Hacker News new | ask | show | jobs
by brookst 406 days ago
It’s an interesting question: is it possible for JavaScript to be turing complete, able to read/write the DOM, and somehow prevent fingerprinting / tracking?

My gut says no, not possible.

Maybe we need a much lighter way to express logic for UI interactions. Declarative is nice, so maybe CSS grows?

But I don’t see how executing server-controlled JS could ever protect privacy.
4 comments
Enginerrrd 406 days ago
I've always thought there should be a way to use the browser like a condom. It should obfuscate all the things that make a user uniquely identifiable. Mouse movement/clicks/typing cadence should be randomized and sanitized a bit. And no website should have any authority whatsoever to identify your extensions or other tabs, or even whether or not your tab is open. And it certainly shouldn't allow a website to overrule your right click functionality, or zoom, or other accessibility features.
link
JSteph22 406 days ago
The obfuscation makes you more easily identifiable.
link
victorbjorklund 405 days ago
I think their idea was that it would be in the browser everyone uses.
link
Enginerrrd 405 days ago
Exactly. My thought was this should be the default configuration in the browser.
link
teo_zero 406 days ago
How so?
link
codyvoda 406 days ago
Eldo Kim

you stand out when you obviously hide

link
chii 406 days ago
only if you are the only one doing the obfuscation.

It's why tor browser is set to a specific dimension (in terms of pixel size), have the same set of available fonts etc.

link
klabb3 406 days ago
And yet you still stand out if you use tor.
link
6510 406 days ago
I don't know what it is called but if you try to open a window from a timeOut it wont work. The user has to click on something then the click even grants the permission.

You could make something similar where fingerprint worthy information cant be posted or used to build an url. For example, you read the screen size then add it to an array. The array is "poisoned" and cant be posted anymore. If you use the screen size for anything those things and everything affected may stay readable but are poisoned too. New fingerprinting methods can be added as they are found. Complex calculations and downloads might make time temporarily into a sensitive value too.

link
degamad 406 days ago
In the old days, something similar to what you're calling "poisoned" was called "tainted" [0].

In those scenarios, tainted variables were ones which were read from untrusted sources, so could cause unexpected behaviour if made part of SQL strings, shell commands, or used to assemble html pages for users. Taint checking was a way of preventing potentially dangerous variables being sent to vulnerable places.

In your scenario, poisoned variables function similarly, but with "untrusted" and "vulnerable" being replaced with "secret" and "public" respectively. Variables read from privacy-compromising sources (e.g. screen size) become poisoned, and poisoned values can't be written to public locations like urls.

There's still some potential to leak information without using the poisoned variables directly, based on conditional behaviour - some variation on

    if posioned_screenwidth < poisoned_screenheight then load(mobile_css) else load(desktop_css)
is sufficient to leak some info about poisoned variables, without specifically building URLs with the information included.

[0] https://en.wikipedia.org/wiki/Taint_checking

link
6510 404 days ago
I mean everything inside the if statement becomes tainted.

Like opening a window requires a click (in the chain of events), load() wouldn't work in a tainted conditional.

link
febusravenga 406 days ago
Yes, it is.

Just create _strict_ content security profile, which doesn't allow any external requests (fetch) and only allow load of resources (css, image, whatever) from predefined manifest.

App cannot exfiltrate any data in that case.

You may add permissions mechanisms of course (local disk, some cloud user controls, etc).

That's a big challenge in standards and not sure if anyone is working on such strongly restricted profile for web/js.

link
chongli 406 days ago
It’s an interesting question: is it possible for JavaScript to be turing complete, able to read/write the DOM, and somehow prevent fingerprinting / tracking?

Yes, of course: restrict its network access. If JS can't phone home, it can't track you. This obviously lets you continue to write apps that play in a DOM sandbox (such as games) without network access.

You could also have an API whereby users can allow the JS application to connect to a server of the user's choosing. If that API works similarly to an open/save dialog (controlled entirely by the browser) then the app developer has no control over which servers the user connects to, thus cannot track the user unless they deliberately choose to connect to the developer's server.

This is of course how desktop apps worked back in the day. An FTP client couldn't track you. You could connect to whatever FTP server you wanted to. Only the server you chose to connect to has any ability to log your activity.

link
adrr 406 days ago
There's no point. If you diaable JS. Can track you other ways, fingerprint your dns packets like timestamp clock skew and other things. With IPV6 can assign you unique ip address for a dnslookup that can function like a cookie,

Don't want to be tracked. Don't go on the internet.

link
HumanOstrich 406 days ago
Websites can't fingerprint my dns packets by their clock skew, nor can they assign me a unique IP address for a dns lookup (what?). "Don't go on the internet" isn't a great starting point to improve things.
link
adrr 405 days ago
Used to fingerprint your TCP packets when i built a large neobank. Could easily tell if you're behind a proxy, falsifying your user agent via syn numbers, and more. We used it to detect bots but it could be easily be used to fingerprint individual users. DNS trick is already used for DNS based CDNs, you can just keep refining it down to more specificity. CDN edge for each individual user.
link
waynesonfire 406 days ago
Why does it have to be a technological solution? That's what the media industry tried to do with DRM and it failed. The solution is legislation. We need the equivalent of DMCA for our privacy. Make it illegal to fingerprint.
link
chongli 406 days ago
I’m completely unsold on legislation. Another headline that recently hit the top of HN is about how Apple flagrantly ignored a court order. The judge has recommended the case for criminal contempt prosecution [1].

The comments on the story are completely unconvinced that anyone at Apple will ever be convicted. Any fines for the company are almost guaranteed to be a slap on the wrist since they stand to lose more money by complying with the law.

I think the same could be said about anti-cookie/anti-tracking legislation. This is an industry with trillions of dollars at stake. Who is going to levy the trillions of dollars in fines to rein it in? No one.

With a technological solution at least users stand a chance. A 3rd party browser like Ladybird could implement it. Or even a browser extension with the right APIs. Technology empowers users. Legislation is the tool of those already in power.

[1] https://news.ycombinator.com/item?id=43856795

link
chii 406 days ago
> The solution is legislation. We need the equivalent of DMCA for our privacy

and how does one know their privacy has been invaded? How does the user know to enforce the DMCA law for privacy?

I think the solution has to be technological. Just like encryption, we need some sort of standard to ensure all browsers are identical and unidentifiable (unless the user _chooses_ to be identified - like logging in). Tor-browser is on the right track.

link
jenadine 406 days ago
That'd be the GDPR
link
cluckindan 406 days ago
Which is only applicable in the EU
link