globaleaks / GlobaLeaks

GlobaLeaks is free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.
https://www.globaleaks.org

Analyze and improve privacy of browser traces (history) of GlobaLeaks embedded #1443

Open fpietrosanti opened 8 years ago

fpietrosanti commented 8 years ago

This ticket is to analyze and improve privacy of browser traces (history) of GlobaLeaks embedded.

The goal is to identify possible privacy weaknesses (such as history items) and to address fixes, so that in a Whistleblower browser client, when using GlobaLeaks in embedded mode, there will be no trace at all.

Improvement of the documentation shall be done on how to integrate it properly, in a privacy preserving way.

fpietrosanti commented 8 years ago

Iframes may leave history traces, depending on the browser and on the way they are called:
http://khaidoan.wikidot.com/iframe-and-browser-history
http://www.icodeguru.com/webclient/ajax-hacks/0596101694/ID-65038.HeadA.Hack_37.html

There are tricks to replace/change the item in the history entry left by iframe src loading:
http://davejlong.com/iframes-and-your-browser-history/
https://github.com/tkyk/jquery-history-plugin/issues/11

Also interesting: "history.js" https://github.com/browserstate/history.js/issues/43

Also interesting: the HTML5 History API https://developer.mozilla.org/en-US/docs/Web/API/History_API

Note: It could be further explored whether it's possible to use a history record change for any kind of GlobaLeaks site, also in non-embedded mode, enabling the administrator to specify what shall be written in the browser history. For example, could every visited GlobaLeaks website write in the history that the user visited www.google.com?

evilaliv3 commented 8 years ago

@fpietrosanti I find this really interesting given the improvement it will provide in relation to the forensic traces left on the browser whenever the platform is injected as an iframe.

In general my concern is: both the iframe mode and the JavaScript client plugin we are going to develop won't offer any visual feedback to the user through the status bar/URL bar of the browser; how are we thinking to deal with this issue? (P.S. the issue already exists in the current embedded mode.)

fpietrosanti commented 8 years ago

Tools for browser forensics for testing:

Others such as NetAnalysis (www.digital-detective.net/digital-forensic-software/netanalysis/) have been suggested but cost too much. We can rely on friends in the forensic community to have some commercial tool testing too.
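One way to run the trace check discussed in this thread against Firefox, as an added example that is not part of the original thread or of GlobaLeaks: it lists the history rows a copy of the profile's `places.sqlite` holds for the platform's host. The host names and sample rows are constructed, and `open_places`, `history_traces` and `sample_db` are hypothetical helper names.

```python
import sqlite3
from urllib.parse import urlsplit

# Firefox visit_type values for frame loads (nsINavHistoryService):
# 4 = TRANSITION_EMBED, 8 = TRANSITION_FRAMED_LINK.
FRAME_TYPES = {4: "embed", 8: "framed_link"}

def open_places(path):
    """Open a copy of a profile's places.sqlite read-only."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)

def history_traces(db, host):
    """Return (url, title, [visit_type, ...]) for every moz_places row whose
    host is `host` or a subdomain of it, including rows with no visits."""
    rows = db.execute(
        "SELECT p.id, p.url, p.title, v.visit_type "
        "FROM moz_places p LEFT JOIN moz_historyvisits v ON v.place_id = p.id "
        "ORDER BY p.id, v.visit_date"
    )
    found = {}
    for pid, url, title, vtype in rows:
        h = (urlsplit(url).hostname or "").lower()
        if h != host and not h.endswith("." + host):
            continue
        entry = found.setdefault(pid, (url, title, []))
        if vtype is not None:
            entry[2].append(FRAME_TYPES.get(vtype, vtype))
    return list(found.values())

def sample_db():
    """Constructed stand-in for places.sqlite (only the columns used here)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES
          (1, 'https://news.example/contact', 'Contact us'),
          (2, 'https://leaks.example/#/submission', 'Submission'),
          (3, 'https://notleaks.example/', 'Unrelated');
        INSERT INTO moz_historyvisits VALUES (1, 1, 100, 1), (2, 2, 101, 8);
    """)
    return db

if __name__ == "__main__":
    for url, title, visits in history_traces(sample_db(), "leaks.example"):
        print(url, title, visits)
```

A test pass is an empty result for the platform's host after a session in embedded mode; any returned row is a trace to investigate.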

evilaliv3 commented 8 years ago

Autocomplete disabled on relevant inputboxes: https://github.com/globaleaks/GlobaLeaks/commit/45449bf192facb53c4fdd2b4428be9db883bf673

NSkelsey commented 8 years ago

To determine some of the identifiable information GL leaves around in the browser, you could use the EFF's Panopticlick tool with a clean VM.

The process would be:
1) Initialize a clean system (no fonts, no browser history)
2) Visit Panopticlick, generate a fingerprint (and record it)
3) Visit the GL site
4) Visit Panopticlick
5) Compare fingerprints

evilaliv3 commented 8 years ago

@NSkelsey: the intent of this ticket is to research which are the traces left on the browser while visiting the platform in general and specifically via https://github.com/globaleaks/GlobaLeaks/blob/master/client/app/js/plugin.js;

From the tests of Panopticlick (https://panopticlick.eff.org/about) eventually the only one that is relevant to me is the Font test.

Do you foresee that something else may be useful too?

NSkelsey commented 8 years ago

No, I agree with you. I think leaving behind fonts is the thing we will get out of Panopticlick. So it's less useful than I thought :-/

Initiatives with custom fonts will be leaving traces though... not sure if anybody does this, but it is not obvious that you should not have a custom font in your CSS.