Closed konklone closed 9 years ago
Also, thanks to @gboone and @msecret for discovering this during an audit of 18F's third party service surface area.
This issue has not been resolved in 2.0, though one of the bugs was addressed:
- [x] Make the `youtube.com` ping conditional on whether `YOUTUBE` is set to `true` or `false`.
- [x] Default `YOUTUBE` to `false`, requiring users who want YouTube tracking to place `yt=true` in their `<script>` tag URL.
- [ ] Fix #13, which forces the ping to `youtube.com` to occur over an HTTPS channel, significantly mitigating (though not eliminating) the privacy and security ramifications of hitting a third party domain.
The logic bug has been addressed, making the YouTube ping appropriately conditional on whether the `YOUTUBE` config flag (as set by `yt=true` or `yt=false`) is set to `true`.
However, `YOUTUBE` still defaults to `true`, meaning that it is still the case that the DAP will always ping YouTube unless participants take explicit action to turn it off. I consider this issue unresolved.
Default to false now covered in most recent version.
I can verify: this issue has been resolved. The DAP now only pings YouTube if `yt=true` is passed as an argument.
Thanks to the DAP team for prioritizing this fix! And thanks to @msecret for finding it in the first place.
Right now, the DAP defaults to tracking YouTube player activity:

To support YouTube tracking, the DAP script injects a `<script>` tag that points to the YouTube API:

This causes the browser of any user visiting a site that participates in the DAP to ping `youtube.com`:

This means `youtube.com` is getting pinged whether or not the site wants YouTube player tracking, or whether it even uses YouTube videos at all. This is a needless piece of privacy leakage -- and additional attack surface -- for a site that participates in the DAP. It's made worse by #13, which allows the ping to occur over plain HTTP.

The `YOUTUBE` flag can be disabled by adding `yt=false` to the `<script>` tag URL. However, this does not prevent youtube.com from being pinged. The `YOUTUBE` flag is only used to determine whether some subsequent initialization should take place.

To sum up:

1. `yt=false` and the `YOUTUBE` flag do not change whether or not `youtube.com` is pinged by visitors' browsers.
2. The `YOUTUBE` flag is set to `true` by default. So even if (1) were addressed, the DAP would still cause participating sites to ping `youtube.com` whether or not the site owner was interested or aware of the ability to track YouTube player activity.

The following things are necessary to address this:

- [x] Make the `youtube.com` ping conditional on whether `YOUTUBE` is set to `true` or `false`.
- [x] Default `YOUTUBE` to `false`, requiring users who want YouTube tracking to place `yt=true` in their `<script>` tag URL.
- [ ] Fix #13, which forces the ping to `youtube.com` to occur over an HTTPS channel, significantly mitigating (though not eliminating) the privacy and security ramifications of hitting a third party domain.

A couple of other things worth doing afterwards:

- `youtube.com` on every page that references the YouTube-enabled DAP snippet -- not just pages that have YouTube videos on them. Additionally, suggest to DAP participants that they should consider the privacy and security impact of unnecessary requests to third party domains when deciding whether to opt-in.
- The `youtube.com` ping could be, even when explicitly enabled, further made conditional on whether a YouTube video is present on the page. I can see several potential complications with this (if YouTube videos are embedded dynamically on the page after initial page load, or if the DAP script is executed before the HTML of the page has completed downloading), but perhaps it's simpler than I imagine.

This is a user privacy and security issue that I hope the DAP will address in its next release.
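
The three fixes the issue lists (ping gated on the flag, flag off by default, HTTPS only), sketched as an added example. This is not the DAP's code: the function names, the `example.gov` snippet URL and the YouTube API URL are assumptions, and the `document` stand-in is constructed so the behaviour can be checked outside a browser.

```javascript
// Added example, not DAP source. Names and URLs here are assumptions.
// Explicit https:// so the third-party request can never go out over plain HTTP.
const YOUTUBE_API_SRC = "https://www.youtube.com/iframe_api";

// Read yt= from the analytics <script> tag URL. Only the literal "true"
// enables tracking; a missing, "false" or malformed value leaves it off.
function parseYouTubeFlag(scriptSrc) {
  let params;
  try {
    // The base lets relative and protocol-relative src values parse too.
    params = new URL(scriptSrc, "https://placeholder.invalid/").searchParams;
  } catch (e) {
    return false; // unparseable URL: fail closed, no third-party request
  }
  return params.get("yt") === "true";
}

// Inject the third-party tag only when the flag is on. `doc` is any
// document-like object, so the same function runs in a browser or a test.
function maybeLoadYouTubeApi(doc, scriptSrc) {
  if (!parseYouTubeFlag(scriptSrc)) return null; // nothing sent to youtube.com
  const tag = doc.createElement("script");
  tag.src = YOUTUBE_API_SRC;
  doc.head.appendChild(tag);
  return tag;
}

// Constructed stand-in for `document` that records which URLs would be fetched.
function fakeDocument() {
  const requested = [];
  return {
    requested,
    createElement: () => ({ src: "" }),
    head: { appendChild: (el) => requested.push(el.src) },
  };
}

// Returns the list of third-party URLs a page using this snippet URL would hit.
function requestsFor(scriptSrc) {
  const doc = fakeDocument();
  maybeLoadYouTubeApi(doc, scriptSrc);
  return doc.requested;
}
```

In a browser, `maybeLoadYouTubeApi(document, document.currentScript.src)` would be the call site; `requestsFor` exists only to make the default-off behaviour observable.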