JavaScript has a way to determine your local system time and date. This could be used for fingerprinting as an attacker can determine the difference in clock skews and offsets from other users and may also be able to determine your location by checking which countries have a similar time as you.
I created a website to test this and it even works with the Tor Browser.
https://madaidan.github.io/index.html
This seems pretty bad and I haven’t seen anyone talking about this. Does anyone else know about this?
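The two clock signals raised in the post above (the reported UTC offset and the skew against a reference clock), as an added example that is not part of the original thread. The function names, the one-second tolerance and the sample readings are hypothetical and constructed for illustration.

```javascript
// Added illustration, not code from the thread or from the linked test site.
// readClock, assessClock and toleranceSec are hypothetical names.

// What any page script can read from the browser's Date/Intl objects.
function readClock() {
  const now = new Date();
  return {
    clientMs: now.getTime(),              // client clock, ms since epoch
    tzOffsetMin: now.getTimezoneOffset(), // minutes behind UTC; 0 at UTC
    tzName: Intl.DateTimeFormat().resolvedOptions().timeZone,
  };
}

// Compare a reading with a reference clock (for example a server's time).
// The UTC offset and the skew are independent: forcing the timezone to UTC
// changes the first and leaves the second untouched.
function assessClock(reading, referenceMs, toleranceSec = 1) {
  const skewSec = (reading.clientMs - referenceMs) / 1000;
  return {
    reportsUtcOffset: reading.tzOffsetMin === 0,
    utcOffsetHours: (0 - reading.tzOffsetMin) / 60,
    skewSec,
    skewStandsOut: Math.abs(skewSec) > toleranceSec,
  };
}

// Constructed sample readings (not measurements).
const REFERENCE_MS = 1564500000000;
const SAMPLE_UTC_VM = {          // VM forced to UTC, clock set 37.4 s ahead
  clientMs: REFERENCE_MS + 37400, tzOffsetMin: 0, tzName: "UTC",
};
const SAMPLE_LOCAL_HOST = {      // host on local time, clock 0.2 s ahead
  clientMs: REFERENCE_MS + 200, tzOffsetMin: -540, tzName: "Asia/Tokyo",
};

// Self-check when run directly: the UTC VM hides its location offset
// but its skew still stands out; the local host is the other way round.
console.log(assessClock(SAMPLE_UTC_VM, REFERENCE_MS));
console.log(assessClock(SAMPLE_LOCAL_HOST, REFERENCE_MS));
```

Calling `assessClock(readClock(), referenceMs)` in a browser console, with `referenceMs` taken from a clock you trust, shows what your own setup exposes.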
sheep
July 30, 2019, 5:29pm
2
Of course, the risks of JS are very real and are discussed at length.
One of the reasons for setting UTC time in Whonix plus the whole sdwdate system.
But I’m sure you already know this…
Yes but I’ve never seen anyone talk about this specific part and it seems pretty dangerous.
They don’t prevent this.
On Qubes/Whonix, using Tor Browser, your site reports the exact same time as date (UTC). Not the true system time.
date displays the true system time.
Not in my Whonix VMs. date always has shown UTC time, but that is not my system time. date in dom0 or Debian based VMs shows my true system time.
sheep
July 31, 2019, 7:52am
7
date in either Tor Browser or just Firefox, run within a VirtualBox Whonix VM, shows the VM (UTC) time. Not the true system time.
It’s the system time from the perspective of the VM. Obviously, the VM can’t get the host’s time with date.
sheep
August 1, 2019, 6:33am
9
It’s the time set by sdwdate, which is the median time of three servers chosen randomly from Whonix’s list. Correct, JS has access to that.
sdwdate mitigates that to some extent, but I agree, not fully. Not between one setting and another. Indeed JS makes fingerprinting way easier.
Since it’s UTC time in all Whonix machines that won’t be possible.
By the way, it’s possible to set other timezones:
Continuing with UTC as default, can we add an option to set the system time to another timezone?
Motivation:
Make it more difficult for a site to classify origin as Whonix user in some case. E.g. Japanese site that receives Tor traffic in Japanese timezone but sees the host has UTC timezone. Can be a UK-based Japanese staying up at nights, otherwise a Japan-based Whonix user.
In Tor before VPN setup, the site observes server (VPN) time is different than host time. That can be a reason to dis…