dhowe / AdNauseam

AdNauseam: Fight back against advertising surveillance
GNU General Public License v3.0

ChannelID cookies allowed on Ad visits #602

Open dhowe opened 8 years ago

dhowe commented 8 years ago

Origin Bound Certificates (aka ChannelID) are persistent self-signed certificates identifying the client to an HTTPS server, envisioned as the future of session management on the web. A separate certificate is generated for every newly encountered domain and reused for all connections initiated later on.

By design, OBCs function as unique and stable client fingerprints, essentially replicating the operation of authentication cookies; they are treated as “site and plug-in data” in Chrome, and can be removed along with cookies.

Uncharacteristically, sites can leverage OBC for user tracking without performing any actions that would be visible to the client: the ID can be derived simply by taking note of the cryptographic hash of the certificate automatically supplied by the client as a part of a legitimate SSL handshake.

ChannelID is currently suppressed in Chrome in “third-party” scenarios (e.g., for different-domain frames).

Import the following ad to reproduce:

{
  "https://www.google.com.hk/?gfe_rd=cr&ei=U1ofWOWTEq7Y8ge9g4EQ#q=credit+card": {
    "google.com.hk::www.hangseng.com/enjoycard::享全年折扣優惠及賺2x enJoy Dollars ,網上申請可享高達$300 enJoy Dollars::恒生enJoy卡永久免年費 - hangseng.com‎": {
      "id": 7,
      "attempts": 0,
      "visitedTs": 0,
      "attemptedTs": 0,
      "contentData": {
        "title": "恒生enJoy卡永久免年費 - hangseng.com‎",
        "text": "享全年折扣優惠及賺2x enJoy Dollars ,網上申請可享高達$300 enJoy Dollars",
        "site": "www.hangseng.com/enjoycard"
      },
      "contentType": "text",
      "title": "恒生enJoy卡永久免年費 - hangseng.com‎",
      "resolvedTargetUrl": null,
      "foundTs": 1478449752801,
      "targetUrl": "https://www.google.com.hk/aclk?sa=L&ai=DChcSEwjS0J3CxpTQAhWJALwKHWoSCQ4YABAG&sig=AOD64_1Wf4eiYqkQAYkZOixfOd_MAk7bnA&q=&ved=0ahUKEwiQ1JrCxpTQAhVIyrwKHZUZCUgQ0QwILQ&adurl=",
      "pageTitle": "Google",
      "pageUrl": "https://www.google.com.hk/?gfe_rd=cr&ei=U1ofWOWTEq7Y8ge9g4EQ#q=credit+card",
      "errors": null,
      "current": true,
      "pageDomain": "google.com.hk",
      "version": "2.3.83",
      "targetDomain": "google.com.hk"
    }
  }
}

dhowe commented 8 years ago

Note: this seems to be a Google (and related companies: doubleclick, dartsearch.net, etc.) specific issue. Chrome blocks these when cookies are being blocked, but doesn't appear to allow an extension any option to block.

  1. Need to verify that this is set only on first visit to Google, then reused each time as the paper describes
  2. Also need to verify that Channel ID cookies are blocked when 3rd-party cookies are disabled in the browser (they are when all cookies are blocked, and should be in both cases)...

One (dirty) option for handling these would be to temporarily add the domain to the browser's blocked cookie list, as done in the cookie remover addon, and/or to clear the cookies for the domain after the request/response is finished...

In any case, I am pushing this to 3.2...
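A sketch of the cookie-blocking option described in the comment above, added here as an example; it is not AdNauseam code and not from the commenter. It assumes an extension with the `contentSettings` and `cookies` permissions, takes the `chrome` object as `api`, and uses a hypothetical `visit(done)` callback for the ad request. Whether this also suppresses ChannelID is untested and is the open question in this thread.

```javascript
// Added example: wrap one ad visit in a temporary cookie block for the ad's
// domain, then purge whatever was stored for it.
// `api`   : the extension's `chrome` object (passed in, not a global).
// `visit` : hypothetical function that performs the ad request, then calls done().
function visitWithCookiesBlocked(api, domain, visit, finished) {
  const pattern = '*://*.' + domain + '/*';
  // 1. Temporarily add the domain to the browser's blocked cookie list.
  api.contentSettings.cookies.set({ primaryPattern: pattern, setting: 'block' }, () => {
    visit(() => {
      // 2. Lift the block. clear() drops every cookie rule this extension set,
      //    so an extension holding other rules must re-apply them afterwards.
      api.contentSettings.cookies.clear({}, () => {
        // 3. Clear cookies for the domain after the request/response finished.
        purgeCookies(api, domain, finished);
      });
    });
  });
}

// Removes all cookies whose domain matches `domain` (subdomains included) and
// reports how many removals succeeded.
function purgeCookies(api, domain, finished) {
  api.cookies.getAll({ domain: domain }, (cookies) => {
    let pending = cookies.length;
    let removed = 0;
    if (pending === 0) return finished(0);
    for (const c of cookies) {
      // cookies.remove() needs a URL, rebuilt here from the cookie's own fields.
      const host = c.domain.replace(/^\./, '');
      const url = (c.secure ? 'https://' : 'http://') + host + c.path;
      api.cookies.remove({ url: url, name: c.name, storeId: c.storeId }, (details) => {
        if (details) removed++; // details is null when removal failed
        if (--pending === 0) finished(removed);
      });
    }
  });
}
```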

dhowe commented 7 years ago

See this PrivacyBadger ticket with some additional info: https://github.com/EFForg/privacybadger/issues/1135

dhowe commented 7 years ago

Need to do some research into how these can be blocked