Closed ghost closed 1 year ago
cc @ShivanKaul
This is an update for flaw 3, which is about OTR sites and how I noticed it "can store and leave data behind".
First, I want to say I was mistaken, now I understand the problem. I claimed that Brave should use Ephemeral Storage to isolate it, well, Brave is using Ephemeral Storage to isolate the storage!
Now... the problem is that it is flawed how it works, and that's why I thought it wasn't and was doing some other 'magic' like what Forgetful Browsing does things.
Sites that clear cookies when you close them
, the problem about that is that it only works in the site where you are clicking Proceed Off-The-Record
, any subsequent websites a person visits, will not be isolated, that's why if a person goes to a sensitive site, and then decided to use a search engine or facebook or gmail or anything else, then, they will not be protected anymore.And that's the big flaw I noticed about OTR, OTR assumes a person will only use one site and only one site to seek help or access sensitive information or something like that, it doesn't take into account links that open in different tabs, any subsequent website a person might use like a search engine.
When I am using a tab that is being OTR, I get a message You're browsing this website in Off-The-Record mode.
but then, only the first site that was OTR, is the only one getting its storage isolated.
The problem doesn't stop there though because:
Sites that clear cookies when you close them
, when the site doesn't have any previous data stored in the browser, and that's not good, a site should be added regardless if it had or not previously any user data stored or not.Of course, in my case, like I said, I used Requestly to make any website get OTRed, which makes this issue pretty obvious.
Any site being OTR should be isolated, and any link opened from a OTR website should be isolated and OTR as well.
I recorded my screen to try to show this issue in a cleared way than words, I used Requestly, not a site from preloaded list, I did this, because preloaded list might work differently, like with the TypedURLs flaw I explained as well. and OTR feature, should work the same in any OTR site, regardless if it is in the preloaded list or not. I also don't know which sites in the preloaded list store data. or have toggles or anything to properly test flaw number 3, like I can do by using Brave Search.
In the end, Brave Team should make the necessary testing to make sure it covers all necessary scenarios, and like I said, I understand some limitations will always exists, I hope OTR feature gets improved to a really good spot.
Sites that clear cookies when you close them
but no subsequent website is added, leaving stored data behind.https://github.com/brave/brave-browser/assets/122518587/c03cb8c3-9009-4dab-a6ef-69a3b9a9bf8a
if I had a Facebook account and it was logged, that account would have been accessed normally, even if the OTR is supposed to be an isolated environment.
That happens because like I said, when a website already has data stored in the Browser, then it doesn't get added to Sites that clear cookies when you close them
list, and therefore the normal persistent storage will be used and then any change or any logged account or anything, will be used instead of being isolated in the Ephemeral Storage.
https://github.com/brave/brave-browser/assets/122518587/01644a3f-e6bc-4946-9a73-d0f150498570
https://github.com/brave/brave-browser/assets/122518587/e6712554-27e7-42b0-a2c8-4235f16ecb0d
Hi @Emi-TheDhamphirInLoveUnderTheFrozenStar, thanks for raising this comprehensive issue. Just a couple of things:
It would be really helpful if you could split this issue up into multiple ones, which would help us fix them. If not, I can take a crack once I'm back next week.
@ShivanKaul I will split flaws 2+ in different issues with proper titles and updated information and all that, to make it better. Since I made my investigation about it like the second comment explaining the whole issue with the user data and ephemeral storage.
But I just found another issue with OTR, about how Preloaded/Partners list only working in the Default profile, and not in other profiles Profile1, 2, etc. so the feature surely needs polishing.
Thank you!
@ShivanKaul Finished making the issues as requested:
Hope all titles are decently enough, but now it should be easier to track and reproduce and see what can be improved about OTR feature.
Thank you and have a good day.
Thanks! We'll go through that list and prioritize.
@pilgrim-brave
OTR feature was presented in this blog post by Brave https://brave.com/privacy-updates/26-request-off-the-record/ to be a way for people to access websites and still stay hidden in case of sensitive information like violence victims, the problem is the feature is flawed and could easily reveal a lot of what is intended to be hidden/removed, which would mean a risk for real victims using it in case they forgot doing it through InPrivate windows.
For example:
The problem it is still not doing it correctly in some areas.
First, I must mention I got interested in this feature, not because of the whole violence victims subject, but because I used Requestly to modify the response header be able to use it in all websites I wanted, and that way being able to avoid writing some websites to history without using InPrivate window, and that's how I found about these flaws, which should be fixed if they are meant for victims or anything related to sensitive information.
☰
->History
as Recently ClosedYou can even see how 'sensitive content' is displayed there, which can be easily clicked and go to the website and find out what was the person looking at. But also you can easily see after OTR it also displays the full name with even the Favicon, on it, so that means OTR websites don't get completely removed if Favicons stay on the DB.
