This repository has been archived by the owner on Nov 7, 2024. It is now read-only.
xsite-tracking-model.bsinc
## Cross-site recognition ## {#model-cross-site-recognition}
<table class="threatmodel">
<tr class="goals">
<td></td>
<th><div><div>[[#goal-transfer-userid]]</div></div></th>
<th><div><div>[[#goal-userid-tracker-to-self-in-pub]]</div></div></th>
<th><div><div>[[#goal-userid-tracker-in-pub1-to-self-in-pub2]]</div></div></th>
<th><div><div>[[#goal-prob-transfer-userid-no-nav]]</div></div></th>
<th><div><div>[[#goal-prob-transfer-userid]]</div></div></th>
</tr>
<tr>
<th>[[#cap-iframes]]</th>
<td data-goal="transfer-userid" style="color:green">✘</td>
<td data-goal="userid-tracker-to-self-in-pub" style="color:green">✘</td>
<td data-goal="userid-tracker-in-pub1-to-self-in-pub2" style="color:green">✘</td>
<td data-goal="prob-transfer-userid-no-nav" style="color:green">✘</td>
<td data-goal="prob-transfer-userid" style="color:green">✘</td>
</tr>
<tr>
<th>[[#cap-first-party-js]]</th>
<td data-goal="transfer-userid" style="color:green">✘</td>
<td data-goal="userid-tracker-to-self-in-pub" style="color:green">✘</td>
<td data-goal="userid-tracker-in-pub1-to-self-in-pub2" style="color:green">✘</td>
<td data-goal="prob-transfer-userid-no-nav" style="color:green">✘</td>
<td data-goal="prob-transfer-userid" style="color:green">✘</td>
</tr>
<tr>
<th>[[#cap-read-logs]] on other publishers</th>
<td data-goal="transfer-userid" style="color:green">✘</td>
<td data-goal="userid-tracker-to-self-in-pub" style="color:green">✘</td>
<td data-goal="userid-tracker-in-pub1-to-self-in-pub2" style="color:green">✘</td>
<td data-goal="prob-transfer-userid-no-nav" style="color:green">✘</td>
<td data-goal="prob-transfer-userid">
<details>
<summary style="color:red">✓</summary>
Publisher 2 reads their own logs for the page load and publisher 1's logs
for the click tracking of the navigation click. [=User IDs=] that clicked on
publisher 1 at approximately the same time as that link's target loaded on
publisher 2 are probabilistically correlated.
</details>
</td>
</tr>
<tr>
<th>[[#cap-run-on-server]] on the target publisher</th>
<td data-goal="transfer-userid">
<span style="color:green">✘</span>
</td>
<td data-goal="userid-tracker-to-self-in-pub">
<details>
<summary style="color:red">✓</summary>
The tracker adds a path segment, possibly encrypted, in their links to the
publisher, encoding the user's ID within the tracker. They convince the
publisher to <a href="#ess-server-defined-paths">ignore that path segment in
their server processing</a>. The tracker running inside that publisher reads
the URL, decodes the tracker site's user ID, and <a
href="#ess-js-requests">sends that and the tracker-within-publisher user ID
up to the tracker's server</a>.
</details>
</td>
<td data-goal="userid-tracker-in-pub1-to-self-in-pub2" >
<span style="color:green">✘</span>
</td>
<td data-goal="prob-transfer-userid-no-nav" >
<span style="color:green">✘</span>
</td>
<td data-goal="prob-transfer-userid">
<span style="color:green">✘</span>
</td>
</tr>
<tr>
<th>[[#cap-first-party-js]] or [[#cap-run-on-server]] on the source site and [[#cap-run-on-server]] on the target publisher</th>
<td data-goal="transfer-userid">
<span style="color:green">✘</span>
</td>
<td data-goal="userid-tracker-to-self-in-pub" >
<details>
<summary style="color:red">✓</summary>
The tracker adds a path segment, possibly encrypted, in their links to the
publisher, encoding the user's ID within the tracker. They convince the
publisher to <a href="#ess-server-defined-paths">ignore that path segment in
their server processing</a>. The tracker running inside that publisher reads
the URL, decodes the tracker site's user ID, and <a
href="#ess-js-requests">sends that and the tracker-within-publisher user ID
up to the tracker's server</a>.
</details>
</td>
<td data-goal="userid-tracker-in-pub1-to-self-in-pub2" >
<details>
<summary style="color:red">✓</summary>
The tracker adds a path segment, possibly encrypted, in publisher 1's
links to publisher 2, encoding the user's ID within publisher 1. They
convince publisher 2 to <a href="#ess-server-defined-paths">ignore that
path segment in their server processing</a>. The tracker running inside
that publisher reads the URL, decodes publisher 1's user ID, and <a
href="#ess-js-requests">sends that and publisher 2's user ID up to the
tracker's server</a>.
</details>
</td>
<td data-goal="prob-transfer-userid-no-nav" >
<span style="color:red">✓</span>
</td>
<td data-goal="prob-transfer-userid">
<span style="color:red">✓</span>
</td>
</tr></table>
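The log-reading row above says the correlation is only probabilistic. The following added example (not part of the original specification) measures that from the publisher's side: for each page load it counts how many click-log [=user IDs=] remain plausible matches. The log records, the `window_s` matching window and the `bucket_s` timestamp granularity are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample logs: (user_id, url, unix_timestamp_seconds).
# Publisher 1 logs outbound click tracking; publisher 2 logs page loads.
PUB1_CLICKS = [
    ("p1-alice", "https://pub2.example/story", 1000.2),
    ("p1-bob",   "https://pub2.example/story", 1003.9),
    ("p1-carol", "https://pub2.example/story", 1041.0),
    ("p1-dave",  "https://pub2.example/other", 1000.5),
]
PUB2_LOADS = [
    ("p2-u1", "https://pub2.example/story", 1000.9),
    ("p2-u2", "https://pub2.example/story", 1004.6),
    ("p2-u3", "https://pub2.example/story", 1041.8),
]


def coarsen(ts, bucket_s):
    """Round a timestamp down to the granularity the log is stored at."""
    return ts - (ts % bucket_s)


def candidate_sets(clicks, loads, window_s, bucket_s=1.0):
    """Map each load's user ID to the click user IDs it could correspond to.

    A click is a candidate when it targets the loaded URL and precedes the
    load by at most window_s, comparing timestamps at bucket_s granularity.
    """
    clicks_by_url = defaultdict(list)
    for uid, url, ts in clicks:
        clicks_by_url[url].append((uid, coarsen(ts, bucket_s)))

    result = {}
    for uid, url, ts in loads:
        load_ts = coarsen(ts, bucket_s)
        result[uid] = {
            click_uid
            for click_uid, click_ts in clicks_by_url[url]
            if 0 <= load_ts - click_ts <= window_s
        }
    return result


def uniquely_linkable(sets):
    """Load user IDs left with exactly one candidate: the high-risk cases."""
    return sorted(uid for uid, cands in sets.items() if len(cands) == 1)
```

With one-second log granularity every load in the sample has a single candidate; at 60-second granularity the two loads in the busy minute become ambiguous, while the load in the quiet minute is still uniquely linkable.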
Further cross-site recognition is available by combining capabilities with the
ability to [[#cap-first-party-js]] (or [[#cap-run-on-server]] to add
attacker-controlled JavaScript):
<table class="threatmodel">
<tr class="goals">
<td></td>
<th><div><div>[[#goal-prob-transfer-userid-no-nav]]</div></div></th>
</tr>
<tr>
<th>[[#cap-type-identifier]]</th>
<td data-goal="prob-transfer-userid-no-nav">
<details>
<summary style="color:red">✓</summary>
The tracker gets a report of the identifiers typed in both publisher
sites, along with each publisher's [=user id=]. If they're equal, the
[=user ids=] probably refer to the same user. The probability depends on
the type of identifier: email addresses or credit card numbers are very
high probability. Names or dates of birth are lower probability unless
combined with other information like a zip code.
</details>
</td>
</tr>
<tr>
<th>[[#cap-same-device-same-time]]</th>
<td data-goal="prob-transfer-userid-no-nav">
<details>
<summary style="color:red">✓</summary>
The tracker reads the two devices, and if they give the same output at
approximately the same time, the user is probably the same. For devices
like cameras and microphones, detection is likely to be very accurate.
Others, like ambient light, might only give a few bits per sample, and
so need a long period of overlap in order to provide a good correlation.
For some devices, this transfer can be mitigated by turning off input
when the site isn't visible or isn't focused, but user expectations
limit where that mitigation is applicable.
</details>
</td>
</tr>
<tr>
<th>[[#cap-same-rw-device]]</th>
<td data-goal="prob-transfer-userid-no-nav">
<details>
<summary style="color:red">✓</summary>
The tracker writes identifying content to the device and then reads it
back when the other site is opened. This is visible to varying degrees
depending on the device: an individual native file or a Bluetooth or USB
device that isn't designed to cooperate with this sort of tracking is
likely to break in obvious ways when the tracker tries to write an
identifier. A native directory, on the other hand, has many available
filenames that could hold identifying information without a user being
likely to notice.
</details>
</td>
</tr>
<tr>
<th>[[#cap-open-for-browser-event]]</th>
<td data-goal="prob-transfer-userid-no-nav">
<span style="color:green">✘</span>
</td>
</tr>
<tr>
<th>[[#cap-visible-for-browser-event]]</th>
<td data-goal="prob-transfer-userid-no-nav">
<details>
<summary style="color:red">✓</summary>
Browser-wide events generally need to be visible immediately when a user
is looking at a website, so the tracker just needs to notice that the
event's parameters are the same and its timestamps on the two sites are
close together. The probability of identifying a single user goes up as
more events are observed.
</details>
</td>
</tr>
</table>