TimeBleed

Read the accompanying blog post for more information.

Introduction

TimeBleed is a simple but notable privacy issue resulting from a side effect of the browser same-origin policy. The policy prevents 3rd parties from reading network request responses, but still allows tracking the amount of time taken.

By timing a request to a host, an attacker can check if someone has visited a website recently. Initial connections to a site take more time to resolve the hostname (and perform a handshake, etc), with subsequent requests being significantly faster.

In addition, response sizes can be estimated, although this is more difficult to perform.

While this is not the first incarnation of this concept, there has not been much written about the potential impact on privacy and on anonymity technology. The goal of this "exploit" is to make this issue more well known.

Impact on Tor & other networks

OrFox, Freenet, I2P, IPFS, and ZeroNet are all affected by this to varying degrees. In Orfox, for example, this could be used to detect when a person is visiting specific onion sites. Tor Browser (on desktop) has protection.

The blog post has a report in greater detail about the affect on privacy and on these software.

Proof of Concept

Noscript and other addons may block connections.

Note: this is a secure page. Non-https links may be blocked.

The test varies based on your network, DNS, browser, device, and websites.

Put some links below, separated by new line. Try some sites you have visited recently, & some you have not.

If you use them, try I2P, ZeroNet, Freenet, IPFS, and .onions (in Orfox).