explainers-by-googlers / Web-Environment-Integrity


What extra fingerprinting does this allow? #11

Open jyasskin opened 1 year ago

jyasskin commented 1 year ago

https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md#fingerprinting discusses how to prevent attesters from including lots of entropy in their responses, but what's the minimum data that this API gives away?

https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md#what-information-is-in-the-signed-attestation discusses what information might be included:

The attester's identity is likely to be 1:1 with the operating system, which I believe is exposed by network stack behavior, even if the browser spoofs its UA string, so that's not likely to be extra fingerprinting bits.

The verdict has at most the number of bits included in the verdict, but I think the goal is for all human users to be grouped in a single bucket, which would also remove the fingerprinting benefit?

The app identity does add fingerprinting bits, although if the particular browser has unique behavior for any web APIs, that provides the same bits that this would, meaning this wouldn't help fingerprinters beyond that baseline.

I'm not sure about the implications of the rate limiting indicator. Would it be stable across origins and time? If not, it doesn't help with fingerprinting either.

Are there any other sources that I've missed?
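As an added illustration that is not part of the original thread, the entropy accounting this comment sketches, carried out over a constructed population: the eight users, the field names, and the modelling assumptions (attester is 1:1 with the OS, app identity is the browser, every human gets the same verdict) are hypothetical choices made here, not values from the proposal.

```python
from collections import Counter
from math import log2

def entropy(samples):
    """Shannon entropy (bits) of the empirical distribution of samples."""
    n = len(samples)
    return -sum(c / n * log2(c / n) for c in Counter(samples).values())

def conditional_entropy(x, y):
    """H(X | Y): bits X still reveals once Y is already known."""
    return entropy(list(zip(x, y))) - entropy(y)

def mutual_information(x, y):
    """I(X; Y): bits that observing Y tells you about X."""
    return entropy(x) - conditional_entropy(x, y)

# Constructed population of eight (os, browser) users; hypothetical, not real data.
USERS = [("android", "chrome"), ("android", "chrome"), ("android", "firefox"),
         ("ios", "safari"), ("ios", "safari"), ("ios", "chrome"),
         ("windows", "chrome"), ("windows", "firefox")]

def attestation_bits():
    """Bits each attestation field adds beyond a fingerprinter's baseline,
    under the thread's assumptions: the attester is 1:1 with the OS, which is
    already visible from network-stack behaviour; the app identity is the
    browser, which is already visible from web-API quirks; and every human
    user lands in a single verdict bucket."""
    net_stack = [os for os, _ in USERS]   # baseline: OS leaks without the API
    api_quirk = [br for _, br in USERS]   # baseline: browser leaks without the API
    attester = [os for os, _ in USERS]    # attestation field
    app_id = [br for _, br in USERS]      # attestation field
    verdict = ["human"] * len(USERS)      # attestation field, one bucket
    return {
        "attester_raw": entropy(attester),
        "attester_extra": conditional_entropy(attester, net_stack),
        "verdict_extra": entropy(verdict),
        "app_id_raw": entropy(app_id),
        "app_id_extra": conditional_entropy(app_id, api_quirk),
    }

def rate_limit_link_bits(stable):
    """Cross-origin linkability of the rate-limiting indicator: bits that the
    value seen on origin A reveals about the value seen on origin B. The
    unstable case is constructed to be exactly independent of origin A."""
    on_a = ["ok"] * 4 + ["limited"] * 4
    on_b = on_a if stable else ["ok", "ok", "limited", "limited"] * 2
    return mutual_information(on_b, on_a)

if __name__ == "__main__":
    print(attestation_bits())
    print("stable:", rate_limit_link_bits(True), "unstable:", rate_limit_link_bits(False))
```

The "_raw" entries show the entropy a field carries on its own; the "_extra" entries show what survives once the baseline the comment describes is conditioned out, which is the quantity that matters for the question asked.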

michaelficarra commented 1 year ago

Aside from the per-origin identifier being discussed in #2, it sounds like you've got it all. I don't expect this proposal to assist in cross-origin tracking at all.

SHAGGAR commented 1 year ago

The attestation itself might not leak info, but it would ensure that any tracking code the developer has created is not tampered with, i.e. ensuring no ad-blocker/tracking-blocker has removed ads/trackers.

workingjubilee commented 1 year ago

> The attester's identity is likely to be 1:1 with the operating system, which I believe is exposed by network stack behavior, even if the browser spoofs its UA string, so that's not likely to be extra fingerprinting bits.

This doesn't take into account that:

Thus you are removing both the ability to claw back a bit of information via future network security engineering, and lowering the difficulty to "anyone can do it for essentially ~free" since the cost is knowing about a single API call. This moves it from being a somewhat obscure art to "now even fairly petty individuals can easily make websites that help them stalk others, without much effort".

And there are many cases where one's "users" are people who are forced to use a given website for one reason or another, so all the discussion about holdbacks is rendered immediately irrelevant. The website can simply make itself unusable until the API call works.