Javascript was a mistake, #9001: https://www.wired.com/story/web-deanonymization-side-channel-attack-njit/
🔜fosdem
@p
> Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.
It's not a hack, it's called Single-Sign-On :)
And it's been known for years.
Interestingly, BadWolf is effectively immune, new tabs have a separated ephemeral session.
> Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.
It's not a hack, it's called Single-Sign-On :)
And it's been known for years.
Interestingly, BadWolf is effectively immune, new tabs have a separated ephemeral session.
@m0xee @p Except not really.
The advertised case is about 5 *permanent* containers, maybe few ephemeral ones, IIRC that's with an extension.
Meanwhile where, the number on the tab easily goes beyond 52 after few days, together with also often cleaning tabs as there is virtually no latency in doing so.
I don't think anyone could do this on firefox without redoing the interface or keybindings, which is probably a pain in the ass.
And if they're anything close to me, their memory usage would be going to the roof because I never clean tabs in firefox except via just creating a new window and closing the old one.
The advertised case is about 5 *permanent* containers, maybe few ephemeral ones, IIRC that's with an extension.
Meanwhile where, the number on the tab easily goes beyond 52 after few days, together with also often cleaning tabs as there is virtually no latency in doing so.
I don't think anyone could do this on firefox without redoing the interface or keybindings, which is probably a pain in the ass.
And if they're anything close to me, their memory usage would be going to the roof because I never clean tabs in firefox except via just creating a new window and closing the old one.
@lanodan @p No, of course they don't isolate each tab, that would be trouble. You can assign which container the tab uses manually. This way if you log in to Facebook in the Facebook container, cookies and persistent data can't get outside. It's like using a different profile, but all within one browser instance. That is why it should be immune only if used properly. If all your tabs use the default container — it's not.
@p @lanodan Of course! I have media larger than 8Kb, third party fonts and scripts blocked by default in UBO and only enable them when I absolutely must.
Ideally, you should have IP routes set only to the servers you want to connect to and not have the default route. But maybe that's a bit overkill 😅
@m0xee @p Blocking at IP level is sadly currently using a bazooka to kill a swarm of mosquitoes.
I tried blocking cloudflare, it didn't last: https://hacktivis.me/articles/blocking%20cloudflare%20IP-range%20be%20like
I tried blocking cloudflare, it didn't last: https://hacktivis.me/articles/blocking%20cloudflare%20IP-range%20be%20like
@p @m0xee Yeah, VPN providers are probably even worse.
I could sue my ISP if it would do any shit and they also have to follow the local laws.
Suing a VPN provider? You might as well sue a dead person.
And a lot of them can follow *any* law they want, even worse than Facebook law HQ being Santa-Clara but taxes HQ being Ireland. (Forcing Facebook into EU would be funny given GDPR :D)
I could sue my ISP if it would do any shit and they also have to follow the local laws.
Suing a VPN provider? You might as well sue a dead person.
And a lot of them can follow *any* law they want, even worse than Facebook law HQ being Santa-Clara but taxes HQ being Ireland. (Forcing Facebook into EU would be funny given GDPR :D)
@lanodan @m0xee
> VPN providers are probably even worse.
In the case of Epik's VPN, NordVPN, "probably" can be changed to "provably".
> Suing a VPN provider? You might as well sue a dead person.
Such a mess.
> Forcing Facebook into EU would be funny given GDPR
That's the great thing about GDPR: it's absurd enough be costly, but it's also easy enough to ignore if you are small. There was that one provision that allowed that guy to get Facebook to send him a 900-page printout of all the data they had on him, that was hilarious.
> VPN providers are probably even worse.
In the case of Epik's VPN, NordVPN, "probably" can be changed to "provably".
> Suing a VPN provider? You might as well sue a dead person.
Such a mess.
> Forcing Facebook into EU would be funny given GDPR
That's the great thing about GDPR: it's absurd enough be costly, but it's also easy enough to ignore if you are small. There was that one provision that allowed that guy to get Facebook to send him a 900-page printout of all the data they had on him, that was hilarious.
@p @m0xee
> There was that one provision that allowed that guy to get Facebook to send him a 900-page printout of all the data they had on him, that was hilarious.
Yeah, Max Schrems, which is founder or something of https://noyb.eu/en
He done it multiple times btw.
> There was that one provision that allowed that guy to get Facebook to send him a 900-page printout of all the data they had on him, that was hilarious.
Yeah, Max Schrems, which is founder or something of https://noyb.eu/en
He done it multiple times btw.
@p @m0xee bluetooth shit?
I heard of supermarkets tracking people with wifi.
But well, I don't have a smartphone and I don't go in supermarkets, they've always been mischievous assholes, last time I went there was returning a gas ~rubber pipe that was very nearly expired and I just bought.
Glad I checked the date before opening the package and that in EU there is mandatory free 15-days return.
I heard of supermarkets tracking people with wifi.
But well, I don't have a smartphone and I don't go in supermarkets, they've always been mischievous assholes, last time I went there was returning a gas ~rubber pipe that was very nearly expired and I just bought.
Glad I checked the date before opening the package and that in EU there is mandatory free 15-days return.
@lanodan @m0xee
> bluetooth shit?
Yeah, not just wifi but Bluetooth pings. Any radio. In the US, it's currently illegal to do this with cell network stuff, but there are a lot of antennas on a person nowadays.
Did I tell you when I worked across the street from the Beverly Wilshire? There's some paparazzi operation that runs out of there, they were, at the time, making Pringles yagis for their Bluetooth antennas and then using those to capture MAC addresses, which they could confirm at public events. So the politician or celebrity (or their friends, or anyone in their security detail), if they had a Bluetooth device, these guys could tell what room of the hotel they were in and who they were there with.
> bluetooth shit?
Yeah, not just wifi but Bluetooth pings. Any radio. In the US, it's currently illegal to do this with cell network stuff, but there are a lot of antennas on a person nowadays.
Did I tell you when I worked across the street from the Beverly Wilshire? There's some paparazzi operation that runs out of there, they were, at the time, making Pringles yagis for their Bluetooth antennas and then using those to capture MAC addresses, which they could confirm at public events. So the politician or celebrity (or their friends, or anyone in their security detail), if they had a Bluetooth device, these guys could tell what room of the hotel they were in and who they were there with.
Do you even want to answer the phone while doing something outside?