Keeping apps on Android from getting your real contacts data

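I saw the "Fake Contacts" project on Hacker News Daily. It can replace the contacts data on Android with fake data and keep the real data stored separately, so that apps cannot get the real data in the contacts: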

Create fake phone contacts, that will be stored on your phone along with your real contacts. The idea is to feed fake data to any apps or companies who are copying our private data to use or sell it. This is called "data-poisoning".

Nothing about these fake contacts will interfere with your normal use of your phone or your real contacts.

It can be downloaded from F-Droid: "Fake Contacts".

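There is also a discussion on Hacker News: "Fake_contacts: Android app to create fake phone contacts, to do data-poisoning (github.com/billdietrich)". The first thing people thought of there is the photo protection mechanism introduced in iOS 14, which lets the user choose which photos an app can read: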

Recently Apple added a feature to iOS that allows you only to allow selected photos to be accessible by an app. This allows the user to respond positively to an access request, but allow the app to see only a subset (or zero) actual photos.

It would be a very useful feature for Apple to do the same for contacts: the app would think it's getting access to your contacts, but would only actually receive a subset of them, and be none the wiser. This would be a tremendous boon for privacy.

Given Tim Cook's preference for treating privacy as a feature, I would guess that iOS will ship this sooner or later, and then make a big deal of promoting it.

As for Android, it does not seem likely to get this feature before iOS does...

Firefox neuters Google Analytics in Strict Tracking Protection mode

I saw on Twitter that Firefox neuters Google Analytics in Strict Tracking Protection mode.

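It goes well with another article, "Google Analytics: Stop feeding the beast", which is mainly written for site administrators: you can use other services that protect privacy better, or consider hosting your own.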

Back on the user side: in Firefox, Browser Privacy defaults to Standard, and switching it to Strict triggers this behavior:

It does not simply block connections to google-analytics.com and googletagmanager.com; instead it swaps out the JavaScript so that the calling code does nothing at all.

In Strict mode, besides Google Analytics, other scripts are neutered as well (such as Facebook's); they can be found on GitHub under "gecko-dev/browser/extensions/webcompat/shims/".
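To make the "swap the script for one that does nothing" approach concrete, here is an added sketch of a neutered stand-in for analytics.js. It is not Firefox's shim or uBlock Origin's resource; `installNeuteredGa`, `simulatePage` and the sample page commands are constructed for illustration. It shows why a replacement works better than a plain block: page code that waits on `hitCallback` keeps working.

```javascript
// Added example, not Firefox's or uBlock Origin's code.
// `target` stands in for `window` so the sketch also runs outside a browser.
function installNeuteredGa(target) {
  const tracker = { get: () => undefined, set() {}, send() {} };

  function ga(...args) {
    if (args.length === 0) return;
    // ga(fn): "ready" callback form; page code expects to be handed a tracker.
    if (typeof args[0] === "function") {
      args[0](tracker);
      return;
    }
    // ga('send', ..., { hitCallback }): pages often navigate or submit a form
    // from hitCallback, so the stub must still call it or the page flow stalls.
    const last = args[args.length - 1];
    if (last && typeof last === "object" && typeof last.hitCallback === "function") {
      last.hitCallback();
    }
  }
  ga.create = () => tracker;
  ga.getByName = () => tracker;
  ga.getAll = () => [tracker];
  ga.remove = () => {};
  ga.loaded = true;

  // Replay commands the async loader snippet queued before the script arrived.
  const queued = (target.ga && target.ga.q) || [];
  target.ga = ga;
  target.GoogleAnalyticsObject = "ga";
  for (const cmd of queued) ga(...cmd);
  return ga;
}

// Constructed page: loader-snippet queue plus an outbound-link click handler.
function simulatePage() {
  const win = { ga: Object.assign(function () {}, { q: [] }) };
  win.ga.q.push(["create", "UA-XXXXX-Y", "auto"], ["send", "pageview"]);
  installNeuteredGa(win);
  let navigated = false;
  win.ga("send", "event", "outbound", "click", {
    hitCallback: () => { navigated = true; },
  });
  let gotTracker = false;
  win.ga((t) => { gotTracker = typeof t.get === "function"; });
  return { navigated, gotTracker, loaded: win.ga.loaded === true };
}
```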

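This feature is obviously not going to be built into Google Chrome, but extensions have offered it for a long time. The most common way now is through uBlock Origin, and it is implemented in the built-in "uBlock filters – Privacy" list; the corresponding privacy.txt on GitHub shows: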

! Redirect to neutered Google Analytics 
||google-analytics.com/analytics.js$script,redirect=google-analytics.com/analytics.js

! Redirect to neutered Google Analytics Experiments
||google-analytics.com/cx/api.js$script,redirect=google-analytics.com/cx/api.js

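That said, uBlock Origin and other extensions on Firefox have similar functionality, and people who really care have probably been using them for a long time...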

Firefox 86, released today, introduces Total Cookie Protection

Firefox 86 (the newly released standard version) introduces Total Cookie Protection: "Firefox 86 Introduces Total Cookie Protection".

Every site's cookies get their own separate space:

Our new feature, Total Cookie Protection, works by maintaining a separate “cookie jar” for each website you visit. Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to that website, such that it is not allowed to be shared with any other website.

Applications that need cross-site access, such as third-party login, are handled separately:

In addition, Total Cookie Protection makes a limited exception for cross-site cookies when they are needed for non-tracking purposes, such as those used by popular third-party login providers. Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting. Such momentary exceptions allow for strong privacy protection without affecting your browsing experience.

This does push the tracking ability of cookies down a lot, but quite a few sites will probably break too...

So Disqus has already been bought by an online advertising company...

It was only in "Disqus, the dark commenting system" that I saw the news that Disqus had been bought by an online advertising company:

Disqus was acquired by an advertising company called Zeta Global in 2017. Obviously, advertising companies do everything to increase their revenue (Ex: the Big G).

The report it cites is "Zeta Global acquires commenting service Disqus"; this happened about three years ago...

It has basically become an ad tracking platform:

I analyzed the network requests log. Disqus makes HTTP requests to 11 different third-party domains through the browser. All of these websites are trackers/pixels (Even some were detected as malware by my security guard).

And it is the same even for paying members; they are still tracked:

When you provide a free product, money should come from somewhere. Disqus uses advertising for that. Now, I subscribed to a paid plan trial of Disqus to see if things change or not. No! Even in the paid plans, the same pixels are loaded on the client-side. Looks like there's no way to opt-out from tracking.

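The recommendations at the end are only worth a glance; hosting your own is probably still the better choice... Searching for "open source comment system" turns up some things to look at.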

Firefox's Cache Partition is now in effect too

Google Chrome implemented Cache Partition ("Google Chrome's Cache Partition takes effect"), and Firefox's implementation has now reached the standard version as well: "Firefox 85 Cracks Down on Supercookies".

In Firefox 85, we’re introducing a fundamental change in the browser’s network architecture to make all of our users safer: we now partition network connections and caches by the website being visited.

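The technique this defends against is described in the earlier post "Google Chrome to improve privacy by splitting the HTTP cache": when the cache is shared, the time it takes to fetch a file can be used to make the determination (side channel information).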

With this, all the mainstream browsers support Cache Partition...
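The per-site "cookie jar" of Total Cookie Protection and the cache partitioning described here rest on the same idea: adding the top-level site to the storage key. The following added toy model (not browser code; `BrowserStore`, the helper functions and all `.example` hosts are constructed for illustration) compares a shared store with a partitioned one for both cases.

```javascript
// Added example: a toy model of a browser store (cookie jar or HTTP cache).
// All site names are constructed; real browsers key on more than this.
class BrowserStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Map();
  }
  // Shared: keyed by the cookie/resource origin only.
  // Partitioned: keyed by (top-level site, origin), one "jar" per visited site.
  key(topLevelSite, origin, name) {
    return this.partitioned ? `${topLevelSite}|${origin}|${name}` : `${origin}|${name}`;
  }
  get(topLevelSite, origin, name) {
    return this.entries.get(this.key(topLevelSite, origin, name));
  }
  set(topLevelSite, origin, name, value) {
    this.entries.set(this.key(topLevelSite, origin, name), value);
  }
}

// Embedded third-party tracker: reuse its ID cookie if visible, else mint one.
function trackerSeesId(store, topLevelSite, counter) {
  let id = store.get(topLevelSite, "tracker.example", "uid");
  if (id === undefined) {
    id = `uid-${++counter.n}`;
    store.set(topLevelSite, "tracker.example", "uid", id);
  }
  return id;
}

// Cache lookup: a hit (fast load) reveals the resource was fetched before.
function loadIsCacheHit(store, topLevelSite, url) {
  const hit = store.get(topLevelSite, "cdn.example", url) !== undefined;
  store.set(topLevelSite, "cdn.example", url, "cached-bytes");
  return hit;
}

function runScenario(partitioned) {
  const cookies = new BrowserStore(partitioned);
  const cache = new BrowserStore(partitioned);
  const counter = { n: 0 };
  const idOnNews = trackerSeesId(cookies, "news.example", counter);
  const idOnShop = trackerSeesId(cookies, "shop.example", counter);
  // The user visits bank.example, which loads a logo; another site then loads it.
  loadIsCacheHit(cache, "bank.example", "/bank-logo.png");
  const leaked = loadIsCacheHit(cache, "other.example", "/bank-logo.png");
  return { sameIdAcrossSites: idOnNews === idOnShop, historyLeaked: leaked };
}
```

`runScenario(false)` models the shared store, where the tracker sees one ID on both sites and the cache hit exposes the earlier visit; `runScenario(true)` models the partitioned store, where neither happens.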

Zoom's watermark feature

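On Hacker News Daily I saw The Intercept's article introducing Zoom's watermark feature and how to protect yourself if you are going to leak: "What You Should Know Before Leaking a Zoom Meeting". The article is not mainly about the Zoom issues discussed previously, but about Zoom's watermark feature.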

Zoom supports video watermarks and audio watermarks:

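From the description, neither of the two methods looks hard to defeat, but the main point is to remind journalists that if they are going to release a Zoom audio or video recording provided by a source, they should check whether it contains a watermark that would expose the source's information: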

Journalists should also be wary of publishing raw audio leaked from Zoom meetings, particularly if the source is not sure whether audio watermarking was enabled or not.

I looked around GitHub and did not find any tool that handles this; that may have to wait for someone to develop one...

Firefox also plans to retire ESNI and push ECH instead

Firefox also plans to drop ESNI and push ECH instead: "Encrypted Client Hello: the future of ESNI in Firefox".

The current version 85 (currently in beta) supports ECH draft-08, so anyone who wants to try it out can test it now:

Firefox 85 replaces ESNI with ECH draft-08, and another update to draft-09 (which is targeted for wider interoperability testing and deployment) is forthcoming.

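The other one to watch is of course Google's Chromium. The incentive this protocol offers Google should be huge, since it gives a chance to reach directly into the Chinese market... It is just unclear whether they will build a protocol of their own.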

GitHub has removed all non-essential cookies

The head of GitHub announced that the cookie banner has been removed, because they simply removed all non-essential cookies: "No cookie for you".

Cookie banners exist mainly because of EU rules:

Well, EU law requires you to use cookie banners if your website contains cookies that are not required for it to work. Common examples of such cookies are those used by third-party analytics, tracking, and advertising services. These services collect information about people’s behavior across the web, store it in their databases, and can use it to serve personalized ads.

And their solution was to remove them:

At GitHub, we want to protect developer privacy, and we find cookie banners quite irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really.

A "deal with whoever created the problem" kind of fix XDDD (meant as praise)

Cloudflare switches to ECH, encrypting the entire TLS ClientHello

What Cloudflare had been promoting as ESNI has now become ECH: "Good-bye ESNI, hello ECH!".

The upper figure is ESNI, and the lower one is ECH:

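You can see that the main difference in ECH is that the whole original ClientHello is encrypted and wrapped up. The server first tries to decrypt the inner ClientHelloInner, and uses the outer ClientHelloOuter when that fails: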

The server completes the handshake with just one of these ClientHellos: if decryption succeeds, then it proceeds with the ClientHelloInner; otherwise, it proceeds with the ClientHelloOuter.

It is clear that one of ECH's goals is to look just like an ordinary TLS connection, which would also take care of the censorship problem along the way...

One of the reasons is probably also that China and Russia blocked ESNI outright earlier:

In August 2020, the Great Firewall of China started blocking ESNI traffic, while still allowing ECH traffic.

In October 2020, Russian ISPs such as Rostelecom and its mobile operator Tele2 started blocking ESNI traffic.

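However, there are still ways to catch it by analyzing HTTPS patterns (the traffic analysis mentioned in the article). For now it looks like only the ClientHello itself has been dealt with, so there is still a chance to block it by analyzing the handshake process; the ECH protocol has to keep improving so that the whole flow looks the same as ordinary TLS...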

We can wait and see how well it works in China, and whether it lets the major foreign services get straight in...

Cloudflare removes its cookie-based analytics feature

These two items can be read together, even though they are more than two months apart.

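First, at the end of September this year they offered a privacy-first analytics system: "Free, Privacy-First Analytics for a Better Web". Then recently (December) they announced that the __cfduid cookie will be removed: "Deprecating the __cfduid cookie".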

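The articles do not say how detection is done now, but my guess is that browser fingerprint data is already enough for identification without needing cookies; see EFF's "Cover Your Tracks" on this.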

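So privacy-first is only a matter of degree: to defend against bots, different users still have to be correctly identified, which means that not using cookies now does not mean privacy is much higher. Still, this is indeed an attempt to reduce concerns on the technical side...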

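People who really want to hide their identity on the internet should still use Tor; at a minimum they should use Tor Browser, and to be more careful they should use something like Tails.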