Another is security chicken and egg. "Because A isn't secure, there's no point in securing B. And because B isn't secure, there's no point in securing A." I've seen arguments along those lines used against improving the security of, for example, DNS and SNI. Or just DNS in general. "There's no point in securing DNS because your ISP can see what IP addresses you connect to."
The all-or-nothing argument has been used to argue against HTTPS. "State actors like China can circumvent HTTPS, since they control trusted CAs! So why use HTTPS at all?"
Then there's the arguments against security because "it makes development harder!" People have argued against mandatory HTTPS saying that it makes developing websites harder.
The list goes on.
Luckily it seems that pro-security and pro-privacy succeed in the end, for the most part. But those that use these pathological arguments have certainly delayed things more than they should have been.
Where foobar.js just returns something like "var id=0x1234567", the user who doesn't want to be fingerprinted cannot cache this script because it could be uniquely generated.
I think there is a chicken and egg here combined with IP incentives to not fix how web browsers work.
I hoped the great firewall would have accidentally fixed this by making it preferable to refer to hashes that can be found in peer caches irregardless of CDN status.
There is no easy fix to this.
The most anonymity concious would realize they are trying to do banking in what is supposed to be their anonymous session and never fetch the file.. if they somehow missed that they were entering auth details?
The way things need to work on the web involve choices that you apply differently (or IE applies for Windows users.) The defeatist response is not to implement any choices. A typical user will want a small number of PII sites, so let's have only PII mode and autofill their details into forms in any blog!
Am I missing something here?
For example, "weather_at_your_geoip.js".
If it's not cached, then it has to be fetched synchronously for anything depending on its value to work - so it's slow.
If it is cached, then the cached value is known.
If the JS triggers another download, and the browser requests the second resource before the initial JS is done downloading...
Luckily, I guess, securing yourself against state level actors keeps you safe from everyone else that's trying to do bad things, so, win/win?
We don't have locks on our front doors to make it impossible for unwanted people to get inside our houses, we do it to prevent the average person, deter the interested criminal, and hopefully give us warning when it is or has happened.
> Luckily, I guess, securing yourself against state level actors
To be clear, there is no securing yourself against state level actors. You can harden yourself, and reduce your target area and/or footprint, but there's no way to actually make yourself secure.
Yes. Your best bet is hiding. Once you're identified, it's basically over. It's just another facet of the state monopoly on force.
I mean, consider guns. In the US, citizens can own guns. And armed private security is OK, too. But there's consistent push-back against private militias, armies, etc. Unless they work only outside the country, in acceptable contexts.
You can, if you gain the support of an opposing, comparable state actor. That's what Snowden has employed. But 100% security is still a myth, not only against state actors... reality itself is just not like that. Unless you can hide inside a black hole.
First and second tier websites already switched it on long ago. Because in China we had an ancient tradition for ISPs to sniff and modify user's traffic to (for example) inject their own affiliation codes to the web request. Those websites hates it of course.
Given Chinese govt has been controlling some CAs, China vs. HTTPS irony is.. well, less of an irony :)
And of course, in the context of CA, what's truly important is transparency in the audit process and continuous monitoring. Catch them red handed will end their business once and for all. And so far, most of them are rule-abiding.
I don't see the flaw in that one. It does seem kind of extra to secure DNS. What's the argument in favor?
> "State actors like China can circumvent HTTPS, since they control trusted CAs! So why use HTTPS at all?"
This one I agree is wrong, but not for something-is-better-than-nothing reasons. I think it's wrong because when Chinese CA's abuse their position they get blacklisted: https://arstechnica.com/information-technology/2015/04/googl...
If ISPs control your DNS, then they can block domains they don't want you to reach or redirect unknown domains to their own ad pages like Comcast has in the past. If you use someone else's DNS, your ISP could still block network packets sent to certain IP addresses, but they wouldn't want to block all AWS IP addresses just to block one site on AWS.
> when Chinese CA's abuse their position they get blacklisted [in Chrome]
AFAIK, Chrome has very small market share in China. Most Chinese users use chimeric browsers that combine Chromium and IE's Trident engines. Many Chinese bank and government sites require NPAPI plugins for custom crypto, so the popular browsers can seamlessly switch a tab from Chromium to Trident for sites that are known to require plugins.
Well, that's sort of what Russia did to try to ban Telegram...
Even on the Russia side of things there are advantages.
If you use your ISP's DNS, they can block a specific site or service with very high granularity and zero cost. If you don't, they can still block things, but they have to resort to cruder methods that risk annoying customers/citizens and degrading their overall network health.
