Add references for Ephemeral Fingerprinting #74
base: gh-pages
LGTM with some nits inline:
index.html
Outdated
<section> | ||
<h3 id="ephemeral">Ephemeral</h3> | ||
<p><dfn>Ephemeral fingerprinting</dfn> is a technique to associate separate simultaneous sessions on a device with one another using observations of events that occurr near simultaneously on multiple origins [[?EPHEMERAL-FINGERPRINTING]]. These events are typically fired as a result of a change in hardware or environment, such as MediaDevices.devicechange [[?mediacapture-streams]].</p> | ||
<p>Ephemeral fingerprinting is not typically a concern except in certain threat models - it is only useful when an attacker is unable to link two sessions via an active fingerprint, which would typically include the user's IP address. In certain scenarios this may not be possible - ephemeral fingerprinting can be used to link sessions between two entirely different browser applications, or between two tabs that are sent over different network connections.</p> |
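Review bot: "occurr" in the definition paragraph should be "occur". In the second paragraph, "In certain scenarios this may not be possible" leaves "this" ambiguous; it reads more clearly if it names what is not possible, for example "linking the sessions that way may not be possible", before the two scenarios are listed.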
Nit: It's a little strange to talk about IP address as "active" here given the active/passive distinction defined above. Perhaps framing this as an ephemeral vs long-lived fingerprint? Device-based? Some other word that makes more sense? "Active" just seems overloaded.
Agreed. I changed the sentence around a bit, do you think this is better?
index.html
Outdated
<h3 id="ephemeral">Ephemeral</h3> | ||
<p><dfn>Ephemeral fingerprinting</dfn> is a technique to associate separate simultaneous sessions on a device with one another using observations of events that occurr near simultaneously on multiple origins [[?EPHEMERAL-FINGERPRINTING]]. These events are typically fired as a result of a change in hardware or environment, such as MediaDevices.devicechange [[?mediacapture-streams]].</p> | ||
<p>Ephemeral fingerprinting is not typically a concern except in certain threat models - it is only useful when an attacker is unable to link two sessions via an active fingerprint, which would typically include the user's IP address. In certain scenarios this may not be possible - ephemeral fingerprinting can be used to link sessions between two entirely different browser applications, or between two tabs that are sent over different network connections.</p> | ||
<p>Ephemeral fingerprinting may be possible with complex CSS, but typically requires JavaScript and it can be done in a passive manner where JavaScript merely observes events, or it can be done in an active manner by heavily utilizing resources such as the CPU or GPU that another origin can observe. This type of attack between cooperating origins is typically referred to as a "covert channel" and there have been many papers about them using different techniques, for example [[?RENDERING-CONTENTION]]. |
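Review bot: The third added paragraph opens with <p> but the line ends at "[[?RENDERING-CONTENTION]]." with no closing </p>, unlike the two paragraphs before it. Its first sentence also chains three claims with "and" and "or"; splitting it after "typically requires JavaScript" would separate the requirement from the two ways of carrying out the technique. "There have been many papers" is supported by a single citation, so either add references or soften the wording.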
Nit: Likewise, "passive" here is strange given that it requires JavaScript execution. I get the distinction between directly reading data, and indirectly receiving information via handlers, but I feel like different words would be helpful. "Intentional"/"Unintentional"?
Nit: You closed </p> above, but not here.
Agreed. Looking back at it, I think reactive/proactive works well. Thoughts?
That's a good distinction, SGTM.
8d4c1b4 to d4248a3
LGTM, thanks for taking another pass!
index.html
Outdated
@@ -260,6 +272,12 @@ <h3 id="active">Active</h3> | |||
<p>For <dfn>active fingerprinting</dfn>, we also consider techniques where a site runs JavaScript or other code on the local client to observe additional characteristics about the browser, user, device or other context.</p> | |||
<p>Techniques for active fingerprinting might include accessing the window size, enumerating fonts or plug-ins, evaluating performance characteristics, reading from device sensors, and rendering graphical patterns. Key to this distinction is that <a>active fingerprinting</a> takes place in a way that is potentially detectable on the client.</p> | |||
</section> | |||
<section> | |||
<h3 id="ephemeral">Ephemeral</h3> | |||
<p><dfn>Ephemeral fingerprinting</dfn> is a technique to associate separate simultaneous sessions on a device with one another using observations of events that occurr near simultaneously on multiple origins [[?EPHEMERAL-FINGERPRINTING]]. These events are typically fired as a result of a change in hardware or environment, such as MediaDevices.devicechange [[?mediacapture-streams]].</p> |
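Review bot: "MediaDevices.devicechange" in the added definition is plain text, so readers get no link to the event being named and the adjacent [[?mediacapture-streams]] citation only points at the specification as a whole. Mark the event up as code or as a cross-reference to its definition. The same line also carries the "occurr" typo.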
(I suggest wrapping lines so that proposed edits like this can be clearer.)
<p><dfn>Ephemeral fingerprinting</dfn> is a technique to associate separate simultaneous sessions on a device with one another using observations of events that occurr near simultaneously on multiple origins [[?EPHEMERAL-FINGERPRINTING]]. These events are typically fired as a result of a change in hardware or environment, such as MediaDevices.devicechange [[?mediacapture-streams]].</p> | |
<p><dfn>Ephemeral fingerprinting</dfn> is a technique to associate separate simultaneous sessions on a device with one another using observations of events that occur near simultaneously on multiple origins [[?EPHEMERAL-FINGERPRINTING]]. These events are typically fired as a result of a change in hardware or environment, such as when a <a data-cite="device-posture#device-posture-change">device's posture changes</a> or when the [=device change notification steps|set of available media devices changes=].</p> |
(See https://respec.org/xref/ to look up linking syntax.) Respec might need you to add mediacapture-streams to adjust the xref or data-cite configuration to find this. See https://github.com/speced/respec/wiki/Auto-linking-external-references.
Thanks for these links!
I'm a little confused on some of the referencing (e.g. in the below change I don't understand why I needed to do <a data-cite="html#Worker">Worker</a> instead of just {{Worker}} when the enclosing tag has the data-cite <p class="practicedesc" data-cite="html">) but I got the desired output even if the redundancy doesn't make sense to me.
I've been force-pushing as I've been updating, but would it be better to just stack 3 or 4 fix commits on top of each other and then whoever merges it does a squash?
It looks like this document is using a pretty old version of the Respec template, and it's missing xref: "web-platform" as recommended by https://respec.org/docs/#getting-started. Adding that lets you use {{Worker}} and {{Window}}.
You'll also see a warning in the top right that the '"respec-w3c-common" profile has been deprecated in favor of the "respec-w3c" profile'. https://respec.org/docs/#getting-started also has the new script tag, but you'll probably want to do that in a separate PR because it'll make you set the group for the document, and there may be other bits of the config that you can then delete. Feel free to ask me or mail the https://www.w3.org/community/speced-cg/ list for help.
When iterating on PRs, I generally stack several commits and expect people to squash-merge, so that people can see how I reacted to their comments. I'll rebase and force-push if upstream changes.
index.html
Outdated
@@ -357,6 +375,9 @@ <h3>Weighing increased fingerprinting surface</h3> | |||
<p class="practicedesc"> | |||
What browsing contexts, resources and requests need access to a particular feature? Identifiers can often be scoped to have a different value in different origins. Some configuration may only be necessary in top-level browsing contexts. | |||
</p> | |||
<p class="practicedesc"> | |||
If an event is to be fired in response to an environmental or hardware change, can that event be fired only on visible documents, and queued for firing in non-visible documents? Should it be restricted by an iframe sandbox? |
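Review bot: "queued for firing in non-visible documents" in the added practicedesc paragraph does not say when a queued event is finally delivered, which is the detail a spec author needs in order to act on it. State the delivery point, for example when the document next becomes visible. "Should it be restricted by an iframe sandbox?" likewise names no specific restriction; say what a sandboxed frame should or should not receive.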
Spec authors do this more reliably if we give them specific terms to hook into:
If an event is to be fired in response to an environmental or hardware change, can that event be fired only on visible documents, and queued for firing in non-visible documents? Should it be restricted by an iframe sandbox? | |
If an event is to be fired in response to an environmental or hardware change, | |
only fire that event when the {{Window}}'s [=associated document=]'s [=Document/visibility state=] is "`visible`", | |
or in {{Worker}}s whose [=WorkerGlobalScope/owner set=] includes such a {{Document}}. | |
If background pages need to learn of the event when they're focused, | |
also fire the event while <a data-cite="HTML#update-the-visibility-state">updating the visibility state</a>. | |
Consider whether it should be restricted by an iframe sandbox. |
In theory, fuzzing the timing of the event can also help, but I think the WG has settled on just visible-only being enough.
Thanks, updated!
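The visible-only delivery suggested in the review comment above, modelled as an added JavaScript example (not code from this PR, ReSpec, or any browser; `SimDocument`, `EnvEventDispatcher`, `correlatedPairs` and `runScenario` are hypothetical names and the timestamps are constructed). It shows that deferring the event for a hidden document until it becomes visible removes the near-simultaneous delivery that would link two origins.

```javascript
// Added toy model with hypothetical names; not browser or spec code.
class SimDocument {
  constructor(origin, visibilityState) {
    this.origin = origin;
    this.visibilityState = visibilityState; // "visible" or "hidden"
    this.received = [];                     // [{ type, deliveredAt }]
    this.pending = new Set();               // event types deferred while hidden
  }
}
class EnvEventDispatcher {
  constructor(docs, visibleOnly) { this.docs = docs; this.visibleOnly = visibleOnly; }
  // An environmental or hardware change happens at time `now` (ms).
  fire(type, now) {
    for (const doc of this.docs) {
      const live = !this.visibleOnly || doc.visibilityState === "visible";
      if (live) doc.received.push({ type, deliveredAt: now });
      else doc.pending.add(type); // coalesced: one deferred event per type
    }
  }
  // Models firing the deferred event while updating the visibility state.
  setVisibility(doc, state, now) {
    doc.visibilityState = state;
    if (state !== "visible") return;
    for (const type of doc.pending) doc.received.push({ type, deliveredAt: now });
    doc.pending.clear();
  }
}
// Cross-origin document pairs that saw the same event type within windowMs.
function correlatedPairs(docs, windowMs) {
  const pairs = [];
  for (let i = 0; i < docs.length; i++) {
    for (let j = i + 1; j < docs.length; j++) {
      if (docs[i].origin === docs[j].origin) continue;
      const hit = docs[i].received.some((a) => docs[j].received.some(
        (b) => a.type === b.type && Math.abs(a.deliveredAt - b.deliveredAt) <= windowMs));
      if (hit) pairs.push([docs[i].origin, docs[j].origin]);
    }
  }
  return pairs;
}
// Constructed scenario: one visible tab, one background tab, one devicechange.
function runScenario(visibleOnly) {
  const a = new SimDocument("https://a.example", "visible");
  const b = new SimDocument("https://b.example", "hidden");
  const d = new EnvEventDispatcher([a, b], visibleOnly);
  d.fire("devicechange", 1000);
  d.setVisibility(b, "visible", 60000); // background tab is focused a minute later
  return { pairs: correlatedPairs([a, b], 50), bReceived: b.received };
}
```

With `visibleOnly` off, both origins record the event at the same instant and the pair is reported; with it on, the background document only learns of the change when it is focused, so the 50 ms window no longer matches.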
d4248a3 to c75384b
Here is a first pass at addressing #44