From 5f9b5c3be053bc7fc6535683f29f2477539759b7 Mon Sep 17 00:00:00 2001 From: Libor Polčák Date: Apr 04 2022 08:56:47 +0000 Subject: Unify extension and webextension --- diff --git a/paper.tex b/paper.tex index a59dd5c..4a47413 100644 --- a/paper.tex +++ b/paper.tex @@ -61,7 +61,7 @@ page observe the device boot time if sensor APIs are enabled in Chromium-based browsers. \jshelter{} provides a fingerprinting report and other feedback that can be used by future security research and data protection - authorities. Thousands of users around the world use the extension every day.} + authorities. Thousands of users around the world use the webextension every day.} \end{abstract} \keywords{Browser fingerprinting, web privacy, web security, webextension APIs, JavaScript} @@ -107,7 +107,7 @@ share a more precise location (e.g. during navigation), and other times they wan to share the location with limited precision (e.g. they are exploring a location unrelated to their current position). -This paper presents \jshelter{}, a web browser extension that allows +This paper presents \jshelter{}, a web browser extension (webextension) that allows users to tweak the browser APIs. Additionally, \jshelter{} detects and prevents fingerprinting. Moreover, JSR blocks attempts to misuse the browser as a proxy to access the local network. \jshelter{} educates users by explaining fingerprinting APIs in a 
@@ -116,7 +116,7 @@ Zero~\cite{js0} and little-lies-based fingerprinting prevention \cite{PriVaricator,FPRandom}. We needed to solve the problem of reliably injecting protection code. We introduce NoScript Commons Library (NSCL)\footnote{\url{https://noscript.net/commons-library}} that -other privacy- and security-related extensions can reuse to solve common tasks. +other privacy- and security-related webextensions can reuse to solve common tasks. We implemented \jshelter{} for Firefox and Chromium-based browsers like Chrome, Opera, and Edge. We provide experience from user feedback that should be valuable to other research projects. @@ -131,11 +131,11 @@ device through sensor timestamps in Chromium-based browsers. This paper is organised as follows. Section~\ref{sec:threats} presents the threats that users face while web browsing. -Section~\ref{sec:countermeasures} compares the extension described in this paper to -other security- and privacy-related extensions. Section~\ref{sec:methodology} +Section~\ref{sec:countermeasures} compares \jshelter{} to +other security- and privacy-related webextensions. Section~\ref{sec:methodology} provides the design decisions that we faced during the development of \jshelter{}. -Section~\ref{sec:results} evaluates the features of the extension and discusses +Section~\ref{sec:results} evaluates the \jshelter{} features and discusses user feedback. Section~\ref{sec:conclusion} concludes this paper. 
@@ -414,7 +414,7 @@ Hence, blocklists are very useful as a first-line defence and improve web performance~\cite{FirefoxTP}. However, blockers are not enough as the niche cases evade the blockers~\cite{block_me_if_you_can}. -Extensions like NoScript Security Suite and uMatrix Origin allow users to +Webextensions like NoScript Security Suite and uMatrix Origin allow users to block JavaScript or other content either completely or per domain. Hence, they can address all six threats raised in §\ref{sec:threats}. However, the user needs to evaluate what scripts to allow. HTTP Archive @@ -424,7 +424,7 @@ Many pages depend on JavaScript. Users must select what content to trust. A typical page contains resources from many external sources, so such a user requires excellent knowledge. Moreover, a malicious code may be only a part of resources; the rest of the resource can be necessary for correct page -functionality. So we believe that extensions like NoScript Security Suite and uMatrix +functionality. So we believe that webextensions like NoScript Security Suite and uMatrix Origin are good but do not protect the user from accidentally allowing malicious code. 
@@ -440,14 +440,14 @@ shown that the webpage can obtain access to the original API calls. Web API Manager \cite{webapi-vibrate} classifies JavaScript APIs into 81 standards\footnote{\url{https://github.com/snyderp/web-api-manager/tree/master/sources/standards}}. -A the Web API Manager extension user can disable all functionality defined +A the Web API Manager webextension user can disable all functionality defined by any of the standards. The authors prepared three configurations with standards blocked depending on their benefits and costs~\cite{webapi-vibrate}. Web API Manager is most effective against T3 and not targeted T2, but it can help mitigate other threats. Unfortunately, Web API Manager does not allow a user to allow only a part of the standard, e.g. it is not possible to allow Canvas API for drawing but disallow reading that is used for -fingerprinting~\cite{canvas_fingerprint}. Additionally, the extension is no +fingerprinting~\cite{canvas_fingerprint}. Additionally, the webextension is no longer maintained\footnote{See the message on the GitHub page \url{https://github.com/snyderp/web-api-manager/blob/master/README.md}}, it is not compatible with Firefox Multi-Account Containers\footnote{See @@ -457,7 +457,7 @@ Manager user with a tailored configuration can potentially be uniquely identified with the JavaScript enumerating code developed by Schwarz et al.~\cite{jstemplates_property_traversal}. -Other vital extensions are cookie managers (threat T1) or local CDN cachers +Other vital webextensions are cookie managers (threat T1) or local CDN cachers (threats T1 and T4). \subsection{Privacy-focused browsers} 
@@ -473,8 +473,8 @@ threats T1, T2, T3, T5, and T6. Nevertheless, Torbrowser users should not resize the window and install -additional extensions. These requirements downgrade comfort, and users might be unwilling to -abandon favourite extensions or be tempted to resize the window for more comfort. As the +additional webextensions. These requirements downgrade comfort, and users might be unwilling to +abandon favourite webextensions or be tempted to resize the window for more comfort. As the communication is relayed multiple times by relays spread worldwide, latency increases, and throughput is limited. The list of Tor exit node IP addresses is public. Moreover, malicious actors often misuse Tor. Some services block Tor @@ -792,8 +792,9 @@ quickly fix a broken page. \subsection{Effective modifications of JavaScript environment} -The core functionality of the extension lies in monitoring and modifying the results of the -built-in JavaScript APIs and built-in object behaviour. \jshelter{} employs the +Monitoring and modifying the results of the +built-in JavaScript APIs and built-in object behaviour +is the \jshelter{} core functionality. \jshelter{} employs the same mechanism proposed by Schwarz et al.~\cite{js0} in Chrome Zero. However, Chrome Zero was a proof-of-concept without any modification in the last four years. Shusterman et al.~\cite{PrimeProbe1JS0} identified several problems with Chrome Zero: 
@@ -803,7 +804,7 @@ Shusterman et al.~\cite{PrimeProbe1JS0} identified several problems with Chrome \item Unprotected prototype chains (issue 1): the original implementation is available through the prototype chain because Chrome Zero protects a wrong property. - \item Delayed extension initialisation (issue 2): Current webextension APIs lack a + \item Delayed JavaScript environment initialisation (issue 2): Current webextension APIs lack a reliable and straightforward way to inject scripts modifying the JavaScript environment before page scripts start running. As \jshelter{} (and Chrome Zero) allows configurable protection that may differ per origin, it needs to access an asynchronous API that @@ -811,7 +812,7 @@ Shusterman et al.~\cite{PrimeProbe1JS0} identified several problems with Chrome page scripts to access original, unprotected API calls. Note that once page scripts have the opportunity to access the original API implementation, they can store the unprotected version. There is no - way (for an extension) to reverse the leak. + way (for a webextension) to reverse the leak. \item Missed context (issue 3): Chrome Zero does not apply protection in iframes and worker threads. @@ -820,7 +821,7 @@ Shusterman et al.~\cite{PrimeProbe1JS0} identified several problems with Chrome In addition, Firefox suffers from a long-standing unfixed bug~\cite{ff-bug-csp} -that prevents up to 10\,\% of Firefox extensions from working correctly on +that prevents up to 10\,\% of Firefox webextensions from working correctly on pages whose Content Security Policy (CSP) forbids inline scripts \cite{FirefoxCSPBugBP} (issue 4). 
@@ -843,7 +844,7 @@ overriding step 1 choice. A significant effort of the \jshelter{} development went into developing a reliable cross-browser early script injection that tackles issues 2--4. -These are problems affecting several privacy and security extensions. +These are problems affecting several privacy and security webextensions. In fact, the techniques adopted and further honed while developing \jshelter{} had been extracted from the NoScript Security Suite\footnote{\url{https://noscript.net/}}, refactored into the NSCL @@ -851,7 +852,7 @@ and made publicly available for reusing and contributing back. This aims to minimise the maintenance burden and mitigate the danger of introducing insidious bugs and security vulnerabilities due to feature mismatches and multiple code paths by abstracting the common functionality -shared among security and privacy extensions, providing consistent +shared among security and privacy webextensions, providing consistent implementations across multiple browser engines and shielding developers from the browser-dependent implementation details. 
@@ -859,16 +860,17 @@ The NSCL tackles issue 2 in its \verb|DocStartInjection| module\footnote{\url{https://github.com/hackademix/nscl/20220330/main/service/DocStartInjection.js}}, by preprocessing URL-dependent configuration inside a \verb|BeforeNavigate| event handler. This event is fired every time the browser starts -loading a new page and notifies the extension of the destination URL, which \jshelter{} uses +loading a new page and notifies the webextension of the destination URL, which \jshelter{} uses to build a configuration object in advance and make it available to the content script -before it starts its own processing. This technique always succeeds in pre-configuring the extension +before it starts its own processing. This technique always succeeds in +pre-configuring the webextension on document start, before any page script can run, on Firefox; but on Chromium it might sometimes fail due to race conditions. As a safety net for these edge cases, when no configuration object is found by the content script, the special \verb|SyncMessage| API\footnote{\url{https://github.com/hackademix/nscl/20220330/main/common/SyncMessage.js}}, an ugly (because based on the deprecated synchronous \verb|XMLHttpRequest| API) but effective hack provided by the NSCL, is used to still retrieve the correct settings in a timely manner. -To address issue 3, the configuration of the extension (\verb|manifest.json|) +To address issue 3, the configuration of the webextension (\verb|manifest.json|) registers code injection into all the newly created windows, including subframes. Unfortunately, this alone cannot prevent dynamically created windows and frames from being exploited by the originator page to retrieve pristine unwrapped objects and therefore work around 
@@ -951,9 +953,9 @@ is not responsible in current \jshelter{} versions without adblocker due to too much time spent in the spoofing code. We are not aware of any isolated side-effect that reveals -\jshelter{}. For example, some similar extensions do not -modify \verb|toString|. A page script could detect such an extension as each -extension modifying the call by the same technique will likely use a different +\jshelter{}. For example, some similar webextensions do not +modify \verb|toString|. A page script could detect such a webextension as each +webextension modifying the call by the same technique will likely use a different code. Nevertheless, we are aware and do not hide that users of \jshelter{} are vulnerable to focused attacks. Our goal is to offer a protection indistinguishable from another privacy-improving tool for each modified API. 
@@ -1065,13 +1067,16 @@ cookies because our previous experience suggests that the missing possibility to store a permanent identifier tempts trackers to start fingerprinting. We repeated the visits with both Google Chrome and Mozilla Firefox. -We used FPMON and DFPM extensions to create the ground truth. For each visited +We used FPMON and DFPM webextensions to create the ground truth. For each visited page, we computed its fingerprinting score. FPMON reports fingerprinting pages with colour. We assigned yellow colour 1 point and red colour 3 points. DFPM reports danger warnings. If DFPM reports one danger warning, we assign 1 point to the page. For a higher number of danger warnings, we assign 3 points to the page. Therefore, each page gets a fingerprinting score from 0 to 6. Table \ref{tab:fpdstudy} shows the results of the comparison. We classify a page as fingerprinting when its score is 4 or more. We did not count pages with a score of 3 or 2 as fingerprinting because their status is unclear. We consider -scores 0 and 1 as an indication of no fingerprinting. However, as reported above, the ground truth is far from flawless. We encountered many exceptions during testing and examined them in detail. In many cases, FPD detects fingerprinting, but the reference extensions do not. +scores 0 and 1 as an indication of no fingerprinting. However, as reported +above, the ground truth is far from flawless. We encountered many exceptions +during testing and examined them in detail. In many cases, FPD detects +fingerprinting, but the reference webextensions do not. (1) \emph{The score of 6.} FPD successfully detects pages with a score of 6 except the \emph{Google 
@@ -1176,7 +1181,7 @@ Chromium-based browsers. We consider both approaches to solving threat T5; it is up to the user what solution they prefer. Note that Google postponed the Chrome PNA deployment during March 2022, so Chrome -users without \jshelter{} or another extension with similar capabilities are not +users without \jshelter{} or another webextension with similar capabilities are not protected. @@ -1185,7 +1190,7 @@ protected. Some users found \jshelter{} immediately after initial upload to webextension sites. Nevertheless, the number of users increased massively only after an announcement by Free Software Foundation. Figure~\ref{fig:users}, shows \jshelter{} users in time -in Firefox and Chrome. The graph shows that an extension like \jshelter{} has an +in Firefox and Chrome. The graph shows that \jshelter{} has an audience and users want to control their browsers. \begin{figure}[h!] @@ -1212,7 +1217,7 @@ explanation even though we highlight that similar randomly generated strings are already available through \verb|MediaDevices.prototype.enumerateDevices|, the created profile is unique by design. -A common problem is that users do not understand what the extension is doing and +A common problem is that users do not understand what \jshelter{} is doing and that several modules work in parallel and can be enabled and configured separately. We tweaked the UI several times to make the UI as straightforward as possible and we added explanations and want to add even more 
@@ -1292,8 +1297,9 @@ In cooperation with the Free Software Foundation, we aim for long-term \jshelter{} development; thus, users' privacy and security should be improved in the future. We explain fingerprinting vectors introduced by Sensor API in mobile browsers. -We propose to use the extension by data protection -specialists to detect browser fingerprinting and other information leaks. We +Data protection +specialists should detect browser fingerprinting and other information leaks +with \jshelter{}. We integrated fingerprint report and notifications to facilitate the task. We discussed considerations and issues connected with deployment. The webextension is under development. Future work will include fixing problems breaking pages, improved heuristics of FPD, and research @@ -1303,7 +1309,8 @@ enough to stop a determined fingerprinter that can, for example, approximate colour values of several pixels or repeat an effect multiple times? \jshelter{} should not be considered a single bullet-proof solution. -We anticipate that everyday users will install \jshelter{} together with other extensions like +We anticipate that everyday users will install \jshelter{} together with other +webextensions like list-based blockers or JavaScript blockers. \section{Acknowledgement}
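Review bot: in the abstract hunk (@@ -61,7) "webextension" is now used before the term is introduced; the definition "a web browser extension (webextension)" only arrives in the introduction at @@ -107,7. An abstract is read on its own, so consider "browser extension" here, or spell the term out on first use.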
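Review bot: the unchanged line following the edit in @@ -107,7 still reads "Moreover, JSR blocks attempts to misuse the browser as a proxy", while the sentences around it use \jshelter{}. Since this commit is about unifying naming, replace "JSR" with \jshelter{} in the same pass.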
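Review bot: the added line in @@ -440,14 carries over the typo "A the Web API Manager webextension user" from the line it replaces. Drop the stray article so it reads "A Web API Manager webextension user can disable all functionality defined".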
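Review bot: in @@ -792,8 the rewritten opening sentence ends with "is the \jshelter{} core functionality." and is immediately followed by "\jshelter{} employs the same mechanism", so the name appears twice back to back after a two-line gerund subject. Keeping the original word order and swapping only the name, e.g. "The core functionality of \jshelter{} lies in monitoring and modifying the results of the built-in JavaScript APIs and built-in object behaviour.", gives the same terminology fix with a smaller diff.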
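Review bot: renaming the list item in @@ -803,7 from "Delayed extension initialisation (issue 2)" to "Delayed JavaScript environment initialisation (issue 2)" is more than a terminology swap. The list is introduced as problems that Shusterman et al. identified with Chrome Zero, so check that the new label is still a fair description of what they reported. Either keep it as "Delayed webextension initialisation" or mention the rename in the commit message.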
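Review bot: the two NSCL footnote URLs in the context of @@ -859,16 (the DocStartInjection.js and SyncMessage.js links, both under "hackademix/nscl/20220330/main/") do not follow GitHub's usual /blob/<ref>/<path> form for file links, so please check that they resolve while touching this paragraph. On the changed lines, "notifies the webextension of the destination URL, which \jshelter{} uses" mixes the generic and the specific name in one sentence; pick one, depending on whether the statement is about NSCL clients in general or about \jshelter{}.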
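Review bot: @@ -1065,13 re-wraps the long paragraph ending in "but the reference webextensions do not." on top of the two word replacements, so the one-word change at the end is buried in four new lines; @@ -1303,7 does the same for "together with other webextensions like". Consider moving the re-wrapping to a separate commit so this one stays a pure rename.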
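Review bot: the replacement in @@ -1292,8 changes the meaning, not just the term. "We propose to use the extension by data protection specialists to detect browser fingerprinting" was a proposal by the authors, whereas "Data protection specialists should detect browser fingerprinting and other information leaks with \jshelter{}." reads as an instruction to those specialists. Wording such as "We propose that data protection specialists use \jshelter{} to detect browser fingerprinting and other information leaks." keeps the original claim.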