In an ideal world, we would require neither boot clock randomization nor sdwdate. The host would always boot with a perfectly synchronized time to begin with. And everyone would always have a perfectly synchronized time always. And online time syncing would be impossible to manipulate by man-in-the-middle attacks.
Yes.
@marmarek wrote:
For example, if an attacker already has some selected set of data to
correlate (like “all Tor users in area X”), he/she can easily further
narrow the search by eliminating those with time almost in sync
(+/-5sec).
Note that this +/-5sec (emitted from within Whonix VMs) should only be observable at Tor exit relays, destination websites and onion servers. Not at ISP level. (ISP might observe local clock leaks by the host or other non-Tor VMs.)
Exactly the point. This gives negative correlation between data gathered
at local ISP level, with data from target server/exit relays.
Additionally, if you have some other way to link multiple sessions of
the same person, on the target server (like using the same pseudonym),
you’ll gain much in terms of host clock leak, just because of this 10s
range exclusion. Because every session (boot clock randomization run)
gives you information about what 10s range is surely not the user host
clock. After a while you’ll exclude pretty much the whole ±180s
range, giving you quite a precise approximation of host clock. In an extreme
situation, 18 sessions would be enough (each excluding some 10s range).
Then you need to correlate it with ISP level data.
The point is, when you want to unlink Whonix time from host time, you
need to use as little host time as possible. If you just
choose randomly from ±180s, choosing offset of 0s would be
indistinguishable from some other user randomly choosing offset of 30s
and having host time -30s off (or any other value, as long as both are
the same). But if you exclude ±5s range (or in fact any range), you
help with reducing anonymity by excluding those “clearnet hosts” with time
in ±5s range of the Whonix-ws leaked one.
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
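An added example, not part of the original post or of Whonix code: a small model of the elimination described in the message above, counting only the hosts ruled out by the excluded band around each leaked VM clock. Whole-second clocks, the one-host-per-second population and all function names are assumptions made for illustration.

```python
import random

SPREAD = 180    # boot clock randomization range, seconds (from the thread)
EXCLUDED = 5    # offsets closer than this to the host clock are never chosen

def draw_offset(rng, excluded):
    """Whole-second offset, uniform over ±SPREAD minus the excluded band."""
    allowed = [r for r in range(-SPREAD, SPREAD + 1) if abs(r) >= excluded]
    return rng.choice(allowed)

def consistent_hosts(host_clocks, leaks, excluded):
    """Hosts not ruled out by the band: for each leaked VM clock, a host whose
    clock lies within `excluded` seconds of it cannot have produced it."""
    return [h for h in host_clocks
            if all(abs(leak - h) >= excluded for leak in leaks)]

def anonymity_set_sizes(user_clock, host_clocks, excluded, sessions, seed=0):
    """Candidate-set size after each linked session of one user."""
    rng = random.Random(seed)
    leaks, sizes = [], []
    for _ in range(sessions):
        leaks.append(user_clock + draw_offset(rng, excluded))
        sizes.append(len(consistent_hosts(host_clocks, leaks, excluded)))
    return sizes

if __name__ == "__main__":
    # Constructed population: one clearnet host per second of clock error.
    hosts = list(range(-SPREAD, SPREAD + 1))
    for band in (EXCLUDED, 0):
        sizes = anonymity_set_sizes(0, hosts, band, sessions=18)
        print(f"excluded band ±{band}s:", sizes)
```

With the band set to 0, this rule never eliminates a host, which is the indistinguishability the post describes.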