Javascript was a mistake, #9001: https://www.wired.com/story/web-deanonymization-side-channel-attack-njit/

@p
> Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.

It's not a hack, it's called Single-Sign-On :)
And it's been known for years.

Interestingly, BadWolf is effectively immune, new tabs have a separated ephemeral session.

@lanodan @p Firefox has this "containers" that keep cookies and persistent data isolated. Should be immune too if used properly.

@m0xee @p Except not really.

The advertised case is about 5 *permanent* containers, maybe few ephemeral ones, IIRC that's with an extension.

Meanwhile where, the number on the tab easily goes beyond 52 after few days, together with also often cleaning tabs as there is virtually no latency in doing so.

I don't think anyone could do this on firefox without redoing the interface or keybindings, which is probably a pain in the ass.
And if they're anything close to me, their memory usage would be going to the roof because I never clean tabs in firefox except via just creating a new window and closing the old one.

@lanodan @p No, of course they don't isolate each tab, that would be trouble. You can assign which container the tab uses manually. This way if you log in to Facebook in the Facebook container, cookies and persistent data can't get outside. It's like using a different profile, but all within one browser instance. That is why it should be immune only if used properly. If all your tabs use the default container — it's not.

@m0xee @lanodan ...Or just avoid JS and null-route malicious networks (Facebook, Google, ad networks, etc.). This works cross-browser, cross-system, and eliminates this entire class of vulnerability instead of having to wade through the swamp to spot-weld a million holes.

@p @lanodan Of course! I have media larger than 8Kb, third party fonts and scripts blocked by default in UBO and only enable them when I absolutely must.
Ideally, you should have IP routes set only to the servers you want to connect to and not have the default route. But maybe that's a bit overkill 😅

@m0xee @p Blocking at IP level is sadly currently using a bazooka to kill a swarm of mosquitoes.

I tried blocking cloudflare, it didn't last: https://hacktivis.me/articles/blocking%20cloudflare%20IP-range%20be%20like

@lanodan @p Yep, sadly, this breaks a lot of things.
What also irks me is that a lot of websites including websites of companies that should be about privacy, like VPN providers, use reCAPTCHA. This is just wrong in every possible way 🤬

@m0xee @lanodan

> companies that should be about privacy, like VPN providers

"Should" is a mistake; they have no reason to. Tor.

@p @m0xee Yeah, VPN providers are probably even worse.

I could sue my ISP if it would do any shit and they also have to follow the local laws.

Suing a VPN provider? You might as well sue a dead person.
And a lot of them can follow *any* law they want, even worse than Facebook law HQ being Santa-Clara but taxes HQ being Ireland. (Forcing Facebook into EU would be funny given GDPR :D)

@lanodan @m0xee

> VPN providers are probably even worse.

In the case of Epik's VPN, NordVPN, "probably" can be changed to "provably".

> Suing a VPN provider? You might as well sue a dead person.

Such a mess.

> Forcing Facebook into EU would be funny given GDPR

That's the great thing about GDPR: it's absurd enough be costly, but it's also easy enough to ignore if you are small. There was that one provision that allowed that guy to get Facebook to send him a 900-page printout of all the data they had on him, that was hilarious.

@p @lanodan @m0xee VPN's won't protect people from browser fingerprinting. Something that was once attempted to be explained to the Epik guy....very slowly.

@ins0mniak @p @m0xee I don't think it's worth taking the time to explain it to some people.

There will always be people that think it's a good idea to reroute all their communications to whatever fad of the day, and then not even learn when it turns out it was a false company done by a three-letter agency.
Or these days people who think it's great to have a microphone, door camera, … connected to a mothership.

What should be done instead is making sure people *ignore* them, as they have no idea what they're talking about.

And I totally would sue people in my town, specially neighbors if they would install an Amazon Ring.

@lanodan @ins0mniak @p No one's using VPN to avoid browser fingerprinting I think. It still prevents your ISP from spying on you, helps circumvent georestrictions, countrywide IP blocks, etc.

@m0xee @ins0mniak @p A VPN is an ISP, they can also entirely spy on you and in fact I would say they have much more incentive to do so since they're the kind of thing that can be easily created from nothing.

And I don't know for the freedomination land that is USA but in France and probably most of Europe, it is *illegal* for an ISP to spy on you.
So for an European perspective, a scam ISP like those VPN is effectively harmful.

@lanodan @ins0mniak @p Yeah, but don't forget about countries like China, Russia, etc.
You can't sue shit there and some guy in Zurich spying on you is still more trustworthy than ISP having direct connection to the KGB 😆

@m0xee @ins0mniak @p
For places like China and Russia you're quite doomed.
Specially as they tend to make VPNs illegal or restricted to the kind where it's just to access a corporate subnet.

Can VPNs help in those countries?
Maybe, but at the same time, they entirely could sneak keyloggers into your devices.

@lanodan @ins0mniak @p They can if you use them in a barebones way e.g. openvpn configuration, not the "apps".
And of course you have to take ll the other measures.