Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fingerprinting protection #44

Merged
merged 4 commits into from
Mar 16, 2018
Merged

fingerprinting protection #44

merged 4 commits into from
Mar 16, 2018

Conversation

yrliou
Copy link
Member

@yrliou yrliou commented Feb 22, 2018

This PR implements canvas, WebGL, WebRTC, AudioContext/AudioBuffer fingerprinting protection which is disabled by default.
Allowing and blocking all fingerprinting are implemented, allowing 3rd-party fingerprinting is not supported yet.

Tests:

  • Canvas & WebGL
    Use https://panopticlick.eff.org/ to test, the hash value of canvas & webgl fingerprinting should be the same as below when fingerprinting protection is enabled, and the shield panel should show 2 fingerprinting methods blocked.
    canvas: cf04c1dcb26ef79705764e5c22d0e711
    webgl: undetermined
  • WebRTC IP leakage: IP shouldn't be detected in https://browserleaks.com/webrtc
  • AudioContext/AudioBuffer: Fingerprint using DynamicsCompressor, OscillatorNode, and Fingerprint using hybrid of OscillatorNode/DynamicsCompressor method should be empty or 0 in https://audiofingerprint.openwpm.com/

fixes: brave/brave-browser-snap#11
requires: brave/brave-extension#11

@@ -342,6 +343,11 @@ bool HTMLCanvasElement::ShouldBeDirectComposited() const {
}

bool HTMLCanvasElement::IsPaintable() const {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does isPaintable correspond to whether the canvas element is writable? Currently we block reading from the canvas when fingerprintingProtection is enabled, but we still allow writing to the canvas. I think blocking write is going to cause more webcompatibility issues since I imagine there are legitimate apps that only write to the canvas and never read it (but not vice versa). not sure though

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bridiver wanted it this way but he's on vacation this week, so we might have to wait a bit for a response.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think what isPaintable mainly does for fingerprinting protection is blocking toDataURL and toBlob, but it seems some info could still be read from canvas&webgl without using toDataURL/toBlob.
And since this patch is no longer applicable because of C65 upgrade, I went ahead revising the implementation to blocking canvas/webgl read functions while rebasing.
I'll push the revised implementation for review in a sec.

@bbondy bbondy requested a review from bridiver February 28, 2018 07:23
@bbondy
Copy link
Member

bbondy commented Feb 28, 2018

cc @bridiver to give feedback when you're back.

@yrliou yrliou force-pushed the fingerprinting_protection branch from 4a4a0af to 73b9f45 Compare March 6, 2018 07:15
peer_handler_.reset();
}

+bool RTCPeerConnection::AllowFingerprinting() {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we make this a static method in a src/brave header file to minimize the patch size? Passin the LocalFrame maybe?

@yrliou yrliou changed the title Canvas & WebGL fingerprinting protection fingerprinting protection Mar 7, 2018
@yrliou
Copy link
Member Author

yrliou commented Mar 7, 2018

@diracdeltas @bridiver PR is updated, please review it again, thanks.
I'll squash and rebase commits after.

@pes10k
Copy link
Contributor

pes10k commented Mar 9, 2018

Two thoughts / comments

One, it might be worth slightly changing the structure, to pass some id for each feature, to a larger "should block" function, that could be used in the future to implement more complex "should this be blocked" policies.

Two, this doesn't use the current "return a self-trapping" proxy approach. From my pre-Brave measurements, using the proxy approach was useful for preventing some site breakage. Not so much for these specific methods, but for others that might be candidates for blocking / restricting going forward.

@yrliou
Copy link
Member Author

yrliou commented Mar 10, 2018

Thanks for the comments, @snyderp.

I think passing IDs is doable under current structure and would be useful when we need this info in the future such as reporting more details or providing more fine-grained controls. Though I would prefer to not include this in this PR and add it later when we develop those features in the future.

Not so sure about what you mean by the proxy approach, do you mean the one we have in browser-laptop repo which was written in JS?

@diracdeltas
Copy link
Member

@yrliou yup, there was a proxy approach to fingerprinting added in brave/browser-laptop#10287 to reduce breakage

i don't think it's necessary for this PR though

@diracdeltas
Copy link
Member

does this also block SVG tracking (brave/browser-laptop#10288) and webrtc IP leaks (test page: https://diafygi.github.io/webrtc-ips/)?

diff --git a/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp b/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp
index 94de909f954d2f4638a89aa37575e39626989ae8..af75c5cab46c04cef8ccb39fcc88f7b8b6631ee5 100644
--- a/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp
+++ b/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this also need to block getImageData and getLineDash?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, I missed these two methods in the first place, thanks for pointing it out!

@yrliou
Copy link
Member Author

yrliou commented Mar 14, 2018

@diracdeltas SVG is not added yet, but webrtc IP is already covered.
I'll take a look of SVG classes and add them into this PR if it is a trivial change.

@yrliou
Copy link
Member Author

yrliou commented Mar 14, 2018

I'll add SVGTextContentElement::getComputedTextLength and SVGPathElement::getTotalLength tonight along with rebase & squash commits.

