Re:Not if they follow the spec (Score 2)

Hi marcan, nice to have you included in the discussion. I'm the author of the article. To be fair, the gzip specification was clear from the beginning. In fact I was reading this exact specification when I thought about the impact it could have on tor hidden services. The specification itself clearly states that there are potential problems with universal times under certain systems (i.e. MS-DOS at the time of the specification writing). I thought that maybe current implementations could be flawed, developed the little PoC and started doing tests in the wild. I found that a lot of servers were sending local times instead of unviersal times. The problem with this for me, is that even the universal time leak could be dangerous for hidden services. A lot of hidden services are filtering out 'Date' headers in their http responses in order to prevent getting information from their clock skew. So, yesterday I was with a PoC that was able to extract local time under certain conditions (conditions that I didn't understand clearly) and universal time (thus, clock skew) in other conditions. After discussing it with some friends related to the tor project, I decided that the best was to share it 'as-is'. Maybe further investigation could have been a good idea before sharing, but the possibility of this affecting hidden service privacy forced me to publish it 'as-is', even if further investigation was needed. Today, after a lot of research and help and comments from a lot of people I have better understood the problem and I still consider it a problem. We have found broken implementations of the gzip library under other operating systems than windows and of course, in the end this is a source of potential clock skew leak. So, I consider dangerous and irresponsible considering this a non-issue. I consider important for people managing hidden services to know that gzip is potentially leaking its clock skew, and potentially leaking its local time. I consider important that anyone that is filtering out, or disabling the 'date' header, also takes gzip into consideration. I think that this is just another example of how complicated is to setup a really anonymous hidden service and how even in the gzip stream there could leaks about your local time, or your clock skew. Openly discussing it is very interesting. What worries me is that I received a lot of feedback from people that is running hidden services that didn't knew that gzip was leaking any time information at all. You can read at reddit, or just here how people is surprised to read that in their gzip compressed data there is information about the time, operating system, etc. About your comments regarding why I didn't provide examples of affected hidden services, for me, it is not responsible to openly discussing a privacy issue like that while putting real people privacy at stakes. I consider that putting examples of hidden services compromised by this issue is not going to help in any way to better understand the potential impact of the information contained in a gzip header.