9 votes

Google researchers find serious privacy risks in Safari’s anti-tracking protections

13 comments

  1. [7]
    Comment deleted by author
    Link
    1. [6]
      skybrian
      (edited )
      Link Parent
      Google's security researchers have broad freedom to investigate whatever security flaws they want. You're saying they should be constrained not to report anything if it's inconsistent with...

      Google's security researchers have broad freedom to investigate whatever security flaws they want. You're saying they should be constrained not to report anything if it's inconsistent with anything some other part of the company is doing? That doesn't seem good for anyone.

      A well-written bug report is a gift. As a result, Safari fixed some security holes, though it's not clear that they fixed all of them.

      14 votes
      1. [5]
        nothis
        (edited )
        Link Parent
        I don't think anyone is seriously suggestion Google is doing that to sabotage Safari's anti-tracking protection as some kind of hidden agenda. But it taints the research a little. At best it's...

        I don't think anyone is seriously suggestion Google is doing that to sabotage Safari's anti-tracking protection as some kind of hidden agenda. But it taints the research a little. At best it's ironic, at worst it can be considered a conflict of interest. The real story might be a different one: Maybe that one of the top user-spying companies in the world now has acquired some of the best security researchers in the world, subtly biasing their work in their favor. And even if it's just perception. Psychology is part of security.

        9 votes
        1. [4]
          NaraVara
          Link Parent
          I actually think it's very plausible that Google looks for ways to circumvent these protections as part of their normal business model, and along the way their security folks figure out some of...

          I don't think anyone is seriously suggestion Google is doing that to sabotage Safari's anti-tracking protection as some kind of hidden agenda.

          I actually think it's very plausible that Google looks for ways to circumvent these protections as part of their normal business model, and along the way their security folks figure out some of these things can be categorized as "vulnerabilities."

          I also don't doubt that the press releases around these announcements might also get some color put on them by Google's marketing/PR people to take competition down a peg.

          All that said, I don't see any of this as a terrible or out of bounds thing. These companies should compete, and raising these issues in ways that put PR heat on Apple can only drive Apple to keep doing better.

          4 votes
          1. [3]
            skybrian
            Link Parent
            I'm skeptical of this flavor of skepticism because it doesn't seem like it's how security researchers think? Finding security holes is their job. Finding security holes in Google's products is...
            • Exemplary

            I'm skeptical of this flavor of skepticism because it doesn't seem like it's how security researchers think? Finding security holes is their job. Finding security holes in Google's products is also their job, even if sometimes it makes Google look bad. The "Project Zero" team has their own reputation to protect and promote, which involves reporting as many interesting security holes as they possibly can. They have their own Twitter accounts and personal reputations. They do have their responsible disclosure policy, which gives everyone 90 days to fix bugs. But after that it's in their interest to make the bug public and brag about it a little.

            I could see there being pushback from other parts of Google, to maybe get a little more time to fix a bug, though.

            I also don't see Google deliberately keeping other company's security bugs secret and exploiting them, since that's not how most of the software engineers I met there think of themselves? Also, depending on bugs is fragile; your product is likely to break at any time when the bug gets fixed. It's something that sometimes happens by accident or if you're in a hurry, but generally avoided by most software engineers.

            It's the sort of thing the NSA used to do, though apparently not as much lately.

            7 votes
            1. [2]
              NaraVara
              Link Parent
              That's the thing, the security researchers have no agency in the chain of events. It's PR that drives the press release and the ad-tech side of the shop that finds the issues.

              I'm skeptical of this flavor of skepticism because it doesn't seem like it's how security researchers think?

              That's the thing, the security researchers have no agency in the chain of events. It's PR that drives the press release and the ad-tech side of the shop that finds the issues.

              1. skybrian
                Link Parent
                It looks like the researchers published on ArXiv. I don't see a press release from Google. The Webkit team wrote about their changes in December. At least for open source projects and research,...

                It looks like the researchers published on ArXiv. I don't see a press release from Google. The Webkit team wrote about their changes in December.

                At least for open source projects and research, the public relations folks at Google don't control all communications with the outside world. Employees are expected to use good judgement, though, and teams do talk internally about what they're going to say in official blog posts.

                3 votes
  2. alxjsn
    Link
    Here is a link to the actual paper which has a lot of the technical details: https://arxiv.org/pdf/2001.07421.pdf

    Here is a link to the actual paper which has a lot of the technical details: https://arxiv.org/pdf/2001.07421.pdf

    4 votes
  3. [6]
    smores
    Link
    The “unknown state of the world” at the end of this piece is upsetting to me; I’ve been (apparently unwittingly) using Safari’s ITP since it came out. Part of me feels like the fact that this is...

    The “unknown state of the world” at the end of this piece is upsetting to me; I’ve been (apparently unwittingly) using Safari’s ITP since it came out. Part of me feels like the fact that this is specifically coming from Google is circumspect, but the actual findings do make sense to me as a concern, though they don’t seem substantially worse than browsing without any third party tracking prevention in the first place (obviously however the goal here would be for it to be better).

    3 votes
    1. [5]
      NaraVara
      (edited )
      Link Parent
      Maybe I'm misreading, but the list of things they mentioned all seem like exactly what you're exposed to if you didn't have ITP except it's harder for the adversary to do and they get less out of...

      though they don’t seem substantially worse than browsing without any third party tracking prevention in the first place (obviously however the goal here would be for it to be better).

      Maybe I'm misreading, but the list of things they mentioned all seem like exactly what you're exposed to if you didn't have ITP except it's harder for the adversary to do and they get less out of doing it. Am I misunderstanding? Because as is I'm not sure how we would categorize this as a "vulnerability." If anything it seems like an imperfect risk mitigation.

      6 votes
      1. skybrian
        Link Parent
        Fingerprinting at least has always been possible. The browser vendors are taking it more seriously these days but there is a lot of work to do.

        Fingerprinting at least has always been possible. The browser vendors are taking it more seriously these days but there is a lot of work to do.

        4 votes
      2. [3]
        smores
        Link Parent
        This was like a one-off sentence in the article, but they mention also being able to check user’s visiting habits to sites that aren’t actually owned by the tracker, which as far as I know is...

        This was like a one-off sentence in the article, but they mention also being able to check user’s visiting habits to sites that aren’t actually owned by the tracker, which as far as I know is actually worse than just browsing with ITP off. I might be misreading though.

        1. [2]
          NaraVara
          Link Parent
          I thought it was only for sites that are affiliated with the site you're on?

          I thought it was only for sites that are affiliated with the site you're on?

          1. smores
            Link Parent
            This seems to imply that although it’s more challenging, it’s still possible:

            This seems to imply that although it’s more challenging, it’s still possible:

            Revealing the status of domains outside the attackers’ control is only slightly harder. It requires the use of a side channel that compares the behavior of requests affected by ITP with the behavior of those that are unaffected by ITP. The paper says the Internet “abounds” in such side channels and identifies six of them.