-
-
Notifications
You must be signed in to change notification settings - Fork 381
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
I don't think Privacy Badger considers tracking via TLS token ids. #1135
Comments
Indeed it is not, though I'm not sure that there is a way for us to track this in the chrome API. It is probably worth filing a bug in chrome and firefox to fix this so that we can detect and block this sort of tracking. |
you should be able to partly address this by cookie blocking the top domains that shouldn't be tracking at all - gstatic.com, googleapis.com, etc. I've not gotten anything back on my chrome bug report (focused on channel ID UI); I don't know enough about the API to file a bug on that aspect. |
@eshellman do you have a link to your chrome bug report? |
I reported it to Google fonts as a security issue and got a case number [9-3181000015161] but no link. I reported it to Chromium as a privacy issue but received no response at all. |
Since google uses this anti-feature I doubt we will get them to do
anything about it.
…On 01/25/2017 06:41 PM, eshellman wrote:
I reported it to Google fonts as a security issue and got a case number
[9-3181000015161] but no link. I reported it to Chromium as a privacy
issue but received no response at all.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1135 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAD91XeqVlvaHpTcoIXqJsCCRAjRvPy-ks5rWAfZgaJpZM4LjNKx>.
|
If Privacy Badger can address the issue, it would be appropriate for EFF to make some noise about it for the corresponding release. |
Agreed |
I poked the chromium devs, and got a response. I'm still decoding what it actually means. https://bugs.chromium.org/p/chromium/issues/detail?id=467312#c23 |
any update on this? |
not from my end. |
Disclaimer: this is all new to me, so I'm probably getting something wrong. I think there are a few things being confused here, so I'll try to straighten them out: token binding, channel id, token ids, origin bound certificates. A quick explanation of these:
Token Binding is yet another proposal to more strongly authenticate clients. The basic idea is that you generate a new key pair for every origin. You send the public key to the origin. And the server associates the identification token (like a cookie) it issues to you with you public key. You receive this token. And every time you send this token back to the server you include proof that you posses your private key. So! What is our concern here? Previously with Channel ID the authentication was happening at the TLS layer, where applications had no access. But now with token binding, the information exchanged at the TLS layer is just parameter negotiation. And it is my understanding that this is not de-anonymizing (info here). Your public key - which is the identifiable information - is sent at the application layer. So Privacy Badger should be able to intercept through the current webrequest api! So our plan should be to identify the http headers ( |
This aligns with my understanding. |
Token binding is being removed from Chromium. https://bugs.chromium.org/p/chromium/issues/detail?id=875046 https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/AjFQjBmaEQE |
See also: Apparently it's also been implemented in Edge. |
Token binding is no longer being supported in Chrome yet 'Channel ID's' are still being loaded on to Chrome. I'd settle for something that just removed them after they were loaded. They can be removed manually by the user by going into cookies and searching for them but no chrome extension does that as part of a process. |
With the implementation of TLS Token Binding in Chrome and in Google services, Privacy Badger should consider "channel ids" to be the equivalent of non-expiring ID cookies. See https://tools.ietf.org/html/draft-ietf-tokbind-https-07#page-17 Advertising companies already have started to use this to replace conventional tracking cookies. OS X Chrome saves the token ids in an SQLite file at "~/Library/Application Support/Google/Chrome/Default/Origin Bound Certs"
The text was updated successfully, but these errors were encountered: