Why are favicons cached separately? I assume it is just code from pre-commercial www days that no one has since bothered to examine or rewrite?
I feel like privacy within modern browsers is a Sisyphean struggle. Their vast and ever-expanding API surface can never be brought under sensible control without splitting the browser into several unrelated tasks that must cross strictly locked down interprocess communication channels. The existing multi-process architecture must be taken to the next level, but who will do the difficult work involved given that of the major players only Mozilla and Apple have a stated incentive for privacy and even there their stated incentive is on fairly weak grounds since one is a profitable corporation while the other is funded by profitable corporations?
There are real-world threats that you can't 100% defend against and yet we are mostly safe because the law is an effective deterrent.
Why not apply the same on the web? How come we have draconian anti-hacking laws (that are sometimes abused), but none of them are used against this tracking where it's essentially the same result as installing spyware?
Privacy is not a technology problem. It's a business problem. As long as the adtech industry is allowed to thrive, as long as people build companies with ad-based or data-resale-based business models, this will be an endless game of whac-a-mole, with the browsers only ever growing in complexity, and building anything on the web only becoming more difficult.
We have to address the root cause: advertising as a business model. My suggestion: let's apply regulatory measures to kill this business model entirely.
Isn't the root cause advertising that depends on data sharing, rather than advertising itself? I think it's fine if a site wants to display advertising that it serves from its own domain, without passing on any data to third parties.
I agree that in terms of privacy alone, an intervention point could be to get rid of third-party ad targeting. But advertising itself - not just the targeted kind - causes so many pathologies on the web that I'm in favor of focusing on the common cause.
That's what the current lions keep saying (Google, Facebook), but what few unbiased, unsponsored studies keep showing and what nearly a century of advertising "common sense" knew is that they are wrong on multiple levels. Targeted advertising is "preaching to the choir" at best and calculated harassment of your target (micro-)demographic at worst. Neither of those extremes, and largely nothing in between them, is actually good for growing a brand.
I have a slow burning boycott of companies that target me too directly, and if trends continue I wouldn't be surprised if that becomes a more general boycott/movement/backlash among the populace.
Advertising can be reformed if we regulate the business models without killing advertising as a whole. It should be as easy as a reboot to pre-DoubleClick/Google advertising best practices that served reasonably well for a century or more.
I don't think this is a solution. Not only is this hard to implement & enforce, but this still ends up legalizing the unwanted processing of consumers' data as long as the processors can pay the fee. Those users should be allowed to decline regardless of how much the processor is willing to pay.
You could force businesses to put a number on it. But in general websites don't just sit on the money they make from ads - they spend it on hosting costs and whatever other business expenses. Note that I'm not arguing whether some of them are still making a fortune with it - but requiring that users are paid for using a service that incurs costs for the other party is... backwards?
Regarding your specific example, the GDPR appears to deal with it easily: any data processing to comply with the law is allowed and does not require explicit consent. This seems to work well (of course, the GDPR is bad because it's not being enforced seriously, but if it was, the scenario you describe wouldn't be a problem).
Also, when I talk about regulation, I'm talking about regulating the intent and/or outcome rather than a particular implementation. If you track someone without their explicit consent for the purposes of targeted advertising or marketing you are in breach of the regulation, regardless of whether you obtained that data online, in the real-world (mobile phone tracking, facial recognition, loyalty cards, etc), by using Tarot cards or even a fortune-telling goldfish.
That's a great question. My guess is that it's because they are used for things like bookmarks and the chrome page that shows frequently visited websites. And that something about those uses made a separate cache logical. A bit of googling does show lots of confusion and bugs because of it though.
Likely because they are used for bookmarks and you don't want clearing the cache to remove all of the icons from your bookmarks.
Of course you could only do this for URLs which are bookmarked; however, it would be more work (probably why it wasn't done) and would remove icons from your browser history (probably a minor loss).
TL;DR Because they are used outside the context of browsing.
Principle of least surprises for the user is probably at play here. Bookmarks and tab icons seem like reasonably similar "chrome" to the user.
Separating the caches isn't necessarily easy either: it is just as likely to hand the trackers at that point a good signal for people who bookmarked a site based on whatever heuristic ends up being to refresh that cache if it is no longer "recently accessed tabs".
Gosh, I hope the favicon cache bug the authors filed isn't fixed until a broader mitigation against this is implemented.
I find it kinda weird that Solomos reported it as a normal defect and even prompted for a fix update months later without making it clear it would make FF vulnerable to the issue...
I doubt the "never" because it regularly shows me the wrong favicon. This has been true for so many years that I consider it a familiar quirk more than a bug...
> we have disclosed our research to all the browser vendors.
Please consider that the researchers apparently submitted TWO bug reports. One because functionally the cache is broken, one because there's a potential privacy issue.
I also think that it would have been appropriate to notify about the ulterior motive behind this defect report at the latest when the paper got published. This underhanded approach of reporting a defect just leaves a bad
The behavior may be an actual defect in the classical sense, but I'm just wondering what would have happened, had this been addressed "in time" by the developers. It would seem that the researchers would then have triumphantly proclaimed that all major browsers are prone to their newly found attack. Must be somewhat disappointing that it didn't get fixed "in time" to make it into the paper that way.
"Clear Browsing Data" must clear ALL browser data, as if I was doing a completely fresh install of my browser but maintaining my settings, extensions, bookmarks, and auto-fill.
That is IT. Yes, Google Chrome, you must also delete Google cookies (which they do not do).
A lot of pieces of software non-maliciously keep records of everything you do with them through logs or caches that aren't straightforward to delete and it's the only way I found to have control over it.
This is an interesting approach. Do you have any documentation on how it was set up? Also, how do you change a setting in your browser? Do you have to rebuild your base layer?
No docs I'm afraid and I set it up too long ago to remember the exact details. I used overlayroot, there are some really good resources on google to set it up like this. If I remember correctly it's just a matter of setting the overlayroot.conf file to:
linux /boot/vmlinuz-5.3.0-51-generic root=UUID=... ro $vt_handoff
I think this blog post describes it well: https://spin.atomicobject.com/2015/03/10/protecting-ubuntu-r...
For modifications to the base, installing or modifying software, etc I have a grub option to disable the overlay system and mount the base partition in read-write so it can be used normally. So I reboot into this option, do my changes, then reboot immediately in overlay mode.
linux /boot/vmlinuz-5.3.0-51-generic root=UUID=... rw overlayroot=disabled $vt_handoff
Unfortunately, nuking the whole of the container, while effective, is probably not desired, as it contains various browser settings and browser extensions.
The ability to clear browser data is not quite enough. Caching should be disabled by default in all browsers due to the potential for abuse. Oh no, now companies are getting less conversions and sales due to the loss in performance... Sucks to be them. Actually the more their abuse costs them the better.
Built-in clearing options in Firefox will also leave classes of cached data behind. The only reliable way to wipe everything has been to delete specific files from the Firefox profile folder before the browser launches.
1) this is insane! It even breaks the “sandbox” of incognito mode.
2) Based on how it works I would assume it absolutely decimates the back button functionality, which depending on what you’re trying to accomplish might be a good thing, and 2 seconds isn’t a short period of time. Ppl wouldn’t be that ok with waiting 2 secs even with today’s js heavy loads.
Some thoughts/doubts on it:
1. It's unbelievable that in a world where we promote privacy and freedom of individuals such cross-country trackers exist. It seems more an Orwellian story rather than reality.
2. I'm a bit ignorant on this theme on a technical level (I have a business background, even if working at a tech startup focused on security). There is a growing concern globally over an increasing sensitisation over privacy and over the importance of security. Even Google has promised to remove third party cookies within 2 years, and there is going to be a migration from Whatsapp to Signal (even if Whatsapp clarified a bit on that). Do you think that such fresh tools like these "favicons" or simple tracking will remain long term?
So the bulk of it is: caching favicons, timing requests, multiple redirects through controlled subdomains.
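A defender-side check for the pattern that comment summarises (a burst of redirects across sibling subdomains of one domain, with a favicon fetch per hop), added here as an example and not code from the thread or the paper. The log format, hostnames, timings and the `registrable` helper (a stand-in for a real Public Suffix List lookup) are all constructed assumptions.

```python
"""Defender-side heuristic for the favicon-cache tracker shape: the browser is
redirected through many sibling subdomains within ~2 s, and whether each hop's
favicon is fetched encodes one bit. Log format and sample entries are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    t: float       # seconds since the first request
    host: str
    path: str
    status: int


def registrable(host: str) -> str:
    # Last two labels only; a real tool should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def find_favicon_redirect_chains(reqs, window=2.0, min_hops=4):
    """Return {domain: (redirect_hops, favicon_fetches)} for each registrable
    domain that 30x-redirected the browser through >= min_hops distinct
    subdomains inside `window` seconds."""
    by_domain = defaultdict(list)
    for r in reqs:
        by_domain[registrable(r.host)].append(r)
    flagged = {}
    for dom, rs in by_domain.items():
        # A hop is a top-level navigation answered with a redirect.
        hops = [r for r in rs if r.path == "/" and 300 <= r.status < 400]
        hosts = {r.host for r in hops}
        if len(hosts) < min_hops:
            continue
        if max(r.t for r in hops) - min(r.t for r in hops) > window:
            continue
        favicons = sum(1 for r in rs if r.path == "/favicon.ico")
        flagged[dom] = (len(hosts), favicons)
    return flagged


def constructed_log():
    """One benign site plus a 6-hop tracker chain (constructed sample data)."""
    log = [Request(0.0, "news.example", "/", 200),
           Request(0.1, "news.example", "/favicon.ico", 200)]
    for i in range(6):  # hops 0.2 s apart; 404 = bit 0, 200 = bit 1
        t = 0.5 + 0.2 * i
        log.append(Request(t, f"b{i}.track.example", "/", 302))
        log.append(Request(t + 0.02, f"b{i}.track.example", "/favicon.ico",
                           404 if i % 2 else 200))
    return log
```

On a real capture the same shape shows up as a registrable domain with many distinct redirecting subdomains inside a short window; the favicon count is reported alongside so an analyst can see how many bits the chain could carry.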
They in turn reference my 2015 take on this: http://dnscookie.com/
With homage to Moxie's Cryptographic Doom Principle, I propose the Cache Doom Principle: If a system's behaviour can be influenced by a cache, eventually someone will figure out a way to use that cache to leak data.
Perhaps you could just rely on the user navigating across a number of pages on your attack site.