JavaScript time fingerprinting

JavaScript has a way to determine your local system time and date. This could be used for fingerprinting as an attacker can determine the difference in clock skews and offsets from other users and may also be able to determine your location by checking which countries have a similar time as you.

I created a website to test this and it even works with the Tor Browser.

https://madaidan.github.io/index.html

This seems pretty bad and I haven’t seen anyone talking about this. Does anyone else know about this?

Of course, the risks of JS are very real and are discussed at length.
One of the reasons of setting UTC time in Whonix plus the whole sdwdate system.

But I’m sure you already know this…

Yes but I’ve never seen anyone talk about this specific part and it seems pretty dangerous.

They don’t prevent this.

On Qubes/Whonix, using Tor Browser, your site reports the exact same time as date (UTC). Not the true system time.

date displays the true system time.

Not in my Whonix VMs. date always has shown UTC time, but that is not my system time. date in dom0 or Debian based VMs shows my true system time.

date in either Tor Browser or just firefox, ran within VirtualBox Whonix VM, shows the VM (UTC) time. Not the true system time.

It’s the system time from the perspective of the VM. Obviously, the VM can’t get the host’s time with date.

It’s the time set by sdwdate, which is the median time of three servers chosen randomally from whonix’s list. Correct, JS has access to that.

sdwdate mitigates that to some extent, but I agree, not fully. Not between one setting and another. Indeed JS makes fingerprinting way easier.

Since it’s UTC time in all Whonix machines that won’t be possible.

By the way, it’s possible to set other timezones:

Related: