Hacker News

sodality2 yesterday at 8:04 PM

Side channels that enable intended behavior, versus a flat-out bug like the above, though the line can often be muddied by perspective.

An example that comes to mind that I've seen is an anonymous app that allows for blocking users; you can programmatically block users, query all posts, and diff the sets to identify stable identities. However, the ability to block users is desired by the app developers; they just may not have intended this behavior, but there's no immediate solution to this. This is different than 'user_id' simply being returned in the API for no reason, which is a vulnerability. Then there's maybe a case of the user_id being returned in the API for some reason that MIGHT be important too, but that could be implemented another way more sensibly; this leans more towards vulnerability.

Ultimately most fingerprinting technologies use features that are intended behavior; Canvas/font rendering is useful for some web features (and the web target means you have to support a LOT of use cases), IP address/cookies/useragent obviously are useful, etc (though there's some case to be made about Google's pushing for these features as an advertising company!).


Replies

tomrittervg today at 3:05 AM

> Ultimately most fingerprinting technologies use features that are intended behavior

Strong disagree.

> IP address/cookies/useragent obviously are useful

Cookies are an intended tracking behavior. IP Address, as a routing address, is debatable.

> Canvas/font rendering is useful for some web features

These two are actually wonderful examples of taking web features and using them as a _side channel_ in an unintended way to derive information that can be used to track people. A better argument would be things like Language and Timezone which you could argue "The browser clearly makes these available and intends to provide this information without restriction." Using side channels to determine what fonts a user has installed... well there's an API for doing just that[0] and we (Firefox) haven't implemented it for a reason.

n.b. I am Firefox's tech lead on anti-fingerprinting so I'm kind of biased =)

[0] https://developer.mozilla.org/en-US/docs/Web/API/Local_Font_...