Over time these extra annoyances might become a kind of death by 1000 cuts, allowing ISPs and countries that don't censor to outperform them in ways that even ordinary, privacy/freedom ambivalent people care about.
This is all quite proper. It's healthy for censorship (even when it's possible) to have costs. Where possible, we should try to build technological infrastructure so that networks that censor won't be able to compete on an even ground with the networks that don't.
But if you are using VPNs and/or Tor, it's crucial to secure DNS. Tor exits do DNS lookups for clients. And properly configured VPN services do as well.
In TLS 1.3 (not yet officially published as a standard but basically finished and already drafts are used by Firefox, Chrome, and Cloudflare) only SNI remains plaintext.
So yes, the FQDN you're connecting to will still be revealed, but an adversary can't trust it, unlike the certificate itself, you could be lying if the remote server lets you.
If you scroll back a few days HN discussed the Internet Draft about SNI encryption (it's a problem statement rather than a proposed solution) so they want it, it's just not clear how it could be done (there are lots of bad / ineffective options)
Perhaps the ISP has fingerprinted the pages of every website on every shared IP address so they can easily determine which website the user is visiting? Why rely on unencrypted DNS or unencrypted SNI when it is so trivial to map IP addresses to domains.
A poor example, but consider this single IP address 18.104.22.168 with a reverse lookup returning a 23M list of 1,283,151 domains.
Why not make some browser extensions that randomly connect to all sorts of websites and download random web pages?
There's plenty of bandwidth for us to do that these days, and your real browsing habits should be able to hide in the noise.
Of course, for something more sophisticated, the "random" browsing should statistically match real web browsing, to make traffic analysis more difficult.
What’s popular in the tech community is some combination of laziness and naive political cynicism masking as strategy or anarcho-libertarianism.
What are you referring to?
The issues you are raising are indeed real issues, that will be eventually addressed. And that "eventually" largely depends on the pressure that privacy-minded consumers create.
And just because they are not addressed yet, it doesn't mean we shouldn't care about fixing other weak links.
Es, my CC company can infer a lot about me. Yes, they may even be selling that information to others. That doesn’t mean that I want anybody who can MITM my requests to be able to see what I’m doing (or, worse, send me forged content for whatever purpose).
Merchants rely on cc info to track consumer behavior.
Projects like ShopIn.com give me hope that blockchain may decentralize this data and put control back in consumers hands.
If they decide that’s important to them.
Google uses browser fingerprinting for their ads, and to make sure a real user is requesting their services.
I would trust Safari a lot more to implement something like this.
As long as they know the source IP, they can implement some form of tracking.
Browsers in category (2) are not trackable, even though they appear to be fingerprintable. Each page request is a different fingerprint.
What is unclear from the article is whether the studies mentioned (EFF, INRIA) considered that and tested that. Does anyone know? Because privacy does not require non-unique fingerprints, it just requires untrackability.
Other settings stop giving out a list of plugins or fonts. And e.g. unlock or umatriz can rotate your user agent.
It’s not perfect, but with a few tweaks Firefox is much much harder to fingerprint - though IPv6 tends to undo all of that because many providers assign a prefix per customer which will never change and can be used by anyone to correlate.
> privacy defenses don’t need to be perfect. Many researchers and engineers think about privacy in all-or-nothing terms
So browsers can't stop fingerprinting but they can reduce it, and the article author's title falls in the same all-or-nothing trap that they criticize others for. Too often practicality is viewed as defeatism. I don't remember defeatism, I remember practical limitations to stopping all uniqueness vectors but realization that some can be stopped.
But: I don't care if only 5% of internet users are uniquely identifiable. I care if I am uniquely identifiable.
It wouldn't be hard to rank the various attributes by entropy and then you - individually - could calculate the probability that you'd be uniquely identifiable.
Seems like such work would be valuable.
Note that identifiable comes is degrees. If they can't tell me from my wife that doesn't matter for most purposes.
And sees it as an indicator that preventing fingerprinting is possible:
Only a third of users had unique fingerprints,
despite the researchers’ use of a comprehensive
set of 17 fingerprinting attributes.
They also don't seem to measure the performance of CPU, RAM and GPU when performing different tasks.
But yes: Browsers should do more to prevent fingerprinting. But it seems they have no inclination to do so. That they don't plug the WebRTC hole that leaks the local IP is a strong indicator for me that privacy is low on the list of the browser vendors. Or maybe not on the list at all.
