Earlier today we published the details of a set of vulnerabilities in Safari's Intelligent Tracking Prevention privacy mechanism: https://arxiv.org/abs/2001.07421 . They are... interesting. [1/9]
@kkotowicz @empijei @we1x
In a nutshell, Safari bases its anti-tracking approach not on a built-in, static list of domains, but on making a local decision about the sites that your browser recognizes as providers of third-party resources. [2/9]
The first problem is that this requires building up a custom model of what sites are loaded in third-party contexts, which depends on your individual traffic and implicitly encodes information about your browsing history. [3/9]
The second problem is that when the browser uses this model to change its behavior (e.g. removes cookies or the `Referer` header from some requests), its underlying data gets exposed to any website (How, you ask? -> Section 1.2.1) [4/9]
What you end up with is a personalized anti-tracking model baked into your browser. That model is not only a unique identifier, but also reveals information about sites you visited since last clearing browsing state. That's not great. [5/9]
As far as mitigations go, there are definitely useful things the browser can do to address such leaks (and Safari has done them: https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/ …). But completely fixing this is hard. [6/9]
There is an important and somewhat unexpected lesson in all of this. It's that if you alter browser behavior based on locally gathered data, then if your changes have web-observable consequences, you're going to have a bad time. [7/9]
This is a concern not just for Safari and ITP, but for all other anti-tracking proposals. For example, Chrome's Privacy Budget idea will have to grapple with the same kinds of issues as it develops. [8/9]
One last thing: it's clear that Apple is trying to do the right thing and the WebKit folks we've interacted with care deeply about privacy. We hope that these results will help Safari & guide other browser vendors in the long run. [fin]
Replying to @arturjanc @kkotowicz and others:
This is so badass! Congrats to you and the whole team!!