Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Double-keyed connection pools #917

Open
sleevi opened this issue Jul 16, 2019 · 7 comments
Open

Double-keyed connection pools #917

sleevi opened this issue Jul 16, 2019 · 7 comments
Labels
security/privacy There are security or privacy implications topic: anti-tracking topic: connections

Comments

@sleevi
Copy link

sleevi commented Jul 16, 2019

Related to #904, the idea here is that user agents make connections conditionally based upon not just the destination origin, but on the initiating/'top level' origin.

For UAs that implement #904 for privacy-preserving reasons, failed to also implement the same for connection pools allows for the easy re-establishment of identifying information.

Consider a UA that sets credentials to false for third-party requests, for privacy reasons, and allows credentials to be defined based on the credentials mode otherwise.

  • When the UA visits https://a.example, and https://a.example attempts to load https://b.example/tracker, the parameters for the connection to b.example are { "https://b.example", false}.
  • When the UA visits https://b.example as a navigation, the parameters for the connection to b.example are {"https://b.example", true}.
  • However, b.example can use the local storage it has (e.g. LocalStorage, cookies, etc) and can initiate a request with the fetch() credentials mode of omit, for https://b.example/setUserId?id={some identifier}. This connection will be initiated as {"https://b.example", false}.

If the connection is reused between the fetch in the context of a.example and b.example, then the information from b.example may be linkable on the server to the request in a.example, and may even be used to set responses or storage in the context of a.example (e.g. a response that a.example then uses to set an a.example cookie for b.example's ID)

Broadly speaking, partitioning the HTTP cache, as described in #904, can not be reasoned to have any privacy-enhancing properties in the absence of also partitioning the connection pool on the same key. Any collapsing of key or state between the fetch and the connection, from something finer grained to something coarser, ensures that the finer-grained separation cannot be reasoned to actually work.

@annevk
Copy link
Member

annevk commented Aug 7, 2019

I think it makes sense to do this for anti-tracking purposes and Firefox will likely do this. This should be relatively straightforward to add once #904 is fixed.

Note that the partitioning of the HTTP cache has another motivation, namely thwarting XSLeaks-style of attacks (except for those through popups, sites will need to use COOP to thwart those). Those seem slightly less applicable here, though perhaps timing attacks on connection setup are feasible? (There is also a connection exhaustion attack, due to there being a global limit.)

@annevk annevk added security/privacy There are security or privacy implications topic: anti-tracking labels Aug 7, 2019
@sleevi
Copy link
Author

sleevi commented Aug 7, 2019

Correct. We are aware that you can use resource exhaustion - including at the OS level - to mount XSLeaks-style attacks. This does not mitigate such attacks.

@shivanigithub
Copy link
Contributor

/cc @MattMenke2

@MattMenke2
Copy link
Contributor

Worth noting that in addition to socket pools (including proxy connections), other things that need to be double-keyed:
SSL/QUIC session caches, H2/QUIC sessions, reporting (Need to key information on where to report, and reports to upload, and then use the key when uploading the reports), everything that feeds into reporting (expect-CT, for instance), and alternative service info.

Also related network stuff at a slightly higher layer: CORS requests and CORS cache (Chrome has a separate cache above the network stack for CORS responses, at least), and origin policy cache/fetches.

@MattMenke2
Copy link
Contributor

MattMenke2 commented Sep 27, 2019

Also, auth credentials and client certs. Sure I'm still forgetting stuff.

Edit: We'll presumably share credentials for proxy auth.

@sleevi
Copy link
Author

sleevi commented Sep 30, 2019

@MattMenke2 It's unclear if we should use this bug for that, or treat them separate. When I suggested making #904 the bug for this, @annevk requested I split this out, to keep it narrowly focused. I appreciate that, and I wonder if it might make sense to similarly treat that separate here. At least within the Fetch mechanics today, we don't necessarily have infrastructure for all these other bits, or the implications that might be specific to each one.

@annevk Would you rather this be a catch-all bug for (double, triple)-keying for privacy, or keep this narrowly focused? Should we be creating a meta-bug for each of the keyed caches?

@annevk
Copy link
Member

annevk commented Sep 30, 2019

I'm okay trying to capture all the connection-related bits at once, but also fine with splitting them. Alt-Svc is another.

annevk pushed a commit that referenced this issue Aug 6, 2020
Extend the HTTP cache partitioning logic to partition the connection pool as well and introduce the network partition key as a shared primitive. There is still work remaining for various other network caches that is tracked by #917 for now. See also https://privacycg.github.io/storage-partitioning/.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security/privacy There are security or privacy implications topic: anti-tracking topic: connections
Development

No branches or pull requests

4 participants