Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

When farbling canvas, farble across all channels #12069

Closed
Thorin-Oakenpants opened this issue Oct 9, 2020 · 14 comments · Fixed by brave/brave-core#7812
Closed

When farbling canvas, farble across all channels #12069

Thorin-Oakenpants opened this issue Oct 9, 2020 · 14 comments · Fixed by brave/brave-core#7812
Assignees
Labels
feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields OS/Android Fixes related to Android browser functionality OS/Desktop priority/P5 Not scheduled. Don't anticipate work on this any time soon. privacy privacy-pod Feature work for the Privacy & Web Compatibility pod QA Pass - Android ARM QA Pass - Android Tab QA Pass-macOS QA/Yes release-notes/include

Comments

@Thorin-Oakenpants
Copy link

Thorin-Oakenpants commented Oct 9, 2020

Updated Issue (@pes10k edit)
Currently the canvas farbling only effects one channel. That channel is determined by the per-eTLD+1, per-session farbling seed, so the channel isn't guessable, but it is probably detectable given a determined attacker.

It might make reversing the canvas farbling slightly more difficult if the farbling was done across all channels, which would make it a bit more difficult for an attacker.

Original Issue
There is a flaw in canvas randomizing. It's not a security issue. Do you want to discuss it here, or via email, or in a private repo. I'm not talking about the per-origin, per-execution to protect the random seed. It should be a simple fix

@Thorin-Oakenpants Thorin-Oakenpants added OS/Android Fixes related to Android browser functionality OS/Desktop labels Oct 9, 2020
@srirambv
Copy link
Contributor

cc: @pes10k

@srirambv srirambv added the needs-discussion Although the issue is clear, we haven't yet reached a decision about the right solution. label Oct 12, 2020
@pes10k pes10k self-assigned this Oct 12, 2020
@pes10k pes10k added feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields privacy privacy-pod Feature work for the Privacy & Web Compatibility pod labels Oct 12, 2020
@pes10k
Copy link
Contributor

pes10k commented Oct 12, 2020

Howdy @Thorin-Oakenpants , nice to run into you again :)

If you're in anyway not 100% sure that its not a security issue, feel free to email me at pes@brave.com and we can discuss more there. Otherwise, feel free to add your findings / concerns here and we can sort things out here.

Thanks!

@Thorin-Oakenpants
Copy link
Author

@pes10k email sent: feel free to close this (or not)

@pes10k
Copy link
Contributor

pes10k commented Oct 14, 2020

Just to keep things transparent, the concern is about how reversable canvas fingerprinting protections are (answer, not very hard to reverse!). Specifically, whether

  1. it'd be better to not just farble a single channel (determined by the seed), and instead to farble all channels
  2. whether it'd be better to not use the current per-session, per-etld approach, but instead do something shorter, like frame length seeds, to prevent tracking 1p tracking w/in the same-session

I'm going to update this issue accordingly:

  1. This would be nice to do one, but its pretty low priority
  2. I dont think we'll change this for reasons discussed over email (mainly, it makes it easier for the site to get the seed, and undo all farbling protections, not just for canvas)

Thanks again to @Thorin-Oakenpants for reporting!

@pes10k pes10k added the priority/P5 Not scheduled. Don't anticipate work on this any time soon. label Oct 14, 2020
@pes10k pes10k removed the needs-discussion Although the issue is clear, we haven't yet reached a decision about the right solution. label Oct 14, 2020
@pes10k pes10k changed the title canvas randomizing When farbling canvas, farble across all channels Oct 14, 2020
@Thorin-Oakenpants
Copy link
Author

Just to be clear: item 2 is out of scope, and was asked as an off-topic generic overall design question: @pes10k 's information in the email helps explain some of those decisions - thanks! I still think there can be changes there, but not in this ticket

@pes10k
Copy link
Contributor

pes10k commented Oct 14, 2020

Sorry, apologies @Thorin-Oakenpants , didn't mean to put words in your mouth or misstate your comments. Thank you for clarifying!

@Thorin-Oakenpants
Copy link
Author

^^ no worries: I see OP has been edited: "but it is probably detectable given a determined attacker" <- just to make that crystal clear - it is 100% detectable (with the right script), not probably

@Thorin-Oakenpants
Copy link
Author

Thorin-Oakenpants commented Oct 21, 2020

randomizing can also be completely bypassed (completely meaning zero channels are randomized) in iframes and currently offscreen worker doesn't seem to be covered: @pes10k email me if you want details, or you may already be aware of these

@pes10k
Copy link
Contributor

pes10k commented Oct 21, 2020

@Thorin-Oakenpants hmm, the iframes example is very surprising, we have tests, but we may have missed something! Same with workers! So, if there are further edge cases we need to cover, that would be very welcome!

