Changes between Version 2 and Version 3 of Fingerprinting


Timestamp: Dec 29, 2010 4:41:00 AM
Author: robert@roberthogan.net
Comment: --

  • Fingerprinting

    v2 v3  
    2222be considered.
    2323
    24 The WebKit bugzilla entry for tracking progress against items in this page is:
     24The bugzilla entry for tracking progress against items in this page is:
    2525  * https://bugs.webkit.org/show_bug.cgi?id=41801
    2626
     
    4949WebKit defines private browsing as:
    5050{{{
    51 // When this option is set, WebCore will avoid storing any record of browsing
    52 activity
     51// When this option is set, WebCore will avoid storing any record of browsing activity
    5352// that may persist on disk or remain displayed when the option is reset.
    5453// This option does not affect the storage of such information in RAM.
     
    8483== Things that aren't 'Private Browsing' but are 'Fingerprinting' ==
    8584
    86 === 1. Session Isolation ===
     85=== 1. Session Isolation === #SessionIsolation
    8786If you have implemented an anti-fingerprinting mode you don't want a website
    8887to access information from the browser's normal mode - doing so might reveal
     
    110109sidechannel-cookies such as 'window.name'.
    111110
     111== A 'Tracking-Resistant Mode' vs 'A Tracking-Resistant Browser' ==
     112If you implement a tracking-resistant mode which users can switch in and out of then
     113you need to worry about SessionIsolation. If websites can read cookies and cache objects
     114from your browser's 'normal' mode that will undo a lot of the work you have put into
     115managing the user's fingerprint in tracking-resistant mode. This means you will have to
     116ensure the browser maintains separate profiles for each mode and no information is shared
     117between them.
     118
     119This is not a concern if you are impementing a browser that is always tracking-resistant, since
     120you can purge cookies and cache objects without having to worry about the state of any other
     121sessions maintained by the user.
     122
    112123== Creating a Common Fingerprint ==
    113124This page is premised on the notion that the best way to mitigate against
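
Review bot: Lines 113-117 name only cookies and cache objects as the state that must not leak between modes, but this same change adds sections on form auto-fill values, the TLS session cache and the client certificate store, which need the same separation; list them here or point to those sections. Line 112 also writes SessionIsolation as a bare word although this change adds the #SessionIsolation anchor to the "1. Session Isolation" heading, so it should be [#SessionIsolation Session Isolation] like the other cross-references added here. Line 119 has a typo ("impementing").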
     
    125136hard to implement and even harder to get right.
    126137
    127 = Creating a Static and Common Fingerprint for your WebKit Browser =
     138= Creating a Static Fingerprint for your WebKit Browser =
    128139
    129140== 1. Javascript Objects ==
     
    146157
    147158The document.referrer property needs to be managed in the same way as
    148 [Referer Header and Origin Header] below.
    149 
    150 === ii. History Object ===
    151 
    152 history.length::
    153 This value has potential, in cases where it is unusually high due to prolonged
    154 use of a single browser/tab session, to assist sites in tracking the
    155 user. That said, such users already have a pretty revealing cache and
    156 coookie data set.
     159[#RefererHeader Referer Header and Origin Header] below.
     160
     161=== ii. Window.History Object ===
     162
     163[https://developer.mozilla.org/en/DOM/window.history history.length] has the potential, in cases where it is unusually high due to prolonged
     164use of a single browser/tab session, to assist sites in tracking the user. In the case of long-running sessions you may need
     165to update the value periodically so that it does not become revealing.
    157166
    158167=== iii. Window object ===
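
Review bot: The new advice at lines 164-165 to "update the value periodically" does not say what history.length should be set to, how often, or whether a port can change it at all without a WebKit hook; state a concrete policy (for example a cap or a fixed reported value) or link a bug that tracks it. The rewrite also drops the old caveat from lines 155-156 that such users already have a revealing cache and cookie data set; keep that sentence if it still holds.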
     
    190199=== v. Screen object ===
    191200
    192 Torbutton and Torora use the following values for the Screen object's
     201[http://www.torproject.org/torbutton/index.html.en Torbutton] and [https://github.com/mwenge/torora Torora] use the following values for the Screen object's
    193202properties:
    194203
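
Review bot: The Torbutton link added at line 201 uses http://www.torproject.org while the reference list on this page links the same site as https://www.torproject.org/torbutton/design/; use https here as well so the two agree.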
     
    204213}}}
    205214
    206 Entropy for the values provided here is as much as 4.83 bits.
     215Entropy for the values in the Screen object can be as much as 4.83 bits.
    207216
    208217===  vi. Navigator Object ===
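
Review bot: Line 215 still states the 4.83 bits figure without a source, and "can be as much as" now reads as an upper bound; cite where the number comes from and say what population of browsers it was measured over.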
     
    210219object and decide on a set of values that can remain static across many
    211220releases as long as possible. You will also need to ensure that the values
    212 decided upon here are also presented in the user-agent HTTP header by your
     221decided upon here are also presented in the [#UserAgentHeader user-agent HTTP header] by your
    213222browser.
    214223
     
    217226it - making it a relatively safe option to follow IE's suit. If you do expose
    218227a list of plugins through this property you will need to ensure your decision
    219 is consistent with the behaviour you have implemented under Plugins below.
     228is consistent with the behaviour you have implemented under [#InstalledPlugins Plugins] below.
    220229
    221230=== vii. Date Object ===
     
    277286  * https://bugs.webkit.org/show_bug.cgi?id=46566
    278287
    279 == 3. CSS ==
     288== 3. Form Auto-Filling ==
     289Javascript can inspect the contents of form fields at any time so auto-completing forms with
     290cached values should be avoided. At the very least you will want to ensure that values cached
     291from the normal browsing mode are not used when in tracking-resistant mode. The safest bet is
     292to disable auto-completion altogether.
     293
     294== 4. CSS ==
    280295
    281296===  i. CSS Media Queries ===
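
Review bot: The new section at lines 289-292 offers two options (do not reuse values cached in normal mode, or disable auto-completion altogether) but names no setting and links no bug, whereas the section just above it ends with a bugs.webkit.org link, so a port author cannot tell whether WebKit or the embedding application owns form auto-fill; say which. Inserting it as section 3 also renumbers every later heading, so anything that cites sections by number now points at the wrong one; the #anchors added elsewhere in this change are the safer way to cross-reference.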
     
    292307CSS rules may be used to inspect locally available fonts. A working example of
    293308this 'font introspection' using simple CSS rules can be found at
    294 http://flippingtypical.org.
     309http://flippingtypical.com.
    295310
    296311WebKit currently does not offer a means of countering this.
     
    299314fonts are locally available when CSS rules are evaluated.
    300315
    301 See also Fonts.
     316See also [#Fonts Fonts] below.
    302317
    303318=== iii. Querying Page History with CSS ===
     
    316331
    317332
    318 == 4. Plugins and Java Applets ==
     333== 5. Plugins and Java Applets ==
    319334
    320335If you want complete control over the information your browser reveals to
     
    330345still scope for collecting a lot of information.
    331346
    332 === i. Using the List of Installed Plugins To Build Up A Fingerprint ===
     347=== i. Using the List of Installed Plugins To Build Up A Fingerprint === #InstalledPlugins
    333348
    334349As well as isolating users who have an exotic set of installed plugins, a major
     
    394409
    395410
    396 == 5. SilverLight And ActiveX ==
     411== 6. SilverLight And ActiveX ==
    397412TBC
    398413
    399 == 6. Fonts ==
     414== 7. Fonts == #Fonts
    400415
    401416A site may render a page in a number of different fonts and then use
     
    408423
    409424
    410 == 7. Cookies ==
     425== 8. Cookies ==
    411426
    412427You either have these (i) disabled completely, (ii) clear them every time a new
     
    416431your implementation of the Page Cache.
    417432
    418 == 8. Third Party Cookies ==
     433== 9. Third Party Cookies ==
    419434
    420435If you are clearing all cookies periodically then third-party cookies are not
     
    426441bug.
    427442
    428 Most WebKit ports offer you the possibility of managin third-party cookies
     443Most WebKit ports offer you the possibility of managing third-party cookies
    429444however you choose, and the default behaviour between WebKit ports often
    430445differs - Safari is the most restrictive as it does not allow 3rd parties to
     
    438453  * https://bugs.webkit.org/show_bug.cgi?id=45455
    439454
    440 == 9. Page Cache ==
     455== 10. Page Cache ==
    441456
    442457The [http://samy.pl/evercookie/ evercookie] is an excellent practical
     
    447462the page cache in the same way.
    448463
    449 == 10. HTTP Headers ==
     464== 11. HTTP Headers ==
    450465
    451466You will need to decide what to do with the Referer header, the Origin header,
    452467the Accept header, and the Accept-Language header.
    453468
    454 === i. User-Agent Header ===
     469=== Manipulating HTTP headers in QtWebKit ===
     470In QtWebKit you can manipulate HTTP headers by subclassing QNetworkAccessManager and
     471reimplementing:
     472{{{
     473QNetworkReply * QNetworkAccessManager::createRequest ( Operation op, const QNetworkRequest & req, QIODevice * outgoingData = 0 )
     474}}}
     475
     476You could then perform the following:
     477
     478{{{
     479    if (req.hasRawHeader("Referer"))
     480        req.setRawHeader("Referer", "/");
     481    if (req.hasRawHeader("Origin"))
     482        req.setRawHeader("Origin", "/");
     483}}}
     484
     485=== i. User-Agent Header === #UserAgentHeader
    455486
    456487Whatever decision you make about the User-Agent header, be prepared to stick
    457 with the values you set initially for as long as possible.
    458 
    459 === ii. Referer Header and Origin Header ===
     488with the values you set initially for as long as possible. The simple reason for this is that
     489every change to the user-agent will divide your userbase into those who have the old header and those
     490who have the new one - creating new, unnecessary entropy each time.
     491
     492=== ii. Referer Header and Origin Header === #RefererHeader
    460493
    461494Manipulating these headers isn't strictly a fingerprinting-resistance
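
Review bot: In the snippet at lines 479-482, req is the const QNetworkRequest & parameter from the createRequest signature quoted at line 473, so req.setRawHeader(...) will not compile; copy the request first (QNetworkRequest request(req);), modify the copy, and show it being passed on to QNetworkAccessManager::createRequest so the reader sees the whole override. The snippet also sets both Referer and Origin to "/" without saying why that value was chosen; add a sentence or point to the #RefererHeader section, where that policy is discussed.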
     
    490523aggressive cache-clearing policy.
    491524
    492 == 11. DOM LocalStorage/DOM SessionStorage/DOM GlobalStorage ==
     525== 12. DOM LocalStorage/DOM SessionStorage/DOM GlobalStorage ==
    493526Private browsing in WebKit denies read and write access to DOM storage since
    494527https://bugs.webkit.org/show_bug.cgi?id=49329.
    495528
    496 == 12. GeoLocation ==
     529== 13. TLS/SSL Session IDs == #SessionIDs
     530WebKit does not implement your TLS/SSL network connections, but if you are offering
     531a tracking-resistant mode to users you will need to ensure that you keep a separate
     532TLS session cache for tracking-resistant mode.
     533
     534You need to avoid the situation where a user can go to https://gmail.com in
     535ordinary mode, open a window in tracking-resistant mode, go to https://gmail.com and
     536use the same TLS Session ID from ordinary mode to resume that TLS session.
     537
     538For more information see:
     539  * http://code.google.com/p/chromium/issues/detail?id=30877
     540
     541== 14. TLS/SSL Client Certificates ==
     542As with [#SessionIDs Session IDs], WebKit is not responsible for your SSL stack. But you will need to ensure
     543that you keep a separate certificate store for use in tracking-resistant mode.
     544
     545See also:
     546  * http://code.google.com/p/chromium/issues/detail?id=47129
     547
     548== 15. GeoLocation ==
    497549
    498550You will, um, need to ensure you disable geolocation if it supported by your
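
Review bot: Sections 13 and 14 (lines 530-543) only cover a browser with a switchable tracking-resistant mode, while the section added at lines 111-121 of this change also describes an always tracking-resistant browser that purges cookies and cache objects; say whether that browser should purge the TLS session cache and certificate store on the same schedule. Since both sections open by stating that WebKit does not own the TLS stack, it would also help to say which component a port author is expected to configure, in the way the QtWebKit header subsection added in this change does for HTTP headers.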
     
    504556  * https://www.torproject.org/torbutton/design/#FirefoxBugs
    505557  * http://browserspy.dk
    506   *http://blog.torproject.org/blog/firefox-private-browsing-mode-torbutton-and-
    507   fingerprinting
     558  * http://blog.torproject.org/blog/firefox-private-browsing-mode-torbutton-and-fingerprinting
    508559  * http://www.collinjackson.com/research/private-browsing.pdf
    509560  * https://wiki.mozilla.org/Security/Anonymous_Browsing
     
    513564  * https://wiki.mozilla.org/Thirdparty
    514565  * http://lists.macosforge.org/pipermail/webkit-dev/2009-May/007788.html
    515   * http://flippingtypical.org
     566  * http://flippingtypical.com
     567