Tor Browser file timestamp

anon54700922 · February 15, 2024, 8:06pm

I notice that all the files of Tor Browser have timestamp 2000-01-01 00:00:00 +0000.

What is the reason for this?

FranklyFlawless · February 15, 2024, 9:59pm

Probably to prevent metadata leaks.

Patrick · February 16, 2024, 5:03am

Probably reproducible builds.

reference:

anon54700922 · February 16, 2024, 10:05am

Probably to prevent metadata leaks.

How do such leaks work?

Probably reproducible builds.

Is this what you mean?

When looking for other info, I have seen in the source code of Tails that they explicitly run find ... -exec touch --date="${tbb_timestamp}" "{}" \;. That, however, will obviously work only for files, as dirs’ timestamps will change.

What I am actually interested in is if and how unified timestamps contribute to TB’s project goal.

Patrick · February 16, 2024, 10:10am

Yes.

Reproducible builds.

See also:

anon54700922 · February 16, 2024, 12:30pm

Thanks.

By project goal I mean anonymity, i.e. I wonder if it has any direct relation to it or if it is just a technical detail of the reproducible build technology (which itself is a tool towards the project goal).

To put it differently - is one less anonymous if one changes the timestamps and how exactly (if yes)?

I am asking this because, as discussed, web JS and extensions have no direct access to local files anyway.

Patrick · February 16, 2024, 1:09pm

Required technical detail to accomplish reproducible builds.

Nobody ever made such an argument to my knowledge.

FranklyFlawless · February 17, 2024, 12:50am

In the case that your Tor Browser (session) is compromised, an attacker may be able to determine various metadata about the user that may lead to deanonymization. For example, if you decide to change your operating system’s date, time, and time zone, then modify files, an attacker could use that information to build a profile of you, if not done so already. The most valuable metadata would be time zone, as that isolates a user to specific regions.

anon54700922 · February 17, 2024, 8:12am

In the case that your Tor Browser (session) is compromised

How exactly does this happen?

an attacker may be able to determine various metadata about the user that may lead to deanonymization.

But website JS and extensions have no direct access to local files.

Please explain the actual attack scenario.

FranklyFlawless · February 18, 2024, 4:02am

There are many attack vectors, from privilege escalation of Tor Browser itself to crafting malicious downloaded files that report home when opened.

anon54700922 · February 18, 2024, 8:58am

privilege escalation of Tor Browser

How exactly does this work?

malicious downloaded files that report home when opened.

Such malware can read any other file, not just TB’s. So, that seems unrelated.

FranklyFlawless · February 19, 2024, 6:50am

I will let you know once I have the opportunity to learn and practice penetration testing myself.