Not sure why battery is exposed; I guess that's the result of making browsers more like OSes.
The only really annoying thing is the idiotic WebRTC settings. Their beloved "data channels" run with zero prompts despite having no legitimate uses[1], and they ignore your proxy settings. This should be fixed.
1: I asked someone involved with WebRTC. They suggested "maybe a page wants to communicate with your fridge directly" as a serious use of WebRTC data channels.
Yeah, and that's also a great example of what should NOT be allowed without the user's EXPLICIT permission - simply visiting a link should not result in a torrent download!
No, it doesn't just use a different protocol. It ignores your network settings (proxy) and exposes your local network information.
I can understand not wanting to scare people with "Allow P2P Data Channel", but ignoring proxy settings and revealing all IPs is unacceptable. WebRTC folks toss off these concerns with "there's no way to prevent tracking so heh".
Simply visiting a link already exposes a lot by default: browser, OS, resolution. The major browsers are not built for these needs; best experience comes first. BTW: there are extensions to block the WebRTC IP leak.
We should be reducing the amount of data exposed and fixing the mistakes of the past that allowed so much data to be easily exfiltrated.
> Best experience first.
"Best" is not a defined term. What software developers should (always) be providing is the safest method first. Fancy UI tricks are a far lower priority than safety. If there is any doubt, fail safely.
Anybody that isn't putting safety first is being incredibly irresponsible. Stop leaking data and design for safety and security first. Yes, it will be harder to make a nice user experience. In time, this will improve, but in the meantime safety is not something that can simply be ignored.
> extensions
Safety is not an optional feature that only some people should have.
<video> tags are a more standardized part of the web. Although I should be able to disable auto-buffering as well as auto-play.
Ideally the user can control whether all types of content get loaded—images, CSS, JavaScript, web fonts—or even allow/deny individual domains or files, but so far browsers require an extension like uMatrix for that.
The fact that some browsers do allow you to control these things, even if you have to use an extension because they don't support it themselves, is crucially important and totally acceptable. AFAIK there is nothing equivalent to NoScript for IE, however, so that's just one of many reasons I don't use it.
I don't really mind the trend in browsers over the last several years to give explicit access to more OS resources, it frees us from both Flash and Java Applets, Adobe's PDF reader, and other crap. But I'm not sure the browser replacements, at least in the short term, will actually get the security models any better. Is there any reason to prefer all these new JS APIs over allowing a Java Applet, besides "Java Applets are insecure"? It's certainly not performance -- I know many people chuckle when someone demos the latest X in JS (with or without WebGL) where X was done better with less hardware years ago via an applet. Secure or not, it's incredibly difficult to actually run an applet these days, and it's a strange disconnect with how the browser is fine doing so much else without warning. Will we see a similar increase in difficulty for running JS that can be just as insecure?
I've been a NoScript and adblock advocate for many years, but the first is often met with alien stares and the second is only successful when I install it on their browser myself or when I'm recommending adblocking to either other technical people or people who really hate ads even on TV. There's a weird resistance some people have that can get brought up in both cases, though, and it's probably going to take more than a few big public fails due to malicious websites before people will stop bringing it up. The argument adblocking users have been making for ages: this is my computer, my browser, and neither is under any obligation to act in a particular way based on the contents of what your server sends me. I don't like your ads? I can choose not to see them. I don't trust your JS? I can choose not to execute it. I don't like your theme? I can load my own. It's very weird to me that people oppose this view.
Do you use NoScript every day? While it would make those annoying APIs go away, I think the website experience would become a bit poor, and some sites might not work properly at all.
It's funny with WebRTC, because I remember when the same could be accomplished with Java applets (Java ignored any proxy settings, which made it possible to deanonymize people on the internet; e.g. being behind Tor no longer mattered if you had Java enabled). I think it was considered a security bug and patched later. It seems the WebRTC people are not so security-minded, I suppose...
I am not sure whether this battery section (and some others) isn't just FUD, because I currently have no battery in my laptop (no battery detected), yet the site says "Charging: charging", "Battery level: 100%", "Charging time: 0h".
Just like with mobile apps, battery info can help websites decide whether they should run a complex operation now. It also helps detect regressions if a commit happens to suck power faster. Unfortunately, it's more bits available to deanonymize users across websites.
Data channels are useful for synchronizing your phone and your laptop. All native platforms support this. Most websites do it with a round trip to the server. So it would be mysterious to the user why a permission prompt appears for something that should just work. Obviously it's bad for privacy though.
So painting it as having no legitimate uses is a bit one-sided. There is no easy fix.
What websites do CPU-intensive work that can be delayed for hours?
In general I want a website to suck as much power as possible so it can be done sucking power as soon as possible, whether I'm on battery or not. If you want to find waste, track execution time and bandwidth use.
I'm not sure I understand your point. Many apps (would) benefit from delaying some tasks and waiting to be on charge and a wifi connection. Typically, synchronization for example requires the device to be awake for a long period because of network roundtrips, transfers, disk seeks and CPU work. Software updates are similarly impactful on the battery.
At least, it makes sense to measure battery usage to optimize your code. And in my opinion, it's also beneficial to react to battery events (delay when on low battery, process when on a wall socket) and network events (bad coverage vs. strong wifi).
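As a sketch of that idea, here is what battery-aware scheduling could look like with the Battery Status API (`navigator.getBattery()`). The 20% threshold and the `shouldDefer`/`scheduleSync` names are made up for illustration; the decision function is kept pure so the policy itself is easy to test:

```javascript
// Decide whether to defer heavy work (sync, uploads, updates) based on
// battery state. Pure function, so it is testable without a browser;
// the 20% threshold is an arbitrary example.
function shouldDefer(battery) {
  return !battery.charging && battery.level < 0.2;
}

// Browser-only wiring: navigator.getBattery() resolves to a BatteryManager
// with `charging` (boolean) and `level` (0.0 to 1.0) properties.
function scheduleSync(runSync) {
  if (!navigator.getBattery) return runSync(); // API unavailable: just run
  navigator.getBattery().then(function (battery) {
    if (shouldDefer(battery)) {
      // Wait until the device is plugged in before doing the work.
      battery.addEventListener('chargingchange', function onCharge() {
        if (battery.charging) {
          battery.removeEventListener('chargingchange', onCharge);
          runSync();
        }
      });
    } else {
      runSync();
    }
  });
}
```

The same pattern extends to network events (e.g. the Network Information API, where supported) for the "bad coverage vs. strong wifi" case.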
Battery levels are exposed in the Battery Status API [1] which is currently implemented on Firefox and Chrome, both desktop and Android editions [2] but not on iOS.
- some stuff from my User Agent string (changing it to IE11 made it think I'm on Windows 8)
- my public IP, network provider and approx. downstream speed.
I don't use Facebook or Google so I don't know if those things would have worked.
None of the network scanning worked, it didn't use the geolocation stuff, etc.
If Chrome/Firefox/IE do allow access to all/some of those things without prompting, jesus titty fucking christ.
All of you claiming "Safari is the new IE6" need to perhaps pay attention.
Google has a vested interest in pushing browser technologies regardless of the cost to privacy or user security - their ChromeOS devices depend on a world where web apps can do everything.
Same here, it didn't detect some of the things it should have (theoretically?), e.g. AdBlock plug-in, Twitter & Co., and the EXIF data wasn't fully exposed. The geo location was wrong by some 70 miles, but that's a question of a proper geoip database I suppose.
I don't think that's possible without the user's permission, so no, it's likely one of those public GeoIP databases, which are usually a bit behind, inaccurate and incomplete.
Hmm yes, quite odd. The first time I loaded the site, nothing appeared in the location area, leading me to suspect that it was abusing a prompt-less device location API.
After your comment I loaded the page again, and sure enough it shows a very specific, but quite wrong, location. Wrong province, even.
I actually got better GeoIP results than that (down to the local city) on my old broadband connection. I just tried it now (we moved 2 km and changed ISP, from DOCSIS to ADSL) and all I get is the country; possibly because the new IP is dynamic, whereas our DOCSIS IP never seemed to change.
So it's kind of creepy on Google's part that they even offer this service, but the data seems to be so woefully useless that I can't believe anyone would actually use it.
It helps you figure out if a user is signed into a social network. One might think this is not possible because of cross-origin restrictions, but this trick shows you how to bypass them.
The login page will redirect to the favicon if the user is already logged in, or it will serve a regular HTML page if the user is not.
So, the script creates an (invisible) <img> element for every website, pointed at the login page (which might redirect to the favicon). If it receives an image, the user is already logged in and the onload callback will fire. Otherwise, it gets an HTML page back, so the onerror callback fires.
It could work with any image on the website, not just the favicon.
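A minimal sketch of the trick in browser JavaScript, under the assumption described above (a login page that honors a next-style redirect parameter); the URL shapes and function names here are illustrative, and sites change their login URLs over time:

```javascript
// Build the probe URL: a login page that, for an already-logged-in user,
// redirects straight to the `next` target (here: an image, the favicon).
function probeUrl(loginPage, imagePath) {
  return loginPage + encodeURIComponent(imagePath);
}

// Browser-only: resolves true if the redirect produced a loadable image
// (user is logged in), false if an HTML page came back (user is not).
function checkLogin(url) {
  return new Promise(function (resolve) {
    var img = new Image();                        // invisible, never in the DOM
    img.onload = function () { resolve(true); };  // got an image: logged in
    img.onerror = function () { resolve(false); };// got HTML: not logged in
    img.src = url;
  });
}
```

Usage would be something like `checkLogin(probeUrl('https://example.com/login?next=', '/favicon.ico'))`, repeated per social network with that site's actual login-redirect URL.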
This is a perfect example of what an attacker could do with your browser. If you can get a user's browser to run code, as this site demonstrates there is a lot of information you can find. And coupled with a Cross-Site Request Forgery, you could get access to a bunch of things. If your home router has a vulnerability that bypasses authentication and allows you to execute commands on the router or similar (which is not uncommon, home router security is awful), you could get a foothold into the network just by sending someone a email with links that they are likely to click on.
Note to the author: I am not entirely sure how the WebRTC connection gets you a local IP; it seems to be connecting to stun:stun.services.mozilla.com. Anyway, that grabs the wrong local address for me and gets the IP of my docker0 interface. Perhaps it could grab more IPs, or is it just displaying the first one it finds?
Edit: Oh, the getIP function just calls the callback on the first candidate it finds.
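For reference, a sketch of how a page could collect all candidate IPs instead of stopping at the first one (which would have surfaced both the docker0 address and the real LAN address). The regex is a simple IPv4 extractor; the `gatherLocalIps` wiring is browser-only and the function names are mine:

```javascript
// Each ICE candidate line looks roughly like:
//   "candidate:842163049 1 udp 2113937151 192.168.1.7 53705 typ host ..."
// The connection address is the first dotted quad in the string.
function extractIp(candidate) {
  var m = /([0-9]{1,3}(?:\.[0-9]{1,3}){3})/.exec(candidate);
  return m ? m[1] : null;
}

// Browser-only: gather IPs from every candidate via a throwaway
// RTCPeerConnection with a data channel. Host candidates need no STUN
// server; adding one (like stun.services.mozilla.com) also yields the
// public (server-reflexive) address.
function gatherLocalIps(done) {
  var pc = new RTCPeerConnection({ iceServers: [] });
  var ips = new Set();
  pc.createDataChannel('');
  pc.onicecandidate = function (e) {
    if (!e.candidate) return done(Array.from(ips)); // null = gathering done
    var ip = extractIp(e.candidate.candidate);
    if (ip) ips.add(ip);
  };
  pc.createOffer().then(function (offer) { pc.setLocalDescription(offer); });
}
```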
I suppose something that's unlikely to ever 404, and on a CDN that's "fast" for folks everywhere in the world would be best, so upload.wikimedia.org is a good choice.
I actually locked myself out except for console access, so some of this is from memory/Googling:
1. Connect Raspberry Pi to local LAN and get wifi setup (I VLAN wireless traffic, so I have it listening/connected to both)
2. Change iptables default policy to DROP
3. Add relevant ALLOW rules to make sure basic stuff like DHCP still works. I added an allow rule to talk to another machine that runs a PHP script that talks to Twilio
4. Spend about a week adding custom DROP rules for any normal broadcast traffic on your network (Bonjour, random auto-discovery stuff, etc)
5. If you have properly excluded everything "normal" you should be able to run "iptables -vL" about 24 hours apart and the packet count next to the INPUT chain policy will not have incremented (remember the default policy is DROP)
6. Add a final rule of 'iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "ZOMG: " --log-level 4'
7. Write a bash script to monitor syslog, parse the log, and forward matches to the aforementioned script on the other host
I think a button would be more appropriate. Not everyone reads HN on a network they control and port scanning one's neighbors can lead to some unpleasant conversations.
Weirdly it's wrong for me, there's LAN IPs on the list that don't exist, and it's missing ones that do. Firefox on Ubuntu, with uBlock Origin, over WiFi.
You should also fix the copy. You have "To prevent your browser from accessing your Device Orientation use NoScript." appear twice, the second time under "Network Scan".
Someone should make a smartphone app version of this to demonstrate what is accessible via the app permissions that most people just blindly accept at install time.
"Here are all the nudie pics on your phone as identified by our nudity detection algorithm. Here is a list of your probable work and family contacts. Here is the MMS that you really don't want this app to send on your behalf!"
Only for the very latest versions of Android OS that most people don't have and probably won't for several years due to Android's software distribution model.
Outside our tech filter bubble where we upgrade to a new flagship phone every year, millions of people use low-cost, prepaid, or hand-me-down phones that have long been on the market, and stopped receiving software updates years ago through the broken supply chain of AOSP -> device mfr -> carrier.
I didn't realize that browser would spill my local IP address, or might be able to scan local devices in the same network. Shouldn't browsers have settings to enable/disable access to device sensors or data?
While it will hardly surprise any of the HN audience, it's a GREAT showcase for a less technical audience.
I see that you removed automatic network scanning due to a comment here; but since it's an educational project, I think it would be valuable to add a comment that explains that a malicious website could get that info without consent.
I see NoScript being recommended, but if you're not using Firefox this isn't an option. Luckily both uBlock[1] and uMatrix[2] are cross-platform and will work on most (any?) Chromium-based browsers as well as Firefox. All instances of uBlock in this post are referring to uBlock Origin[1].
In addition to NoScript, both uBlock[1] and uMatrix[2] can be configured to block JavaScript (you can block both 3rd- and 1st-party JavaScript with either). In fact, even on Firefox I would recommend trying uMatrix instead of NoScript because of the interface, but my opinion is probably biased since I've been using it for some time now. You can keep NoScript enabled in this situation; just make sure to whitelist TLDs and allow scripts globally (and remove the built-in whitelist while you're at it).
If you want a simpler solution that offers the best bang for your buck, then using uBlock in medium mode[3] is what I would recommend. This blocks 3rd-party scripts and iframes globally. Any page breakage that occurs as a result can be very easily handled by setting a noop for scripts and/or iframes for that page's scope. You can also block 1st-party scripts if you really want to, but it will likely cause a lot more stuff to break. uBlock can also enable browser settings that will prevent WebRTC leakage under certain circumstances.
On a side note if you're using even just uBlock then that will likely remove the need for running additional privacy extensions (save ones that deal with cookies) like Disconnect which also block network requests (you can use the Disconnect lists from within uBlock). uMatrix does give you the control over cookies.
I switched from easy to medium mode after following your advice. How would you suggest dealing with, for instance, youtube.com, now that no videos will load?
Btw only hard mode stops any browser details leaking on the test site: http://webkay.robinlinus.com/ which is awesome, but I wonder how much time you have to spend fixing all the sites that you visit that will be broken in this mode.
The easiest way is to enable 3rd-party scripts on YouTube: while on youtube.com, open the uBlock Origin menu and set 3rd-party scripts locally to noop. After you enable advanced mode, the two columns that now appear are for blocking stuff globally (left side) and locally (right side). Globally blocked stuff (like the 3rd-party scripts and iframes you blocked when setting up medium mode) automatically applies to the smaller scope (local to the site currently open).
To unblock scripts, just turn the 3rd-party scripts block to gray, which equals a noop. Green is explicit allow, which is what we DON'T want, since we still want filtering from the filter lists to apply. Basically, to unbreak sites you start by setting 3rd-party scripts to noop, then iframes if that doesn't fully fix the site. This setup is rather coarse-grained, but it is the easiest way to increase security and privacy with the least amount of user interaction (the most bang for your buck, basically).
As you browse with this "medium mode" you'll probably interact less and less as your dynamic filtering list gets built up. I wouldn't recommend using the "hard mode" since there's not a lot to gain from it and it will cause a lot more breakage.
Edit: Also I just noticed this but font blocking is also enabled in the medium mode screenshots. This isn't part of the described medium mode and the author of the screenshots likely forgot to turn it off before taking them. However you're free to try it out if you want but keep in mind it can break the look and feel of sites. Also it may not actually block the downloading of the font if you're using Chrome or a Chromium based browser so there's less of a reason to use it on Chrome.
Learn to use "Dynamic filtering" or read about the "Blocking modes", for example; uBO's abilities far exceed those of your average ad blocker that relies only on filter lists:
https://github.com/gorhill/uBlock/wiki
Not much of interest showed up for me. Monitor resolution, browser ID, geo location, OS and public IP.
My main browser, Firefox, has uBlock and Self-Destructing Cookies. Tried it in both IE11 and Edge (both of which I never use), and I got pretty much the same result. Firefox and Epiphany on Gentoo Linux also failed to startle me.
I'd like to see a screenshot of a "worst case scenario".
> Geo Coordinates: [lat,lng about 90 miles from the correct location]
I find that error hilarious, because I set up correct in-addr.arpa and ip6.arpa reverse DNS entries for my (static) IP, which return a domain name that has an accurate LOC record. My IP is two DNS queries away from my location (~10m precision), yet most of the time everyone uses these GeoIP databases instead of LOC.
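For anyone curious, the setup described amounts to zone entries roughly like this (all names, addresses and coordinates here are made-up examples; the LOC record format is specified in RFC 1876):

```
; Reverse zone: point the IP back at a hostname
7.113.0.203.in-addr.arpa.  IN  PTR  host.example.net.

; Forward zone: attach a LOC record to that hostname
; (deg min sec N/S, deg min sec E/W, altitude, size, horiz/vert precision)
host.example.net.  IN  LOC  52 22 23.000 N 4 53 32.000 E -2.00m 10m 10m 10m
```

Two queries: PTR on the IP, then LOC on the resulting name.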
I found it shockingly accurate -- it gave the address of a house I can see out my window. I'm on an entirely wired connection, so I know it's not doing it via any sort of wi-fi location, but perhaps my ISP lays out IPs very predictably or something.
This shows just how powerful JavaScript can be --- without it, the site shows nothing.
...which is not entirely correct, since your user agent, request headers, and IP are still visible. There's plenty of other sites which will show you those without requiring any client-side scripting. Here's one just from a quick Google search:
I found it interesting that it could read my battery level and discharging time. As for device orientation, I think I've seen that before but I had forgotten about it being possible.
How about homemade "browsers" that are powered by netcat?
As one informal poll appeared to show, many users questioned on the streets of an American city did not even know what a "browser" was.
Most times I only want to retrieve files (download) via some daemon running on some remote computer and then view them on my computer. That includes text, hypertext, or binary. Pretty much the same as in 1993.
I rarely use a graphical browser to do this. It is not needed.
Instead, today, unlike 1993, I am using a graphical "browser" to _play video_ after I download it (no internet connection). But playing a video file is not "browsing". Something is not right.
Surprised the website didn't list installed fonts anywhere. Fonts, alongside other device details, can be a great way to fingerprint a browser/user.
Edit: Actually, I believe you need Flash or a Java applet to actually get a list of fonts installed. But you can do other, slow, iterative approaches via JS.
After Panopticlick, I consider lots of things quite capable of fingerprinting users. What I like is that this site shows what it knows about you without a previous visit. A site doesn't need to have seen you before and tracked you all over the web; it can infer things from what is sent the very first time.
Of course, this isn't the first site to remind of us of that, but the reminders are still good, and interesting to learn about!
The social media thing is cool, I didn't know that trick of using the favicon.ico img under the login of a site to see if the image will load or not. That's pretty nifty
For some reason, this worked really badly when I tried it. About the only things it figured out were that I run Linux on an x86_64 system and use Firefox. Well, it did get my ISP right, so that pretty much limits my location to a single country. Even my display resolution was not right. It did find quite a few devices on my network. All of them non-existent, though.
After checking out the demo, it was scary to realize that websites can access an unexpectedly large amount of information about me.
So I installed Tor with the Noscript addon and the demo was not able to access any details at all. Well it did show my ISP and hardware details, but it was wrong.
This should be the default setup in a browser, Tor+Noscript.
The issues of constant captcha harassment and slow browsing speed using this setup need to be addressed. Slow browsing can be addressed by adding more nodes to route traffic. Regarding the captcha issue though, I am not sure about a good working solution.
>This should be the default setup in a browser, Tor+Noscript.
That's just unrealistic for most people, especially the Tor recommendation. Script blockers are troublesome even for tech-savvy individuals, though I highly recommend blocking scripts for anyone who can "handle it". Gorhill's work (via uBlock Origin) provides a much more realistic way of disabling these kinds of malicious and/or invasive actions. Not sure if they're currently blocked, but he's made strides to block crapware and its kin, so this might not be so far off.
I didn't like that it was able to obtain my battery information. I discovered that this can be prevented in Firefox by setting dom.battery.enabled to "false" under about:config.
Some interesting things could happen if you were to start collecting every user's visit with a timestamp.
For example, ip address + timestamp + even a rough geo ip location could reveal travel patterns of users simply visiting your site.
Let's say those travel patterns include visits to nations less friendly to the US and you just might find out some details about someone ( or at least a certain IP ) they really wouldn't want you to know.
All you need is a web server and a little bit of javascript.
There is literally a "network scan" section of the page that informs you it's scanning devices in your local network.
That's why you see WebRTC requests to internal IP addresses. I do not see any requests to the router admin panel, and in fact it looks like the code specifically avoids sending a WebRTC request to the gateway IP (x.y.z.1).
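For illustration, the target list such a scan builds might look like this, assuming a /24 network and skipping the gateway at .1 as the code appears to (`scanTargets` is a hypothetical name, not the site's actual function):

```javascript
// Build the list of addresses a naive LAN scan would probe, given the local
// IP discovered via WebRTC. Assumes a /24 and skips .1, the usual gateway.
function scanTargets(localIp) {
  var base = localIp.split('.').slice(0, 3).join('.');
  var targets = [];
  for (var host = 2; host <= 254; host++) {
    targets.push(base + '.' + host);
  }
  return targets;
}
```

Each target would then be probed (e.g. by timing a fetch or image load) to guess whether a device answers at that address.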
Thanks for the nice demonstration. It looks like the speed test is running off a fairly random source image that might not be yours. If it isn't, you might want to host your own image for it.
I visited the page once on my Android using my HN app's built-in webkit browser, where it displayed some interesting stats like the location, the battery level, ISP, etc.
I opened the same link in Firefox Android with uBlock Origin installed, and got no hardware stats other than the kernel, no software stats, and no IP.
My takeaway from this is to NEVER use an app that uses Webkit.
I'm not sure if that was the intended purpose, but thanks for the eye-opener anyway!
> My takeaway from this is to NEVER use an app that uses Webkit
You're talking about WebKit on android, which was ported there by Google.
The original WebKit (as WebKit, not khtml) browser (Safari) doesn't leak all that information, so my take away would be not to trust a company obsessed with collecting private information and pushing all things into a browser, to have the best track record when it comes to protecting your privacy.
My takeaway would've been; use some sort of protection, like NoScript, uBlock, etc. The choice of web-browser engine seems less important when you globally allow javascript or other similar capabilities.
This is true, but on Android this is not possible on Chrome or the default webkit browser, as Google doesn't allow extensions. So my point still stands.
Between NoScript and Random Agent Spoofer, nothing is correct except my resolution and a couple of plug-ins (like Flash and VLC).
Shutting NoScript off doesn't make too much difference, and I don't think RAS does that much (some sites seem to see through it), so it must be one of the other addons (uBlock Origin, Disconnect, BetterPrivacy, HTTPS Everywhere).
Yes, this will reveal sites that serve broken pages requiring JavaScript to render what is usually static content (skipping progressive enhancement is lazy and unprofessional). Are those sites worth the expense of everyone learning more fingerprintable data about you and your browser?
The WebRTC scan that others are complaining about is another good reason to shut off javascript. Are other sites doing similar scans, perhaps in a less obvious way? It is insane that random pages even have that ability; it's a huge attack surface that is mostly unknown and unexplored.
> private mode
That's mostly about not leaving data trails on the local device (hence the "porn mode" nickname).
> (skipping progressive enhancement is lazy and unprofessional)
Single page apps are definitely in the "lazy" category. If you send a page without content, that page is broken. You should be prioritizing the safety of your readers.
If developing proper pages is difficult with your development tools or methods, then you should find a different method - ideally something that handles the progressive enhancement for you.
This gives me the idea of creating a "NoScript" label for websites that don't use JavaScript. It could be information passed in the page header as a specification (contract). I have a few websites without JavaScript.
I assume you're talking about the <noscript> element (as opposed to something to do with the browser extension with a similar name)?
In which case, it is definitely worth making websites as usable as possible without JavaScript. <noscript> is supported by pretty much all web browsers, including iOS Safari.
Even if your website relies heavily on JavaScript, it is still a good idea to let non-JavaScript users know via a <noscript> element that JavaScript is required, instead of having the page look like a broken mess (or a blank screen).
Do also keep in mind that search engines (generally) do not run JavaScript, so if you want page content to be indexed, it has to be present on the page as it is rendered without JavaScript. <noscript> may help achieve that.
Seeing all the "This site requires JavaScript, please turn on JavaScript and refresh the page" messages I get makes me think of putting all your content in <noscript>s, and then adding a script that writes "For your privacy and security, this site requires that your browser not run JavaScript. Please disable JavaScript and refresh the page." followed by links to sites explaining the bad side of JS-on-by-default and how to turn it off with things like NoScript.
Maybe it'll take off and people will understand, maybe not. But it's something worth pondering.
Safari on iOS doesn't leak anything out of the ordinary for me. The geolocation was way off, identifying my iPhone as being in London (likely due to me accessing the page over a mobile data connection).
You should also be able to detect Retina/normal DPI, in addition to the reported resolution. A bit of "responsive" CSS and checking what was selected using JS should be enough?
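In practice no responsive-CSS trick is needed: `window.devicePixelRatio` (plus `matchMedia`, if you want a second check or change notifications) exposes this directly. A sketch, with the bucket names and thresholds being arbitrary:

```javascript
// Classify a devicePixelRatio into a coarse DPI bucket. Pure, so testable.
function dpiClass(ratio) {
  if (ratio >= 3) return 'very-high'; // e.g. many recent phones
  if (ratio >= 2) return 'retina';    // typical "Retina" displays
  if (ratio > 1)  return 'scaled';    // OS zoom / fractional scaling
  return 'normal';
}

// Browser-only: the ratio is exposed directly, no CSS tricks required.
function reportDpi() {
  return {
    ratio: window.devicePixelRatio,
    class: dpiClass(window.devicePixelRatio),
    // matchMedia confirms it and can fire when a window changes screens:
    isRetina: window.matchMedia('(min-resolution: 2dppx)').matches
  };
}
```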
Heh, the facebook like detection thing failed utterly. Not sure how, or why. But, I am not even logged into facebook on this computer - and never have been. :-)
If I remember correctly, geoIP traces get your location accurate to your nearest neighborhood Fios box ( or similar ). In cities there's usually one for every few blocks.
Me too; my tower is in fact "laying", not standing, on a table. Just as an aside, that declaration has a typo: it should read "probably", not "propably".