Curious, how would that work exactly? (I've never used WebGL yet in any code).
> If it caches resources, adversaries can discover browsing history.
Same question. I was under the impression that cached resources can be accessed only by the domain that introduces them.
About cached resources, it's my impression that adversaries can exploit XSS vulnerabilities for detection. Most simply, you just measure load time.
However, I was using VirtualBox VMs, so it's possible that my results were artifacts caused by restricted choice in virtual graphics drivers. Testing that would be rather tedious, and I'd appreciate correction.
You can also visit their site to see it in action: http://uniquemachine.org/
> Your graphics card does not seem to support WebGL.
So NoScript is blocking WebGL, as promised.
> But there’s another pill that’s harder to swallow: the recent study was able to test users in the wild only because the researchers didn’t ask or notify the users.  With Internet experiments, there is a tension between traditional informed consent and validity of findings, and we need new ethical norms to resolve this.
So the result of their privacy-advocating study was itself only obtainable by breaching the privacy of their participants. (I.e. making them participants without them knowing or consenting to it)
But e.g. being able to read canvas pixels is absolutely insane that it’s allowed.
So if just these sources of huge entropy were default swithed off, as the article says, fingerprinting would be a lot harder.
Another option might be to define closely (pixel-by-pixel) how a canvas should look like after a specific action. That way vendors would have less room for 'their way' of drawing things but the result would look equal and would be useless for fingerprinting.
Similarly, one could define a list of fonts which every browser should bring and all other fonts should be loaded from a server. It would eliminate the 'you have special fonts installed' problem completely.
I suppose a better solution would be to mark the canvas as tainted if any text is drawn onto it, so that pixel reading capabilities are blocked. Another aggressive solution could be to redraw the entire canvas without gpu acceleration if pixel data is requested. Together these would severely limit canvas fingerprinting.
I realize there are edge use cases that need reading a pixel I just don’t agree with the idea that they would more important than limiting tracking. So I think the canvas limiting mode (used in ff safe mode) should be default.
This "all-or-nothing" perspective is rampant on www forums discussing computer topics and certainly HN is no exception. It is particularly acute in any discussions of "privacy" or "security".
There are countless examples.
Earlier this week the topic of SNI rose again to HN's front page.
A minor percentage1 of TLS-enabled websites require SNI. An unfortunate side effect of SNI is that it makes it easier for third parties to observe which websites users are accessing via TLS because it sends domainnames unencrypted in the first packet.
Forum commenters will thus argue because there are other, more difficult means for some third parties to observe these domainnames, e.g., through traffic analysis, that the unencrypted SNI is therefore not an issue worth addressing.
All-or-nothing. If the privacy achieved by some proactive measure is not "perfect" then to these commenters it is worthless.
But the HN front page reference suggested otherwise: It was an RFC describing how the IETF is taking a proactive measure, trying to "fix" SNI, encrypting it to prevent third parties from using it in ways detrimental to users.
There is an easier proactive measure. The popular browsers send SNI by default, even if the website does not require it. The default behaviour is to accomodate a minority of TLS-enabled websites at the expense of all users, including those who may not be using this minority of websites.
To make an analogy to fingerprinting, imagine sending 17 unique identifiers with every HTTP transaction when, say, only 5 are actually needed. The all-or-nothing perspective adopted by forum commenters would dictate that it makes no sense to reduce the number unless the number can be reduced to zero.
Amongst the security folks there is a concept sometimes called "defense in depth". Commenters in discussions about security often agree there is no such thing as "perfect" security and they cannot rely on a single, "silver bullet". They must use multiple tactics.
Is privacy somehow different? There are many tactics users can take that, cumulatively, can make things more difficult for the data collectors.
1 Survey of websites currently appearing on HN
Number of unique urls: 367
Number of http urls: 43
Number of https urls: 324
Number of https urls requiring SNI: 38
Number of https urls requiring correct SNI: 26
"Requiring correct SNI" means SNI must match Host header.
One can fetch 286 of the 324 https urls currently posted on HN with a HTTP client that does not send SNI.
An additional 12 can be retrieved by sending a decoy SNI name that does not match the Host header.
Where is per browser stats, correlations, data points and features? Canvas vs IP vs User-agents?
This is not a case of "defense in depth" or "something is better than nothing." This is the case of a surveillance capitalism asset performing to spec.
Privacy in the browser is/was f-ed, plain and simple. Patch one hole, make two more. That's how it's been for at least 20 years now. I see no reason for that to change until the browser is obsolesced by something even better at fleecing the peasants.