Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Supercookies tracking #14025

Closed
pachainti opened this issue Feb 7, 2021 · 13 comments
Closed

Supercookies tracking #14025

pachainti opened this issue Feb 7, 2021 · 13 comments
Labels
Chromium/waiting upstream Issue is in Chromium; we'll likely wait for the fix closed/not-actionable feature/cookies feature/shields/cookies Cookie controls implemented as part of Shields. OS/Android Fixes related to Android browser functionality priority/P3 The next thing for us to work on. It'll ride the trains.

Comments

@pachainti
Copy link

Hi,
brave on desktop is able to block supercookies tracking while brave for android does not.
The behaviour has been tested with the latest version of brave 1.19.92 on both android 9 and 10 with armv7 and armv8 CPU.

@pachainti pachainti added the OS/Android Fixes related to Android browser functionality label Feb 7, 2021
@srirambv
Copy link
Contributor

srirambv commented Feb 8, 2021

cc: @pes10k

@srirambv srirambv added feature/cookies feature/shields/cookies Cookie controls implemented as part of Shields. labels Feb 8, 2021
@pes10k
Copy link
Contributor

pes10k commented Feb 8, 2021

@fmarier is there any reason your fix wouldn't apply to Android?

@fmarier
Copy link
Member

fmarier commented Feb 8, 2021

There was nothing desktop-specific in our fix.

When I test this on Android, I get a different ID in normal tabs v. private tabs, so that tells me that this is working on Android too.

@pachainti
Copy link
Author

Hi,
I made several tests. The protection works well GNU/Linux, but does not work on both windows 10 2004 and macOS link.

@pachainti
Copy link
Author

There was nothing desktop-specific in our fix.

When I test this on Android, I get a different ID in normal tabs v. private tabs, so that tells me that this is working on Android too.

Yes, this works. However, if you close and open brave, it provides the same ID.

@fmarier
Copy link
Member

fmarier commented Feb 9, 2021

Yes, this works. However, if you close and open brave, it provides the same ID.

That's expected. You need to clear the cache for the favicons to go away.

Without clearing the cache, there are other simpler ways for a malicious first party to continue to track you. No need for a supercookie in this case.

@pachainti
Copy link
Author

Yes, this works. However, if you close and open brave, it provides the same ID.

That's expected. You need to clear the cache for the favicons to go away.

Without clearing the cache, there are other simpler ways for a malicious first party to continue to track you. No need for a supercookie in this case.

If this is expected, the behaviour on GNU/Linux is not congruent. Why?
Could ephemeral site storage help?

@fmarier
Copy link
Member

fmarier commented Feb 10, 2021

If this is expected, the behaviour on GNU/Linux is not congruent. Why?

When I test the following on GNU/Linux:

  1. Start the browser (I used brave-browser-stable).
  2. Load https://demo.supercookie.me/ in a normal window and write down the ID.
  3. Close the browser.
  4. Repeat Steps 1 and 2.
  5. Compare the two IDs.

I get the same ID.

If you're getting different IDs, you may be clearing cache/cookies at exit. Check these two settings:
Screenshot from 2021-02-10 11-49-09
Screenshot from 2021-02-10 11-49-20

@fmarier
Copy link
Member

fmarier commented Feb 10, 2021

Could ephemeral site storage help?

No, that's a web compatibility enhancement to work-around problems due to the fact that we block third-party storage in Brave.

The expected behavior for these favicon supercookies is that the ID will change when:

  • you move from a normal window to a private window
  • you clear your cache and cookies

This is first-party tracking, which can also be done trivially via cookies and via the HTTP cache. So unless you clear your cache & cookies you don't need to use favicons to get a stable identifier for a given user.

@pachainti
Copy link
Author

You are right, I have third party cookies blocked.
Are you planning to partition HTTP cache, image cache, favicon cache, HSTS cache, OCSP cache, style sheet cache, font cache, DNS cache, HTTP Authentication cache, Alt-Svc cache, and TLS certificate cache as firefox does since version 85+?

@fmarier
Copy link
Member

fmarier commented Feb 11, 2021

The Chromium team is working on cache partitioning similar to Firefox's implementation: https://docs.google.com/document/d/1V8sFDCEYTXZmwKa_qWUfTVNAuBcPsu6FC0PhqMD6KKQ/edit

Brave will inherit this change as well once it's ready.

@anthonypkeane anthonypkeane added the Chromium/waiting upstream Issue is in Chromium; we'll likely wait for the fix label May 5, 2021
@anthonypkeane anthonypkeane added the priority/P3 The next thing for us to work on. It'll ride the trains. label May 19, 2021
@pachainti
Copy link
Author

The Chromium team is working on cache partitioning similar to Firefox's implementation: https://docs.google.com/document/d/1V8sFDCEYTXZmwKa_qWUfTVNAuBcPsu6FC0PhqMD6KKQ/edit

Brave will inherit this change as well once it's ready.

Now brave has Network State Partitioning.

@pes10k
Copy link
Contributor

pes10k commented Jan 20, 2022

Yep, as @pachainti mentioned, Brave now has protections against this category of attack. We've rolled out what Chromium implements, added some additional protections that Chromium currently lacks (but which we're trying to upstream), and protections against new kinds attacks that Brave's research team found in Chromium.

Thanks everyone for keeping our feet to the flame here!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Chromium/waiting upstream Issue is in Chromium; we'll likely wait for the fix closed/not-actionable feature/cookies feature/shields/cookies Cookie controls implemented as part of Shields. OS/Android Fixes related to Android browser functionality priority/P3 The next thing for us to work on. It'll ride the trains.
Projects
None yet
Development

No branches or pull requests

5 participants