Privacy Badger maintains a separate, plain-text list of e̶v̶e̶r̶y̶ ̶d̶o̶m̶a̶i̶n̶ ̶y̶o̶u̶'̶v̶e̶ ̶e̶v̶e̶r̶ ̶v̶i̶s̶i̶t̶e̶d̶ some visited domains #1064

Closed
pjlsergeant opened this Issue Dec 14, 2016 · 15 comments

pjlsergeant commented Dec 14, 2016

With reference to:

#1049 (comment)

> These domains are retained on your local device while Privacy Badger remains installed; note that for all pages visited on a given domain, only the top level domain will be stored.

I suspect this does not match users' expectations at all. Would it be at least possible to hash them securely, and also make it clear to users that this behaviour is occurring?

Acharvak commented Dec 14, 2016

I agree, there should be an option to hash the domains. But only an option—if it slows the browser down, I'd prefer no hashing.

What's more concerning is the fact that it appears to also remember URLs I've visited in Private mode. Perhaps it would be reasonable not to remember these (at least not by default), restrict new tracker identification to non-private windows.

trs-eric commented Dec 14, 2016

There's no way hashing would be secure. A rainbow table could decode the list trivially.

Sebb767 commented Dec 14, 2016

@bitJericho You could use a salt depending on the user and/or browser. Or simply randomly generate one when the extension is installed.

trs-eric commented Dec 14, 2016

@Sebb767 I don't think this would resolve the issue. If an attacker has your local database, the attacker would have your salts.

Member

ghostwords commented Dec 14, 2016

Please see #266 for previous discussion.

Acharvak commented Dec 14, 2016

The result of the discussion in #266 was that any form of hashing would still let the attacker know if you've visited a certain site if he has your database (by hashing the domain of that website and checking if it's in your database).

But I do believe there is some merit in hashing, because it would stop potential attackers, who, e.g.:

  • Search all files on your computer for certain strings, but don't check for (salted) hashes (the Evil Empire is mass-searching citizens' computers for any references to www.rebelalliance.net)
  • Don't know what they are looking for, but "know it when they see it" (your wife has noticed that the computer screen is unlocked, decides to take a peek at your database and notices that you have www.male-bondage-submission-dating.com in it, even though she previously didn't know it even existed).

In any case, I do think websites visited in Private windows shouldn't be put into the database. It is especially important in Firefox, where you can't selectively prevent add-ons from running in Private mode, unlike in Chrome.

Member

ghostwords commented Dec 14, 2016

Private mode browsing should not be getting recorded in any way by Privacy Badger. If it is, that's a bug. (Previously: #829.)

Sebb767 commented Dec 14, 2016

I'm also pro hashing. Assuming the salt is stored in chrome local storage:

  • The attacker would need to have access to the list as well as to the chrome local storage (I'm not sure if the list is saved there, too).
  • An attacker would have a much harder time to profile someone. You might be able to get a few common ones (Google, GitHub, YouTube, ...) but you need to do a lot of cracking to find every website I frequent. Also, it makes mass attacks on privacy badger much harder.
  • It prevents domain leakage. A potential attacker can not deduce that https://secret-dev.google.com exists when the files are hashed.
  • Plus all the points named by @Acharvak .

Different topic, you need to notify the user that privacy badger doesn't learn in private browsing mode. I know a few people who exclusively use private browsing mode and they should know that they either need to allow PB to learn in private mode or it's of no use for them.
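
The trade-off argued in Acharvak's and Sebb767's comments above, as an added example that is not part of the thread and is not Privacy Badger code. It assumes a per-install random salt used as an HMAC-SHA256 key (function names are hypothetical) and shows that the stored list no longer matches a plain string search, while anyone holding both the list and the salt can still confirm a specific domain or recover the ones on a guess list.

```javascript
// Added example (not Privacy Badger code): salted hashing of a stored domain list.
const crypto = require("crypto");

// Hypothetical helper: per-install random salt, generated once at install time.
function newSalt() {
  return crypto.randomBytes(16).toString("hex");
}

// Hypothetical helper: keyed hash of a domain, HMAC-SHA256 with the salt as key.
function hashDomain(salt, domain) {
  return crypto.createHmac("sha256", salt).update(domain.toLowerCase()).digest("hex");
}

// Build the on-disk form: only hashes are serialized, never the plain domains.
function buildStore(salt, domains) {
  return JSON.stringify(domains.map((d) => hashDomain(salt, d)));
}

// String search over the stored bytes (the "search all files" scenario).
function plaintextSearch(storeText, needle) {
  return storeText.includes(needle);
}

// Targeted check by someone holding the store AND the salt.
function wasVisited(storeText, salt, domain) {
  return JSON.parse(storeText).includes(hashDomain(salt, domain));
}

// Guessing from a candidate list: recovers only domains that are on the list.
function recoverFromCandidates(storeText, salt, candidates) {
  const stored = new Set(JSON.parse(storeText));
  return candidates.filter((c) => stored.has(hashDomain(salt, c)));
}

// Constructed sample data, using domains named in the thread.
const salt = newSalt();
const store = buildStore(salt, ["www.rebelalliance.net", "github.com", "secret-dev.google.com"]);
const guesses = ["google.com", "github.com", "youtube.com"];

console.log("string search hit:", plaintextSearch(store, "rebelalliance"));
console.log("targeted check with salt:", wasVisited(store, salt, "www.rebelalliance.net"));
console.log("targeted check, wrong salt:", wasVisited(store, newSalt(), "www.rebelalliance.net"));
console.log("recovered from guess list:", recoverFromCandidates(store, salt, guesses));
```

The unlisted `secret-dev.google.com` entry stays unrecovered only because it is not on the guess list; the salt adds no protection once it is read from the same profile as the hashes.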

Acharvak commented Dec 14, 2016

> Private mode browsing should not be getting recorded in any way by Privacy Badger. If it is, that's a bug.

I've retested. Now it isn't happening anymore. I may have been careless during my initial test, I guess, sorry about the false alarm.

Member

ghostwords commented Dec 14, 2016

@Acharvak No problem!

Agree that the way domains are stored locally for the purposes of heuristic learning, and how private browsing is handled by Privacy Badger are both issues worth revisiting. Good point that some people use Private Browsing mode exclusively! I suggest opening a new issue for each distinct proposal.

Member

pde commented Dec 15, 2016

Reopening #266; I think we should definitely do some version of that.

Member

pde commented Dec 15, 2016

Also I'm going to change the title of this bug, since PB2 doesn't store every domain you've ever visited; it stores the first two first party domains on which you've seen a given third party. After that, it's counted to three and it blocks the third party.

@pde pde changed the title from Privacy Badger maintains a separate, plain-text list of every domain you've ever visited to Privacy Badger maintains a separate, plain-text list of e̶v̶e̶r̶y̶ ̶d̶o̶m̶a̶i̶n̶ ̶y̶o̶u̶'̶v̶e̶ ̶e̶v̶e̶r̶ ̶v̶i̶s̶i̶t̶e̶d̶ some visited domains Dec 15, 2016

@pde pde added the duplicate label Dec 15, 2016

pjlsergeant commented Dec 15, 2016

I think one big issue you need to address here is that if I wipe my history, this isn't wiped. I can understand why, but this behaviour needs to be made much more explicit.

Member

pde commented Dec 15, 2016

@pjlsergeant agreed! I think we can do a much better job. I'm inclined to work on this over in #266; would you be fine with closing this ticket as a duplicate of #266, and moving to technical discussion in that issue?

pjlsergeant commented Dec 15, 2016

@pde Although I like the immediacy of the title on this one, that's probably the right thing to do. Closed, as a duplicate of #266
