-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Option to block ETag tracking #104
Comments
That's a POC, post a use-case to demonstrate where it's being used currently. |
I don't have a list of use cases. According to wikipedia Hulu.com and KISSmetrics have been using ETags for tracking. Visiting Hulu.com still shows ETag in headers (and none of us could be sure how exactly that is used by the backend). Why isn't the PoC a valid reason to consider the seriousness of the problem? |
Because only code which is known to have tangible benefits for majority of users with no negative side effects will go into uBO. No actual cases means no way to assess anything. |
Well, I am not looking for an argument but if that was the right logic - Spectre and Meltdown mitigations would not be implemented at all because all that the researchers showed was a PoC. (and this just one of hundreds of examples) |
With that logic, every POC that appears, uBO must start adding functionality to counter that and that would turn uBO into Feature Creep extension. POC only shows possibility, not the actual proof of it getting ever used. This is why I asked you to post a use-case.
Those are exploits, exploits get patched. ETag tracking isn't an exploit, hence that comparison is invalid. POCs are not to be countered just because they exist. |
It is the right logic. uBO already blocks a whole lot of network requests from 3rd parties, which means I am just going to be straightforward here. I don't want the issue tracker to be a place to dump thinly researched feature requests. Meaningfully contributing means more than dumping a one-sentence idea in an issue tracker. Your other issue was pretty much nonsense. When I asked you to provide actual cases, you sidestepped the question and gave me a link to Google Analytics reference API. When I pointed out that When you focus solely on image size, you miss the point that image resources for tracking purpose can be of any size, just small enough to not be a burden, that small image sizes are not a sure sign of tracking, and there are other resource types which could be used for this, stylesheets for example. In the end, nothing that is out of reach of existing filtering capabilities. |
No, they are vulnerabilities with demonstrated PoC. Nobody has provided any actual use cases demonstrating that there is a particular software exploit taking advantage of the vulnerabilities.
Patches for Meltdown and Spectre were created asap and the PoCs were (and still are) considered seriously. They were not ignored just because no software was known to exploit them. A PoC is exactly that: a small (not always complete) practical example demonstrating that certain idea is feasible. And that usually serves very well to improve the security of a system before an actual exploit. Everyone who understands security would confirm that it is all about prevention. Otherwise we can say "Since we haven't seen the backend code of the website, let's assume there is no danger, let's be tracked, we don't even have a proof (POC) that it is bad for us". But for this one we do have a valid proof. Not sure why you are trying to diminish its significance.
What have 3rd parties to do with all this? The ETag can be delivered as first party header and the supplied link demonstrates exactly that. Consider also the additional info I found for you from Wikipedia.
I haven't seen a feature in uBO which allows to block ETag-related communication. If you can demonstrate there is such feature - then this issue is invalid. I don't need to argue since I have shown you the vulnerability. There are 2 things you can do:
You don't have any obligation to implement it. It is a polite request/suggestion, not an order.
To someone like you who surely knows how HTTP works I don't think a lot of words are necessary. You want to be straightforward - that's fine. The provided example is also straightforward. Tracking through ETags is possible and that's all that matters. The rest is up to you.
I explained exactly how it works from the very beginning. If you feel I have not clarified - please ask for specifics in the other issue and I will. |
I think this is your answer for this feature request
|
I'd like to cast my vote for this too. In researching some of the methods used by implementors of browser fingerprinting, I found that nearly all of them use the same or similar techniques. This extension, for example, has proven to be effective in every single fingerprint software I've come across. https://chrome.google.com/webstore/detail/fingerprint-spoofing/ljdekjlhpjggcjblfgpijbkmpihjfkni I checked all of the boxes to turn everything on. The only fingerprinting website I couldn't get around was Fingerprint.com (makers of Fingerprint.js). Their open source version, this extension was able to trick. But their paid version, on the demo on their site, it still produced the same visitor ID. They're an outlier though - they use some advanced techniques in addition to employing AI and determining a statistical probability of you being you. Anyway, I think if uBlock Origin could provide the option to either block, or preferably randomize, some of the same data that this extension handles, it would suffice for most users. :-) I tested 6 different fingerprint demos and only one was untrickable. 😊 Brave Browser blocks fingerprints, but that stupid WebGL, Canvas, and Font data seem to be the sneakiest methods, which Brave hasn't successfully stopped yet, probably because as you mentioned, if you simply block those settings then that still makes you unique. |
Cool, thanks!😊 I meant to also say, it might be somewhat easy block a lot of their stuff simply by blocking the URL where their JS file resizes...
// Initialize the agent at application startup.
const fpPromise = import('https://fpcdn.io/v3/user-random-id-string')
.then(FingerprintJS => FingerprintJS.load())
// Get the visitor identifier when you need it.
fpPromise
.then(fp => fp.get())
.then(result => {
// This is the visitor identifier:
const visitorId = result.visitorId
console.log(visitorId)
}) |
This is probably the best choice, since the URL where the JS is loading from could be locally hosted or ran through a different filename. |
@asheroto I don't know if you're interested in ETag but for your info, this is possible: *$script,strict1p,header=etag:"a7a61709860c0c57ec0c92584ae4f1bc214dfc71043ea43843572e55d14841f6"
*$script,strict1p,header=ETag:"a7a61709860c0c57ec0c92584ae4f1bc214dfc71043ea43843572e55d14841f6" Source: Yuki2718/adblock#45 (comment) |
I came here looking for such an ETag blocking solution, but gorhill commented above why uBO will not implement this. I now understand why uBO should not implement this, but I think it's worth re-stating the argument more succinctly for people who find their way here from Google.
So if you have concerns about first-party cookies and ETags, you will need a separate cookie blocker. |
@cbarrick It's not about implementing or not. It's about providing real-world cases where issue occurs and what is its characteristics in real websites. Because only that can we recognize and craft the pattern to find how to resolve most efficiently, and how much the resolution would affect in reality. For example, the thread @MasterKia referenced above describes the issue and proposes a solution (via
|
https://lucb1e.com/rp/cookielesscookies/ demonstrates a technique of tracking users without JS and cookies, through ETag header.
Please if possible provide an option to block this.
The text was updated successfully, but these errors were encountered: