JavaScript Errors Notifier 移除 FairShare 了

先前提到 JavaScript Errors Notifier 裡有 FairShare 的問題:「改用沒有 FairShare 版本的 JavaScript Errors Notifier」。

剛剛在 Urgent: Make javascript-errors-notifiers less invasive 這邊看到作者已經從 Google Web Store 上面的版本拿掉 FairShare 了:

And yes, it was completely removed.

另外也得到一些數字:

This decision is about -$5000 of my yearly income, but, anyway, it makes me feel better :)

Mozilla 維護的 Public Suffix List

在「域名小知识:Public Suffix List」這邊看到由 Mozilla 維護的 Public Suffix List,記錄了哪些 suffix 屬於 top-level:

  • Avoid privacy-damaging "supercookies" being set for high-level domain name suffixes
  • Highlight the most important part of a domain name in the user interface
  • Accurately sort history entries by site

所以 supercookie 阻擋機制是從這邊來的...

Google Chrome 上有大量 Extension 在追蹤個人行為

在「Chrome Extensions – AKA Total Absence of Privacy」這邊討論了 Google Chrome 官方的 Web Store 上有很多應用程式為了賺錢在追蹤個人行為:

We’ve seen some indications on Chrome Extension-forums that it’s around $0.04 per user/month.

而且因為是 extension,可以直接穿越 Ghostery 之類的防護網,於是就變得無法 opt-out。你可以利用「In order to continuously improve and maintain this software we work with」這樣的字串去找,會以發現有不少 extension 用了 Fairshare 的方案來賺錢。

文章作者呼籲 Google 要提出方案來制止這類行為,不過我覺得 Google 應該是不會做...

利用極高頻的音波跨裝置侵犯使用者隱私

在這篇看到現在已經有跨裝置的追蹤機制:「Beware of ads that use inaudible sound to link your phone, TV, tablet, and PC」。

電視廣告利用超高頻 (人類聽不到) 與手機或平板裝置上的應用程式配對,進而組合使用者的行為:

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can't be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

難以被關閉的追蹤機制,看起來就是 NSAFBICIA 之類超愛的技術。

利用 HSTS 資訊得知網站紀錄的 sniffly

看到「sniffly」這個工具,可以利用 HSTS 資訊檢測逛過哪些網站,程式碼在「diracdeltas/sniffly」這邊可以找到:

Sniffly is an attack that abuses HTTP Strict Transport Security and Content Security Policy to allow arbitrary websites to sniff a user's browsing history. It has been tested in Firefox and Chrome.

測試網站則可以在這邊看到,作者拿 Alexa 上的資料網站來掃,所以熱門網站應該都會被放進去...

主要是利用 HSTS + CSP policy 的 timing attack (有逛過網站而瀏覽器裡有 HSTS 時的 redirect 會比較快,沒有逛過的時候會因為有網路連線而比較慢):

Sniffly sets a CSP policy that restricts images to HTTP, so image sources are blocked before they are redirected to HTTPS. This is crucial! If the browser completes a request to the HTTPS site, then it will receive the HSTS pin, and the attack will no longer work when the user visits Sniffly.

When an image gets blocked by CSP, its onerror handler is called. In this case, the onerror handler does some fancy tricks to time how long it took for the image to be redirected from HTTP to HTTPS. If this time is on the order of a millisecond, it was an HSTS redirect (no network request was made), which means the user has visited the image's domain before. If it's on the order of 100 milliseconds, then a network request probably occurred, meaning that the user hasn't visited the image's domain.

由於這個技巧,HTTPS Everywhere 必須關閉才會比較準確。

STARTTLS 的不完整性以及大規模監控電子郵件

在「Don’t count on STARTTLS to automatically encrypt your sensitive e-mails」這邊提到了 STARTTLS 的問題,引用「Neither Snow Nor Rain Nor MITM ... An Empirical Analysis of Email Delivery Security」這篇論文的說明。

SMTP 裡 STARTTLS 的設計雖然可以加密,但仲所皆知,可以阻擋 EHLO 回應結果避免建立 STARTTLS 連線,而讓發送端改用傳統未加密的 SMTP 傳輸。而研究發現其實目前就有大規模的這種監控行為:

可以看到突尼西亞的監控情況遠超過想像...

目前的想法是發展一套類似 HSTS 的 Trust on first use 設計,也許在這份報告出來後可以加速催生...

改用沒有 FairShare 版本的 JavaScript Errors Notifier

在「Chrome Devtools Tips & Tricks」這邊看到介紹 Google Chrome 的 DevTools 用法說明,但讓我注意到文章最下面提到的兩個工具,其中提到了 JavaScript Errors Notifier 這個工具:

JS Error Notifier (non-“spyware” version) creates a popup each time a Javascript error is printed to the console. Unfortunately, the main version of this extension submits private “usage data” to a third-party service (see discussion in issue #28). But at any rate, this extension has helped me notice and fix several bugs.

找資料時可以發現 Hacker News 上面也有些討論:「Malware alert: JavaScript Errors Notification extension for Chrome (86k users)」。

馬上換掉...

AVG 更新隱私條款,以便能夠蒐集使用者的搜尋紀錄並且賣給其他人

在「AVG can sell your browsing and search history to advertisers」這邊整理的比較清楚:

The updated policy explained that AVG was allowed to collect "non-personal data", which could then be sold to third parties.

或是抓原文:

Do you share my data?

Yes, though when and how we share it depends on whether it is personal data or non-personal data. AVG may share non-personal data with third parties and may publicly display aggregate or anonymous information.

新的條款會在今年 (2015) 的十月十五日生效。

關於 Mac OS X 10.10 的安全建議

Hacker News Daily 上看到的,是給 Power User 參考用的建議:「drduh/OS-X-Yosemite-Security-and-Privacy-Guide」。

文章很長,所以我的建議是看過一次後把會用到的部分整理成 bash script,以後重新安裝時可以直接拿來用。