Time zone spoofing needs to be fixed

[giwhub]

Hello,I found Tor Browser 6.0 is released.It is based on Firefox 45.1.1 and still can spoof the time zone.Maybe you can see their code and fix this bug.

[BLIGEL]

I think the ability to spoof the timezone should be removed since your country of origin can be obtained from your IP. If your IP says USA but your time zone is China it just looks weird. If you use a proxy or VPN, it might be a better idea to just change the timezone on your computer to match the country of the IP.

[ohohohoo]

The reason I'm still using FX44 is because the timezone spoofing feature of RAS. For people like me that is using proxy to browse and only stopped using proxies on specific sites, spoofing timezone is the primary reason on why I use RAS and the only reason why I'm still using the old FX44.

Changing the whole system clock to match the country of my proxy servers is not a solution because all the files created in my computer will be using that timestamp that is going to confuse the user.

[tramway11]

Hi! And based on what the timezone is changed?

[dkasak]

@BLIGEL Why is it weird? This is exactly what would happen if you're travelling or using a proxy while also not changing your timezone settings.

[tramway11]

The Date() string in JS can be changed or not? For timezone insert.

[dillbyrne]

It can be spoofed. The way I used to do it no longer works since mozilla made some changes to FF. I have been able to get some of the script injection code working but nothing related to the date yet.

The way I was doing it previously was to fake the functions that handled the date strings so when they were invoked in the context of the page our functions would be called instead and return our specified strings offset from the current date and time to the desired date and time based on your chosen offset.

The same mechanism would work but I have not yet found a way to hijack the date requests using frame scripts.

[ghost]

Oh darn, I was hoping this would work, just in case there is some merit to this, but I'm not sure there really is...

I was testing it this site;

http://browserspy.dk/date.php

BUT I'd love to have someone explain why they think spoofing time would be good?

First, if you're into all of this, you shouldn't be connecting directly to the Net, you should be on a VPN as example, then the GEO location of that VPN is your time zone spoof :)

I'm not sure if in Windows or MAC this still presents problems for people, but in Linux you change your Timezone to start Firefox like this;

TZ=UK firefox

Now you're reported online with a timezone in the UK.

[dkasak]

@Geyup, it's a good idea because your system time carries a certain amount of identifying information. Spoofing the time removes that information. In your scenario of using a VPN-based proxy to hide your IP address, you would still want to spoof your timezone.

[ghost]

If you're saying to spoof it to match the location of the IP then great, but if you are spoofing it for another location then your IP, then this is wrong, I disagree...

So I'm not sure which side of the fence you are on?

Whatever means you use to cloak your IP address you want the location of that IP and timezone to match.

An IP address from one location and a timezone from another makes you stand out and an easier target, this increase your fingerprint target.

I get the feeling some people are going to look at this and change it, so it doesn't match the location.

I see this coming into play, just like using the Spoof X Forward, which makes no sense, which also makes you stand out. Like HEY I'm using a Proxy/VPN etc., look the IPs don't match, like my Proxy is leaking my VPN address, making you another target...

[dkasak]

I'm not on either "side of the fence", I simply think having the option to set your timezone is a good idea. Not all settings are equally good, of course, since this is a game of statistics and depends on what the typical settings are.

Setting your timezone to something that doesn't match the GeoIP information for your IP isn't necessarily wrong, since this is exactly the same situation as when you're behind certain kinds of proxies (provided the IP of the proxy isn't located in your own timezone).

The problem of uninformed users making uninformed decisions is best solved by having sane defaults and/or good documentation, not by removing the option altogether.

The value of X-Forwarded-For isn't supposed to match the IP from which the HTTP request was made from since it is a field specifying the IP address of the original client/requester. Essentially, by using X-Forwarded-For, you are declaring that your real IP is proxying the request for the IP listed in the X-Forwarded-For field.

[ghost]

@dkasak you make some valid points, one I forgot, a laptop in transit with a different time zone on it.

X-Forwarded-For still makes no sense to me, I personally don't get the value or point of it.

Why would you want to declare a fake IP, when the real IP is still being shown?

[sergeevabc]

Any progress with timezone spoofing?

[Sirove]

+1! Timezone spoofing ETA?

[gatharry123]

Try: https://gist.github.com/prasadsilva/225fd0394a51e52bf62f . I couldn't get it working but that's because of my lack of github know how rather than anything wrong wit hit

[KIMWW]

+1 Timezone spoofing