[New GUI] Wrapper groups

From: Libor Polčák
Subject: [New GUI] Wrapper groups
Date: Mon, 6 Sep 2021 15:59:19 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53.9

Re: Development meeting minutes 23/Aug/2021
   * We discuss UI proposal
     * group wrappers by feature that the end user may want to enable,
instead of grouping by type of attack.

Hello all,

we discussed that we should revisit the groups that we have now for the new UI.

Let's start with what we have right now:

Group name: time_precision
Manipulate the time precision provided by Date and performance

Group name: htmlcanvaselement
Protect against canvas fingerprinting

Group name: audiobuffer
Protect against audio fingerprinting

Group name: webgl
Protect against WebGL fingerprinting

Group name: plugins
Protect against plugin fingerprinting
Wrappers: navigator.plugins

Group name: enumerateDevices
Prevent fingerprinting based on the multimedia devices connected to the computer
Wrappers: MediaDevices.prototype.enumerateDevices

Group name: hardware
Spoof hardware information to the most popular HW
Wrappers: navigator.hardwareConcurrency,navigator.deviceMemory

Group name: xhr
Filter XMLHttpRequest requests
Wrappers: XMLHttpRequest.prototype.open,XMLHttpRequest.prototype.send

Group name: arrays
Protect against ArrayBuffer exploitation

Group name: shared_array
Protect against SharedArrayBuffer exploitation:
Wrappers: window.SharedArrayBuffer

Group name: webworker
Protect against WebWorker exploitation
Wrappers: window.Worker

Group name: geolocation
Geolocation API wrapping

Group name: gamepads
Prevent websites from learning information on local gamepads
Wrappers: navigator.getGamepads

Group name: vr
Prevent websites from learning information on local Virtual Reality displays
Wrappers: navigator.activeVRDisplays,navigator.xr

Group name: analytics
Prevent sending analytics through Beacon API
Wrappers: navigator.sendBeacon

Group name: battery
Disable Battery status API
Wrappers: navigator.getBattery

Group name: windowname
Clear window.name value on the webpage loading
Wrappers: window.name

I see some related groups which can maybe be simplified. Let's go through the 
current groups. All proposed levels of mitigation below are supported by 
current wrappers.

time_precision can be called "Precise time measurement"
We can offer 4 levels:
off: No rounding applied
low/simple: Round to hundredths of a second (1.230)
medium: Round to tenths of a second (1.200)  - maybe skip this option to limit 
high/strict: Round to full seconds (1.000) and randomize

htmlcanvaselement, webgl can be merged into "Advanced graphics"
We can offer three levels:
off: no protection
white lies: small changes to the provided information with small impact on 
strict: limit the provided data as much as possible

audiobuffer: Audio processing
We can offer three levels:
off: no protection
white lies: small changes to the provided information with small impact on 
strict: limit the provided data as much as possible

enumerateDevices can be renamed to Audio and video input
We can offer four levels:
off: no changes
medium/keep functionality: Add 0-4 fake devices and randomize order
high/strict: Do not return any device

arrays and shared_array could form a new group but I am not sure on the name so 
that an uninformed user knows when to edit the setting
We can prevent three levels of protection: off/simple/strict

geolocation can be renamed to Real-world location
We can offer the following levels:
precise location: no interference
small: Either "Use accuracy of hundreds of meters" or "Use accuracy of 
medium: Either "Use accuracy of tens of kilometers" or "Use accuracy of hundreds of 
do not provide: "Turn location services off"

We can keep gamepads and virtual reality (VR) separate but from reading the 
docs it seems that VR depends on gamepads. On the other hand using gamepads 
does not necessarily mean that I want to offer information on VR. Do we want to 
provide such relation? How to represent them in GUI?
We should provide on/off levels

analytics can be called analytics or we can rename to Beacons or do you have a 
better name?
We should provide on/off levels

I am not sure about what to do with the following:

* webworker - how to explain to a user without detailed knowledge? We implement 
two counter-measures
* hardware, plugins, battery - how many groups do we create (1/2/3?), how to 
explain to a user without detailed knowledge?
* windowname - on/off, how to explain to a user without detailed knowledge?
* xhr - I do not know if we want to keep this wrapper. It does not prevent the 
page from using Fetch API, RTC and other methods.

If you have better ideas, please share.