@yrliou yrliou force-pushed the fingerprinting_protection branch from babae6b to d23bfc6 Compare March 15, 2018 06:51
@yrliou
Copy link
Member Author

yrliou commented Mar 15, 2018

canvas2D's getImageData, getLineDash and above two SVG methods are added.

}

-const Vector<double>& BaseRenderingContext2D::getLineDash() const {
+const Vector<double>& BaseRenderingContext2D::getLineDash(ScriptState* script_state) const {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per slack discussion with @bridiver, move canvas blocking into BaseRenderingContext2D to cover OffscreenCanvasRenderingContext2D & PaintRenderingContext2D.

data.ReadAutoplayRules(&out->autoplay_rules) &&
- data.ReadClientHintsRules(&out->client_hints_rules);
+ data.ReadClientHintsRules(&out->client_hints_rules) &&
+ data.ReadFingerprintingRules(&out->fingerprinting_rules);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can make this patch a little smaller by adding it before the last item

void BraveSpecificDidBlockJavaScript(
const base::string16& details);

void BraveSpecificDidBlockFingerprinting(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we don't need BraveSpecific here. I think that was just added to the JavaScript one to differentiate it from the standard DidBlockJavaScript method

Copy link
Collaborator

@bridiver bridiver left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

++

@bridiver bridiver merged commit 27aa17b into master Mar 16, 2018
@bbondy
Copy link
Member

bbondy commented Mar 16, 2018

Congratulations on the merge, amazing work! 💯

@yrliou yrliou deleted the fingerprinting_protection branch March 16, 2018 22:04
NejcZdovc pushed a commit that referenced this pull request Dec 10, 2018
initialize independently of wallet creation
bbondy pushed a commit that referenced this pull request Feb 18, 2019
do not show badge text if there are no resources blocked
tmancey pushed a commit that referenced this pull request Feb 27, 2019
* Initial commit

* Added SetTimer and OnTimer

* Added missing #include for wallet_info data structure

* Added catalog issuers data structure

* Added OnCatalogIssuersChanged

* Added OnTimer

* Changed LOG to BLOG due to conflicts with base::

* wip, builds

* build w/ all class code

* port steps 1-5

* match server regex update

* Integration for brave-core

* Temporarily use std::cout instead of BLOG due to build issues

* Resolve linking issue with IsReadyToShowAds

* Only start filling confirmations, retrieving payments and cashing in payments once initialized

* Revert "Temporarily use std::cout instead of BLOG due to build issues"

This reverts commit 7baad78.

* Refactor to use callbacks

* Improve logging to help diagnose issues

* Confirmations fails to initialize when creating a new wallet (#42)

* Improve logging to help diagnose issues (#43)

* Confirmations fails to initialize when creating a new wallet (#44)

* Ads Serve failures should retry (#45)

* Resolves initiating profile DCHECK failure (#47)

* Improve logging to help diagnose issues (#48)

* Fix unit test build errors #53 (#54)

* Changes to how unblind and BatchDLEQProof::verify are being called in challenge-bypass-ristretto-ffi

* Decouple refill tokens

* Decouple redeem token

* Decouple payout tokens

* Added Ads Serve helper

* Decouple security into security helper

* Updated static values

* Updated BUILD.gn

* Refactor ConfirmationsImpl to use decoupled logic

* Added string helper

* Remove unused HappyHTTP dependency

* Add support for _is_production flag to choose between production and staging environments

* refactor dependencies

* Decoupled unblinded tokens and url request builder for unit tests

* Resolve compiler errors and decouple logic in preparation for unit testing

* Added unit tests

* Fix build for Windows/Linux

* Fix linter errors

* Confirmations should not be initialized if the wallet is invalid

* Removed unecessary boolean logic

* Return if wallet info is not ready

* Fix build error

* Fix header files

* Fix unit tests

* Remove redundant #include for unblinded_tokens.h

* Fixed unit test #include paths

* Revert "Remove redundant #include for unblinded_tokens.h"

This reverts commit 35f055e82f0a22428c600360a75336351f34458d.

* Remove redundant #include for unblinded_tokens.h

* Fixed unit test #include paths

* Refactor new to unique_ptr for unit tests

* Remove logging for unit tests

* Resolved lint error

* Added README.md

* Fixed linter errors

* Fix Linux and Windows build errors

* Resolve logging issue with wallet info

* Add support for VLOG to help reduce noise in logs for INFO

* Added ability to retrieve transaction history

* Fixed build error and refactored ctime to use base::Time

* Redeem tokens when notifications are viewed

* Update client when transaction history changes

* Reduced maximum persisted unblinded tokens from 100 to 50

Reduced maximum persisted unblinded tokens from 100 to 50 to reduce the chance that the server fails to generate the tokens before the next request. If the server still does not generate the tokens in time we retry after 15 seconds.

* Updated Copyright in BUILD.gn

* Updated README.md

* Revert "Merge pull request #75 from brave-intl/issues/52"

This reverts commit fc7de34, reversing
changes made to 211e767.

* Fixed unit tests
fmarier pushed a commit that referenced this pull request Oct 29, 2019
split patches w/ no "deleted" patch
petemill pushed a commit that referenced this pull request Jul 27, 2020
split patches w/ no "deleted" patch
petemill pushed a commit that referenced this pull request Jul 28, 2020
split patches w/ no "deleted" patch
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants