#68 Consider adding options to make farbling less stable
Opened 2 years ago by polcak. Modified 11 months ago

The sessionHash in farbling white lies is stable for the whole session. Consider allowing users to regenerate the hash or allow users to modify the hash for each page reload (or even for each wrapper call).


Summary

Add possibility to reset the farbling key.

Setup

  1. Enter a website and leave
  2. Clear cookies or perform another actions that the user expects to provide a fresh state
  3. Go back to the website. As the internals of the farbling did not change, the fingeprint is the same.

Expected result

The state is cleared, fingerprint changes. User is warned in a different way. Maybe there can be a button (in the popup) that allows to change the identity.

The preferred way is to sync with cookie cleaning.

Actual result/workarounds

Farbling can be reseted by restarting the browser or reinstall the extension.

One can also inspect the extension memory by going to about:debugging (Firefox) or chrome:extensions (Chrome), finding JShelter and inspecting its memory. The object Hashes stores the current configuration. So:

delete Hashes.visitedDomains["pagure.io"];

removes the current hash for pagure.io.

(Note that once we switch to manifest v3, there won't be any background page so the memory fiddling workaround will stop working. We will need to keep the hashes in a storage so a different workaround will be possible. The hashes might be visible in the Advanced options of the extension.)

Metadata Update from @polcak:
- Issue set to the milestone: None (was: NLNet evaluation)

a year ago

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies/onChanged should allow detection of cookie removal but it needs cookies and host permissions. We do not need cookies permission atm. We might hide automatic reset under an opt-in settings.

#113 is effectively a duplicate of this issue.

Login to comment on this ticket.

Metadata