The problem is bigger than just some favicons anyway, but how the Tabs and Sessions manager records every little step we do, and that means anyone could easily do a
Ctrl+Shift+T
and bring back the past history or click on the 'recently closed' button and do it that way. Ctrl+Shift+T will go further than what the Menu -> History shows. and that's the biggest flaw about this.Watch this video to understand what I mean, basically all I do is, go to tallpoppy -> brave -> make a search (brave search). and I could easily go back even after the browser is closed, making it so easy for anyone to know what sites you visited, especially if they are shown with the favicon in Menu -> History as shown in my screenshot.
https://github.com/brave/brave-browser/assets/122518587/0e99d3fc-61ee-4c9c-ab78-9202a63f3845
Of course, just making a
tallpoppy
content in files search in my 3rd party file manager in the clear Brave's User Data will easily bring even the favicons, session and tabs manager and cache and all. So that means a lot of information is not removed about it compared to InPrivate windows.I know
"media_engagement":
and"site_engagement":
is being fixed with https://github.com/brave/brave-browser/issues/31394, but no talks about other files like favions, I mean, some files are harder to read like0b1c8782a7be8171_0
inCode Cache/js
can only be accessed with a raw view, so they are not as serious, but it could still be improved, because we have to understand this is an alternative to InPrivate window, where nothing like this would leak.https://github.com/brave/brave-browser/assets/122518587/6f3392a4-d858-4daf-a18e-93d89cc6e273
as you can see tallpoppy facebook will be recorded in history and if nobody but the victim uses facebook, it would rise questions why there is Facebook in the user data.
The third flaw I see in this is that even though, Data is not being stored in the User Data, the problem comes when the sites already have a User Data in place. I don't know why Brave team didn't decide to use Ephemeral Storage to isolate OTR storages, but to explain this. You are in a search engine like Brave Search, today to find photos and videos, you need to click Bing or Google, the default behavior is
Remember my choice
is checked, so it will write a cookieextimages = bing
. (ignore the fact that the Bing will open in a new tab please, just understand the example), anyone who has used Brave Search would easily notice the change, and then question what was the person searching for, if we add the 2. flaw, where Bing would open in a separated window and therefore no OTR, then it would easily expose the victims intentions. The Data will get updated when an existing data already exists, it doesn't get isolated from changes, like if a person can get help through an email, how are they going to log in to Gmail or Hotmail without being easily detected, especially if the 'partner' uses the same email service? the smartest way would have been to use Ephemeral Storage on 1p and 3p like you can do with theSites that clear cookies when you close them
setting, you can log in and manipulate websites and change their settings but they never write to the persistent normal storage, they are completely separated which would make it easier to avoid information leakage.the fourth flaw I found was how OTR websites will not work when the browser is opened, the problem here is obvious, but for example, a victim doesn't close the page but closes the browser, remembers it and decided to open the browser again to close the page, now the page is recorded in history and the Data was added as well and everything becuase OTR didn't work 'fast enough'.
https://github.com/brave/brave-browser/assets/122518587/fb52e88a-a51e-449a-b511-63d8a875f59e
Request-OTR: 1
to the Response Header in all websites. Since websites can implement this feature without being in the preloaded or partners list, this problem of TypedURLs being recorder, should occur when websites use the header implementation. I think since the browser doesn't know it the site being requested is a OTR until it reads the header, then it doesn't know it didn't have to record the TypedURLs. Of course, I used an extension to add theRequest-OTR: 1
but I doubt my theory is incorrect since it is what makes sense for the browser to since preloaded list makes sure the browser knows not to record TypedURLs, while random website having OTR in the header doesn't, until the header is loaded, and that would be a risk if a website is not in the preloaded/partners list because the item will be there, right in the omnibox as suggestion. It should be properly tested with a proper website and not an extension, to know if my assumption is correct or not though. But here is the videohttps://github.com/brave/brave-browser/assets/122518587/bd62ff65-b91e-42f2-9ae6-6120ab21fdcc
Maybe many of these issues can't be avoidable, like tallpoppy showing in so many files after being OTR, but many, like Session/Tabs manager have to be fixed to make this safe for people if they need to really use this feature for the purposed it was showed in the blog, where they might really need to avoid any information being easily leaked to truly protect them. There are other issues like when a victim has to use the search engine which will not be OTR, being exposed how the person might be seeking help, but I hope this information can improve this great and promising feature. We have to think there might be extreme cases where even using a computer is a risk for a victim, and someone might be able to tell easily by a setting being changed, so the best and more polished this feature is, the better and safer to use for what it was shown in the Blog.
Thank you and thank you for your work.