You can see our manual test cases here too, fwiw (there are of course automated tests we have in CI too), though you'll need to be in nightly to see everything we expect to be covered. There are somethings tested in these tests that are not yet implemented, but most of it is.

https://dev-pages.brave.software/farbling.html

TL;DR; Yes, more details / sunlight you can offer, the more thats appreciated!

@pes10k
Copy link
Contributor

pes10k commented Feb 2, 2021

Closing this out because we now also determine which channel to farble depending on on the seed, which will prevent the attacker from knowing which channels are unmodified and which are farbled. Thanks for the issue @Thorin-Oakenpants !

@pes10k
Copy link
Contributor

pes10k commented Feb 2, 2021

@Thorin-Oakenpants pointed out some techniques sites could use to determine which channel is being farbled in the current implementation (thanks!). After discussing, I'm convinced we should do as the issue suggested, and farble across all channels. I'll follow up with a possible PR. Thanks!

@pes10k
Copy link
Contributor

pes10k commented Feb 4, 2021

for QA, there are new, per channel tests on https://dev-pages.brave.software/farbling.html

@pes10k pes10k added this to the 1.22.x - Nightly milestone Feb 6, 2021
@stephendonner
Copy link

Verified FIXED on the beta channel using

Brave 1.22.51 Chromium: 89.0.4389.72 (Official Build) beta (x86_64)
Revision 3f345f156bfd157bd1bea06310e55f3fb2490359-refs/branch-heads/4389@{#1393}
OS macOS Version 11.2.2 (Build 20D80)

Verified that the values per channel (∟ red channel, etc.) do all of the following:

  1. differ per origin, so https://dev-pages.brave.software/farbling.html and https://dev-pages.bravesoftware.com/farbling.html have different values when shields are up (this is the “there site” link at the top of the page, for reference)

Shields up, dev-pages.brave.software/farbling.html vs. dev-pages.bravesoftware.com/farbling.html:

Screen Shot 2021-03-03 at 11 30 31 AM

Shields down, dev-pages.brave.software/farbling.html vs. dev-pages.bravesoftware.com/farbling.html:

Screen Shot 2021-03-03 at 11 33 21 AM

  1. differ per browser session (so if you quit the browser and come back, you should get different values, on both origins)

Shields up, restart, dev-pages.brave.software/farbling.html vs. dev-pages.bravesoftware.com/farbling.html:

Screen Shot 2021-03-03 at 11 45 48 AM

  1. differ from the shields down version (which should be the same cross origin, cross session)

Shields down, restart, dev-pages.brave.software/farbling.html vs. dev-pages.bravesoftware.com/farbling.html:

Screen Shot 2021-03-03 at 11 48 35 AM

In addition to the screenshots, I've captured the values, below; SU = Shields up, SD = Shields down

Shields up - brave.software Shields up - bravesoftware.com Shields down - brave.software Shields down - bravesoftware.com SU, restart, brave.software SU, restart, bravesoftware.com SD, restart, brave.software SD, restart, bravesoftware.com
red 72009bc3 d971e672 68ede59d 68ed59d 5e30861d 4daf9c46 68ed59d 68ed59d
green 44a7bda2 e633f8ab f8d9ea89 f8d7ea89 bbc842c7 fb0f2ad7 f8d7ea89 f8d7ea89
blue 391c891f 691556c2 a68c1dac a68c1dac 9735d809 4b8da15b a68c1dac a68c1dac

@srirambv
Copy link
Contributor

srirambv commented Mar 4, 2021

Verification passed on OnePlus 6T with Android 10 running 1.22.51 x64 build

Case 1: Shields Up, same value
image image
Case 2: Shields Up, different value on restart
image image
Case 3: Shields Down, same value
image image
Case 4: Shields Down, same value on restart
image image

Verification passed on Samsung Tab A with Android 10 running 1.22.51 x64 build

Case 1: Shields Up, same value
image image
Case 2: Shields Up, different value on restart
image image
Case 3: Shields Down, same value
image image
Case 4: Shields Down, same value on restart
image image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields OS/Android Fixes related to Android browser functionality OS/Desktop priority/P5 Not scheduled. Don't anticipate work on this any time soon. privacy privacy-pod Feature work for the Privacy & Web Compatibility pod QA Pass - Android ARM QA Pass - Android Tab QA Pass-macOS QA/Yes release-notes/include
Projects
None yet
5 participants