From f509cf59e1cd7ac3e25d8e3cf53aa02c7ce491c9 Mon Sep 17 00:00:00 2001 From: Jeffrey Yasskin Date: Wed, 3 Jun 2020 14:22:56 -0700 Subject: [PATCH 1/2] Add a script to check that cells are under the right headers. --- index.bs | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/index.bs b/index.bs index 70b66fd..b955337 100644 --- a/index.bs +++ b/index.bs @@ -85,6 +85,75 @@ details[open] { text-align: left; } + Advisement: This document is at a very early stage. Many things in it are wrong and/or incomplete. Please take it as a rough shape for how we might document the From 7e6163000163f99a2d699f13631e6aea175cd8a8 Mon Sep 17 00:00:00 2001 From: Jeffrey Yasskin Date: Wed, 3 Jun 2020 11:57:25 -0700 Subject: [PATCH 2/2] Describe navigation as a capability, not a goal. This reduces the number of goal columns at the cost of increasing the number and complexity of rows in the table. I hope it makes it easier to see what abilities an attacker gains when they're willing to show the user a navigation. --- capabilities.bsinc | 6 +++++ goals.bsinc | 36 ++++++++++------------------ xsite-tracking-model.bsinc | 49 ++++++++++++++++++++------------------ 3 files changed, 44 insertions(+), 47 deletions(-) diff --git a/capabilities.bsinc b/capabilities.bsinc index c140029..7e5c0d0 100644 --- a/capabilities.bsinc +++ b/capabilities.bsinc @@ -4,6 +4,12 @@ These are things some attackers can do. The attackers can use them to achieve their goals. All attackers are assumed to be able to buy domains and host sites on their domains. +## Show the user a navigation ## {#cap-navigate} + +Users can notice a site navigating, and it disrupts the top-level site's state, +so not all attackers will be willing to create an extra navigation in order to +transfer a user ID. + ## Load iframes ## {#cap-iframes} The attacker can convince a publisher to load an iframe from the attacker's site. 
diff --git a/goals.bsinc b/goals.bsinc index f147d09..e4850a7 100644 --- a/goals.bsinc +++ b/goals.bsinc 
@@ -17,37 +17,25 @@ it occurred. A context is a set of resources that are controlled by the same party or jointly controlled by a set of parties. The following are building blocks that allow a tracker to build such a log of a user's activity. -### Transfer user ID from publisher 1 to publisher 2 on navigation. ### {#goal-transfer-userid} +### Transfer user ID from publisher 1 to publisher 2. ### {#goal-transfer-userid} -When the user clicks a link from [=publisher=] 1 that navigates to [=publisher=] -2, publisher 2's server learns that a [=user ID=] on publisher 2 and a [=user ID=] on -publisher 1 represent the same [=user=]. +[=Publisher=] 2's server learns that a [=user ID=] on [=publisher=] 2 and a [=user ID=] +on [=publisher=] 1 represent the same [=user=]. -### Transfer user ID from tracker to that tracker running within a publisher, on navigation. ### {#goal-userid-tracker-to-self-in-pub} +### Transfer user ID from tracker to that tracker running within a publisher. ### {#goal-userid-tracker-to-self-in-pub} -When the user clicks a link from `tracker.example` to `publisher.example`, that -[=tracker's=] server learns that a [=user ID=] for either `publisher.example` or -the tracker running within `publisher.example` and a [=user ID=] for -`tracker.example` represent the same [=user=]. +[=tracker=].example's server learns that a [=user ID=] for either +`publisher.example` or the tracker running within `publisher.example` and a +[=user ID=] for `tracker.example` represent the same [=user=]. -### Transfer user ID from tracker within publisher 1 to that tracker within publisher 2, on navigation. ### {#goal-userid-tracker-in-pub1-to-self-in-pub2} +### Transfer user ID from tracker within publisher 1 to that tracker within publisher 2. 
### {#goal-userid-tracker-in-pub1-to-self-in-pub2} -When the user clicks a link from `publisher1.example` (where a tracker was -embedded within that site) to `publisher2.example` (which has the same tracker -embedded), that [=tracker's=] server learns that a [=user ID=] for either +A [=tracker's=] server learns that a [=user ID=] for either `publisher1.example` or the tracker running within `publisher1.example` and a [=user ID=] for either `publisher2.example` or the tracker running within `publisher2.example` represent the same [=user=]. -### Probabilistically transfer user ID from publisher 1 to publisher 2 on navigation. ### {#goal-prob-transfer-userid} +### Probabilistically transfer user ID from publisher 1 to publisher 2. ### {#goal-prob-transfer-userid} -When the user clicks a link from [=publisher=] 1 that navigates to [=publisher=] -2, publisher 2's server learns that a [=user ID=] on publisher 2 and a [=user ID=] on -publisher 1 are more likely than chance to represent the same [=user=]. - -### Probabilistically transfer user ID from publisher 1 to publisher 2 without navigation. ### {#goal-prob-transfer-userid-no-nav} - -While the user is visiting [=publisher=] 1, that publisher can tell -[=publisher=] 2 that a [=user ID=] on publisher 2 and a [=user ID=] on publisher -1 are more likely than chance to represent the same [=user=], without requiring -the user to navigate from publisher 1 to publisher 2. +[=Publisher=] 2's server learns that a [=user ID=] on [=publisher=] 2 and a [=user ID=] on +[=publisher=] 1 are more likely than chance to represent the same [=user=]. diff --git a/xsite-tracking-model.bsinc b/xsite-tracking-model.bsinc index 4dcee51..132938e 100644 --- a/xsite-tracking-model.bsinc +++ b/xsite-tracking-model.bsinc @@ -1,36 +1,43 @@ ## Cross-site recognition ## {#model-cross-site-recognition} + - + - + + + + + + + + - + - + - + - - + + - + - + @@ -60,15 +68,12 @@ - - + @@ -96,13 +101,11 @@ tracker's server. - -
[[#goal-transfer-userid]]
[[#goal-userid-tracker-to-self-in-pub]]
[[#goal-userid-tracker-in-pub1-to-self-in-pub2]]
[[#goal-prob-transfer-userid-no-nav]]
[[#goal-prob-transfer-userid]]
[[#cap-iframes]] on both sides of a [[#cap-navigate|navigation]]
[[#cap-iframes]][[#cap-first-party-js]] on both sides of a [[#cap-navigate|navigation]]
[[#cap-first-party-js]][[#cap-read-logs]] on other publishers
[[#cap-read-logs]] on other publishersif publisher 1 can [[#cap-navigate]]
@@ -40,8 +47,9 @@
[[#cap-run-on-server]] on the target publisher[[#cap-run-on-server]] on the post-[[#cap-navigate|navigation]] publisher - -
[[#cap-first-party-js]] or [[#cap-run-on-server]] on the source site and [[#cap-run-on-server]] on the target publisher[[#cap-first-party-js]] or [[#cap-run-on-server]] on the source site and [[#cap-run-on-server]] on the target publisher - -
+ + Further cross-site recognition is available by combining capabilities with the ability to [[#cap-first-party-js]] (or [[#cap-run-on-server]] to add @@ -111,11 +114,11 @@ attacker-controlled javascript): - + - - - - -
[[#goal-prob-transfer-userid-no-nav]]
[[#goal-prob-transfer-userid]]
[[#cap-type-identifier]] +
The tracker gets a report of the identifiers typed in both publisher @@ -129,7 +132,7 @@ attacker-controlled javascript):
[[#cap-same-device-same-time]] +
The tracker reads the two devices, and if they give the same output at @@ -146,7 +149,7 @@ attacker-controlled javascript):
[[#cap-same-rw-device]] +
The tracker writes identifying content to the device and then reads it @@ -162,13 +165,13 @@ attacker-controlled javascript):
[[#cap-open-for-browser-event]] +
[[#cap-visible-for-browser-event]] +
Browser-wide events generally need to be visible immediately when a user
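Review bot: in the index.bs hunk of patch 1/2, the commit message only says the script checks "that cells are under the right headers" and gives no hint of when it runs (in the rendered page, at Bikeshed build time, or in CI) or what a failure looks like to a contributor; please expand the message with that, and since the 69-line addition lands inline between the `details[open]` CSS and the Advisement, consider moving it into its own include the way the rest of the document is already split into `.bsinc` files.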
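Review bot: in the capabilities.bsinc hunk, the new `## Show the user a navigation ## {#cap-navigate}` section never states what the capability is; it only explains why an attacker might not want to use it. Every other capability section leads with a sentence of the form "The attacker can ..." (compare "The attacker can convince a publisher to load an iframe from the attacker's site."), so add an opening sentence saying that the attacker can cause the user's top-level page to navigate to an attacker-chosen URL, and keep the existing paragraph as the cost/visibility caveat.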
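Review bot: in the goals.bsinc hunk, `+[=tracker=].example's server learns` glues a `[=tracker=]` definition autolink onto a hostname, which the `-` side wrote as the code span `tracker.example`; rewrite it as "The [=tracker's=] server (`tracker.example`) learns ..." to match the other rewritten paragraphs. The same hunk also deletes the whole `{#goal-prob-transfer-userid-no-nav}` section while `[[#goal-prob-transfer-userid-no-nav]]` still appears twice in the xsite-tracking-model.bsinc hunk; please confirm both occurrences are on removed lines so no dangling section reference is left behind, and mention the removed goal in the commit message, which currently only says the number of goal columns is reduced.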
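Review bot: in the `@@ -1,36 +1,43 @@` and `@@ -40,8 +47,9 @@` hunks of xsite-tracking-model.bsinc, the new cells name the two ends of a navigation four different ways ("publisher 1", "the source site", "the target publisher", "the post-[[#cap-navigate|navigation]] publisher"); since this patch is the one introducing the pre/post-navigation framing, settle on one pair of terms (for example "pre-navigation publisher" / "post-navigation publisher") and use it in every cell that spans a navigation, including the `[[#cap-first-party-js]] or [[#cap-run-on-server]] on the source site and [[#cap-run-on-server]] on the target publisher` row, which is otherwise re-added unchanged.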