• Libb@piefed.social
    English · ↑ 32 · 3 days ago

    JavaScript, that once promised to be so useful, has become the tool of choice for the wonderful surveillance dystopia we live in…

    A year ago, I tried for a few months to use the Web without any JavaScript running. If it was fine on a few selected (and, unsurprisingly, privacy-respecting) websites, it was… close to impossible everywhere else, including state/government/public services websites. That’s the first thing I would want to change if we were to take back some control/privacy: official/public services should not rely on privacy-invasive tools.

    • morto@piefed.social
      English · ↑ 2 · 3 days ago

      For general use, it’s almost impossible, but I found it very doable to have a browser without js in the phone, for reading stuff. Turns out most news and informational sites are readable without js.

  • sp3ctr4l@lemmy.dbzer0.com
    English · ↑ 29 · edited · 3 days ago

    canvasblocker ublockorigin privacybadger

    about:config ->

    -> javascript.options.shared_memory = FALSE

    -> privacy.firstparty.isolate = TRUE

    -> privacy.partition.network_state = TRUE

    -> privacy.partition.network_state.ocsp_cache = TRUE

    -> privacy.partition.network_state.ocsp_cache.pbmode = TRUE

    -> privacy.partition.serviceWorkers = TRUE

    -> privacy.reduceTimerPrecision = TRUE

    -> privacy.resistFingerprinting.reduceTimerPrecision.jitter = TRUE

    -> privacy.resistFingerprinting.reduceTimerPrecision.microseconds = 1000 … or… more?

    … might do something to stymie this?

    From the paper:

    We assume default configurations for the operating system and browser.

    Well I have no idea what the ‘default configuration’ of … Linux … is…

    But uh, theoretically this is something you could harden against by going balls to the wall with security preferences and options in firefox, waterfox, librewolf, ironfox, something like that… maybe?

    Also, it’s maybe possible that using a separate container for each separate tab could also stymie this.

      • sp3ctr4l@lemmy.dbzer0.com
        English · ↑ 5 · 3 days ago

        Yeah I apparently missed all this but yeah, there seems to have been a significant hubbub of basically… wait why do we even need this at all?

        To satisfy lazy corporate web devs who can’t be bothered to use existing APIs properly?

        That’s basically my take after a light review of reading several threads in various places around this, over the last few years.

      • sp3ctr4l@lemmy.dbzer0.com
        English · ↑ 6 · 3 days ago

        Waterfox seems to already have a default of 1000 microseconds, if… I think, you go with ‘strict’ privacy settings option?

        So on the one hand, a very brief perusal of the paper shows that the method needs like, sub 200 timings to work well.

        On the other hand… I have no idea if the exploit method effectively circumvents the way this timing speed limit actually works.

        I basically just sped read everything lol.
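
A check for the timer settings discussed in the comments above (`privacy.resistFingerprinting.reduceTimerPrecision.microseconds = 1000`, `javascript.options.shared_memory`): this is an added example, not part of any commenter's post, that measures the granularity page script actually gets from `performance.now()`. The helper names `estimateResolutionMs`, `quantizedClock` and `auditTimers` are hypothetical, and the test clock is constructed.

```javascript
// Added example (not from the thread). Helper names are hypothetical.

// Smallest positive step observed between consecutive readings of `now`,
// in milliseconds; null if the clock never advanced within maxReads calls.
function estimateResolutionMs(now, changes = 200, maxReads = 2e7) {
  let last = now();
  let smallest = Infinity;
  let seen = 0;
  for (let i = 0; i < maxReads && seen < changes; i++) {
    const t = now();
    if (t === last) continue;
    if (t > last) { smallest = Math.min(smallest, t - last); seen++; }
    last = t;
  }
  return seen === 0 ? null : smallest;
}

// Constructed test clock: real time advances stepMs per call, but readings
// are clamped down to a multiple of resolutionMs (how a reduced timer looks).
function quantizedClock(resolutionMs, stepMs) {
  let raw = 0;
  return () => {
    raw += stepMs;
    return Math.floor(raw / resolutionMs) * resolutionMs;
  };
}

// Report what the current page (or Node process) can observe.
// minMs = 1 corresponds to the 1000 microseconds value from the comment.
function auditTimers(minMs = 1) {
  const resolutionMs = estimateResolutionMs(() => performance.now());
  return {
    resolutionMs,
    coarseEnough: resolutionMs !== null && resolutionMs >= minMs,
    // Expected false when javascript.options.shared_memory is disabled.
    sharedArrayBuffer: typeof SharedArrayBuffer !== "undefined",
  };
}

console.log(auditTimers());
```

Pasted into the browser console, a `resolutionMs` near 1 confirms the pref is applied to `performance.now()`; it does not by itself show whether the technique from the paper is blocked.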

      • sp3ctr4l@lemmy.dbzer0.com
        English · ↑ 2 · 3 days ago

        Potentially?

        Maybe?

        I would not call myself an expert here, I don’t… dev webbrowsers, more like I’m a privacy minded power user.

        I’m literally just spitballing, I can guarantee nothing.

        Maybe if I did a full crash course over like a month or two, I could have what I would call a ‘semi-informed’ opinion.

  • Sinonatrix [comrade/them]@hexbear.net
    English · ↑ 10 · 3 days ago

    Then, by running those interactions through a pretrained convolutional neural network—a system that uses deep learning to analyze text, audio, and images—the attacker can deduce various apps and websites open on the device.

    This smells like total bullshit. I’m not going to read the paper, but another part of this article seems to identify latency as the sole input. If it were really so groundbreaking then where’s the demo I can run myself?

    • sp3ctr4l@lemmy.dbzer0.com
      English · ↑ 1 · 3 days ago

      It’s not bs, pattern analysis of large data sets is literally exactly what LLMs excel at.

      Human language is way way way more complex and arbitrary and inconsistent than if you train or use a model to only need to consider a defined kind of data output that follows strict rules precisely, as you’d have in a structured cache of memory.

      The demo is also apparently on the way, I believe they said in the paper or the article that they’re working toward showing off / making available an actual working example.

      There have been previous exploits and methods sort of similar to this kind of ‘timing as a spy’ method, that can literally discern useful information based only on the minute timing variations of overall power draw from a wall socket a system is plugged into, insane shit like that.

  • 9point6@lemmy.world
    ↑ 12 · ↓ 1 · 3 days ago

    Well now I don’t seem so crazy for having a minimum of 100 tabs open at any one time.

    Surely past a certain point it just becomes white noise

    • calliope@piefed.blahaj.zone
      English · ↑ 24 · 3 days ago

      The bad news is that the article says

      One of the best ways to prevent FROST attacks is to close tabs as soon as they’re no longer needed

      Leaving the tabs open just gives them more opportunities to track you.

      • alapakala@quokk.au
        English · ↑ 4 · 3 days ago

        or, no tabs at all. Let the window manager tab browser sessions instead. Isolated/jailed, ofc…

        • 9point6@lemmy.world
          ↑ 3 · 3 days ago

          Nah, that’s not gonna do anything for this given it is looking at the I/O characteristics of your SSD, it doesn’t need any permissions to do this, it’s basically just copying stuff in its own sandbox and pulling data from analysing the transfer characteristics.

          Unless for every site you want to visit you install a fresh SSD, with a new installation of a browser and you only ever visit a given site from its dedicated browser and SSD, and do nothing else with it. (This is not limited to figuring out just what sites you’re visiting, but also what applications you’re running)

          The alternative is something similar to what I suggested which is to basically ensure your SSD is spammed with accesses so it’s very hard to pull out the individual signals.

          It’s similar to a VPN connection. If someone is particularly interested in you, they can look at the pattern of VPN transfer traffic. If you open a connection and then go straight to a website and nothing else, it’s relatively trivial for a determined enough adversary to take a fingerprint of the transfer sizes and timings. Enough times they can get a good set of fingerprints that they can then start to match to actual sites.

          Now this was regarded as quite hard to do until AI tools like this one came along to dramatically reduce the time needed to do this analysis.

          A way to mitigate the above is to make sure your connections are doing multiple things so it’s harder to pull these fingerprints from traffic patterns. So I’m assuming the same strategy would work here given it’s basically the same kind of attack.

            • 9point6@lemmy.world
              ↑ 2 · 3 days ago

              Sorry could you elaborate? You just linked to the MDN page in the comment and claimed it was bad in that one. Did you mean to link to a different one?

              It’s implemented everywhere, so it’s not that it’s a single browser doing something weird, it seems to be sandboxed (in a conventional sense), and there’s plenty of use cases where an application might need high performance storage access or a pseudo filesystem.

              What is your reasoning for unimplementing it rather than mitigating the issue? I don’t believe there is an equivalent web technology to this that people could use instead.

              • alapakala@quokk.au
                English · ↑ 1 · 3 days ago

                As demonstrated in the paper, OPFS enables attackers to read more than just browsing habits, but also solid state gates’ data.
                Meaning, if vendors require HPSA, they will need to redesign their entire threat model to an isolated securely atomized one that OPFS by design cannot secure.

                • 9point6@lemmy.world
                  ↑ 1 · 3 days ago

                  I get that the paper has discovered a flaw, but I don’t see how it is unmitigatable, it’s still a sandboxed filesystem at the end of the day, rate smoothing and noise insertion seem like fairly obvious first steps and I’m far from an expert.

                  It’s like saying we should get rid of VPNs because they suffer the same kinds of side channel risk.

  • LittleFellaNamedBoof [any]@hexbear.net
    English · ↑ 6 · 3 days ago

    If you are concerned about this, it uses JavaScript, so you can get the NoScript extension and just choose which sites are allowed to use JavaScript. Sites blocked from using it WILL break though.