.
 Therefore almost everyone uses standard configuration and is at risk.

 Also due to a clock defect, low battery, clock can skew without tampering
 with NTP.

 Since the browser ^1^ and other applications transmit time stamps, it can
 be used to track individual users. For example, a clock skew of +/-30
 minutes may not worry the user ("That damn clock is wrong again. I use my
 watch instead.") but could identify the user even when using Tor.

 Also adversaries who didn't introduce the clock skew could use it to
 identify users. If the user visits a website under adversary control ^2^
 without Tor for some non-anonymous activity, it knows the clock skew.
 Later, if the user visits another website under adversary control, it can
 see the same clock skew, which is at least a strong anonymity set
 reduction.

 ,,
 ^1^ Also #1517 "Provide JS with reduced time precision" wouldn't help
 much, since it wouldn't do something about bigger clock skews.
 ^2^ Nowadays with services like google analytics and facebook like button,
 there are servers which are present on a high percentage of all websites.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8170>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list