Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

I don't think Privacy Badger considers tracking via TLS token ids. #1135

Open
eshellman opened this issue Jan 13, 2017 · 17 comments
Open

I don't think Privacy Badger considers tracking via TLS token ids. #1135

eshellman opened this issue Jan 13, 2017 · 17 comments
Labels
enhancement heuristic Badger's core learning-what-to-block functionality low priority

Comments

@eshellman
Copy link

With the implementation of TLS Token Binding in Chrome and in Google services, Privacy Badger should consider "channel ids" to be the equivalent of non-expiring ID cookies. See https://tools.ietf.org/html/draft-ietf-tokbind-https-07#page-17 Advertising companies already have started to use this to replace conventional tracking cookies. OS X Chrome saves the token ids in an SQLite file at "~/Library/Application Support/Google/Chrome/Default/Origin Bound Certs"
@eshellman
Copy link
Author

https://go-to-hellman.blogspot.com/2017/01/googles-crypto-cookies-are-tracking.html
@cooperq
Copy link
Contributor

cooperq commented Jan 18, 2017

Indeed it is not, though I'm not sure that there is a way for us to track this in the chrome API. It is probably worth filing a bug in chrome and firefox to fix this so that we can detect and block this sort of tracking.
@cooperq cooperq added this to the Privacy Badger 2.1 milestone Jan 18, 2017
@eshellman
Copy link
Author

you should be able to partly address this by cookie blocking the top domains that shouldn't be tracking at all - gstatic.com, googleapis.com, etc.

I've not gotten anything back on my chrome bug report (focused on channel ID UI); I don't know enough about the API to file a bug on that aspect.
@dhowe dhowe mentioned this issue Jan 19, 2017
Open
@cowlicks
Copy link
Contributor

@eshellman do you have a link to your chrome bug report?
@eshellman
Copy link
Author

I reported it to Google fonts as a security issue and got a case number [9-3181000015161] but no link. I reported it to Chromium as a privacy issue but received no response at all.
@cooperq
Copy link
Contributor

cooperq commented Jan 26, 2017 via email

@eshellman
Copy link
Author

If Privacy Badger can address the issue, it would be appropriate for EFF to make some noise about it for the corresponding release.
@cooperq
Copy link
Contributor

cooperq commented Jan 26, 2017

Agreed
@cowlicks
Copy link
Contributor

I poked the chromium devs, and got a response. I'm still decoding what it actually means.

https://bugs.chromium.org/p/chromium/issues/detail?id=467312#c23
@cooperq cooperq closed this as completed Feb 27, 2017
@cooperq cooperq reopened this Feb 27, 2017
@dhowe
Copy link

dhowe commented Feb 28, 2017

any update on this?
@cooperq
Copy link
Contributor

cooperq commented Feb 28, 2017

not from my end.
@cowlicks
Copy link
Contributor

cowlicks commented Mar 3, 2017
edited
Loading

Disclaimer: this is all new to me, so I'm probably getting something wrong.

I think there are a few things being confused here, so I'll try to straighten them out: token binding, channel id, token ids, origin bound certificates. A quick explanation of these:

  • origin bound certificates - an abandoned proposal for stronger client authentication.
  • token id - I think this is a understandable conflation of "token binding" and "channel id". It is in the title of this issue, but I don't think it is actually a "thing".
  • channel id - This unfortunately seems to actually be TWO things with the same name. Channel ID was at first another proposal for strongly authenticating clients at the TLS level. This seems to be abandoned now (link). The other use of "channel id" is that chrome labels origins in chrome://settings/cookie with "ChannelID" but they are using token binding (not ChannelID). I'd like someone to double check this, but I think it is correct.
  • Token Binding - this is what we care about. And I'll explain my understanding of it, and what we can do about it below.

Token Binding is yet another proposal to more strongly authenticate clients. The basic idea is that you generate a new key pair for every origin. You send the public key to the origin. And the server associates the identification token (like a cookie) it issues to you with you public key. You receive this token. And every time you send this token back to the server you include proof that you posses your private key.

So! What is our concern here? Previously with Channel ID the authentication was happening at the TLS layer, where applications had no access. But now with token binding, the information exchanged at the TLS layer is just parameter negotiation. And it is my understanding that this is not de-anonymizing (info here). Your public key - which is the identifiable information - is sent at the application layer. So Privacy Badger should be able to intercept through the current webrequest api!

So our plan should be to identify the http headers (Sec-Token-Binding) that public keys are exchanged with. Then figure out our policy for intercepting this stuff.

@cooperq @dhowe @eshellman
@eshellman
Copy link
Author

This aligns with my understanding.
@ghostwords ghostwords added the heuristic Badger's core learning-what-to-block functionality label Mar 15, 2017
@ghostwords ghostwords mentioned this issue Apr 26, 2017
Merged
8 tasks
@ghostwords
Copy link
Member

Also see Token Binding in the Google Chrome Privacy Whitepaper doc.
@wiredrunner
Copy link

Token binding is being removed from Chromium.

https://bugs.chromium.org/p/chromium/issues/detail?id=875046

https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/AjFQjBmaEQE
@ghostwords
Copy link
Member

See also:

Apparently it's also been implemented in Edge.
@ghostwords ghostwords removed this from the Privacy Badger 2.1 milestone Nov 8, 2018
@wiredrunner
Copy link

Token binding is no longer being supported in Chrome yet 'Channel ID's' are still being loaded on to Chrome.

I'd settle for something that just removed them after they were loaded. They can be removed manually by the user by going into cookies and searching for them but no chrome extension does that as part of a process.
@wiredrunner wiredrunner mentioned this issue Dec 6, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement heuristic Badger's core learning-what-to-block functionality low priority
6 participants
@cooperq @cowlicks @dhowe @ghostwords @eshellman @wiredrunner