Jeffrey Paul: Browsers Are Stuck In The 90s

Jeffrey Paul

Browsers Are Stuck In The 90s
30 March 2019
( 1301 words, approximately a 7 minute read. )

Context

Browsers have become wickedly intelligent in many ways, with the notable exception of methods that would protect your privacy. My operating theory is that due to the best (most secure and most widely used and most extensible) browser being produced by a company that generates a tremendous amount of revenue from selling targeted advertising on the web, there is little incentive to fix this particular problem.

A Meandering Aside About Google Staffers

I mean “little incentive” in a very literal sense; I generally try very hard to avoid the American habit of using euphemisms to say one thing but through convention so strongly imply another thing that that implied meaning is actually the new practical definition of the term (e.g. “didn’t do the best job” now almost always literally means “did a shit job”). There are many people at Google who do at least moderately respect user privacy; I am told that the Google Front End (GFE) reverse proxy server shares either the IP (if logged out) or the logged in user identity with backend services, but not both, to prevent easy tracking of what a given logged-in user does when they are logged out via IP correlation. (This may also be out of date information, I learned this some time prior to 2015.)

That said, I meant it: they don’t have much incentive. The point of this section is that there may be a possibility of simply adding the incentive that these features get built into Chrome. Google APIs unrelated to tracking are built into so much of the web now that they would likely receive a significant fraction of their tracking data via other means. Some people there actually do care about privacy, and some actually do care about building the best browser and innovating in the browser space, ad-business-be-damned.

(It’s sort of like how Apple used to not care if you used their application software or services or not as long as you bought their hardware. Remember those days? Those were great days.)

Some Free Advice

Anyway, let’s take a moment to sidetrack and say that if you are not using Chrome with µBlock Origin in grey- or whitelisting mode when you browse the web, you should be. Denying all third party (3P) requests by default on a webpage (with the ability to greylist (allow but filter out known ads/tracking) 3P resources on a per-source-domain basis with a click) is amazing. The interface is extremely confusing but the documentation is decent; consider spending 30 minutes concentrating on their docs to learn it. It is Worth It.

That said, much of this functionality should be built into a browser, or provided in a default extension that comes with it.

The Core Of This Post

Things a browser should do or not do by now, in 2019:

  • It should not ever store third party cookies from known ad tracking sites and domains.
  • It should not store third party cookies from non-ad-tracking sites and domains beyond a user-configurable automatic interval (“on browser/window close” is the dumb and naive solution).
  • It should not send a User-Agent HTTP header.
  • It should not send a Referer HTTP header.
  • It should not expose device accelerometer/gyro or battery level information without an explicit per-site opt-in, such as those used for geolocation.
  • It should ignore the autocomplete=off attribute on all sites by default. Sites that want to disable autocomplete should pop up a consent dialog for the user to permit them to disable it—iff the user wishes.
  • I shouldn’t have to say this, but it should not disable seeking controls in a system video player simply because a webpage asked it to. (Here’s looking at you and your un-fast-forwardable ads, MobileSafari!)
    • (Spot the consent-of-the-user theme yet? Your browser software is running on hardware that belongs to someone else, vendors.)

These are all pretty much obvious to me, basic MVP table stakes for a modern browser. The fact that these are not incorporated into modern browsers seems insane. There are a few more which are plain add-on features which take the concept further:

  • It should crowdsource user configurations for given popular sites, to know which 3P resource domains should be greylisted. Out of the box it should block 100% of nonessential 3P resources for the top thousand websites (without breaking rendering).
  • It should incorporate software U2F with encrypted cloud storage of the token.
  • It should offer the option to sync cookies for certain sites across all of your devices. (Browsers do not presently sync cookies but given proper security controls (e.g. clientside passwords, 2FA for sync services) then they absolutely should in some cases.)
    • (Yes, I have read the usual rationale for why browsers don’t support this, but it doesn’t really hold water. If you have a compelling argument as to why it would actually break things if we let users choose sites to sync cookies across devices, let me know; it would be news to me.)

Mozilla

To be honest, I’m really surprised that Mozilla goes to all the length to maintain their own rendering engine, when the relevant majority of Chrome is open source, including the results of vast (I’m serious—we’re talking double-digit millions+ of USD) security research and hardening invested into it by Google. With or without Firefox, Mozilla or a similarly-minded company should be maintaining a fork of Chrome with these features built in.

Before you suggest Brave: don’t. Aside from being founded and run by a notorious anti-gay bigot who got kicked the fuck out as CEO of Mozilla (for being a bigot, no less), the actual product itself is designed to show ads. Lately they have taken to fraudulently accepting donations for sites that they don’t run and with which they have no business relationship (further discussion here). Their product story has changed a bunch of times, and despite trying to follow it, I still can’t make heads or tails of whether it’s supposed to pay you for looking at ads, pay you for your attention while blocking ads, or let you tip websites using cryptocurrency—and not one of these features requires building a dedicated browser versus just a browser plugin. (And what the actual fuck is up with browser plugins not working on mobile devices?)

None of the items above related to user privacy are aligned with the incentives of a company who profits when you are shown ads, as ad targeting maximizes that revenue and ad targeting benefits immensely from knowing as much specific information as possible about the user receiving the ad.

Unrelated

This post was somewhat inspired by the fact that Google finally added a feature to Chrome I was suprised took so fucking long: it now supports U2F without a hardware token! When enrolling a new hardware token (I have many) in Chrome 73.0.3683.86, I was prompted to use a Touch ID auth to add one (even without external add-on hardware present). I am curious if this is Chrome’s software U2F implementation with the long-term keys stored on disk protected by a Touch ID/Secure Enclave wrapping key, or if the Secure Enclave is actually being used to store the U2F keys themselves.

In Closing

Someone should fork Chrome and maintain a small set of privacy- and security-protecting features while putting in the effort to continuously pull in all of the other product and security improvements Google is spending tons of money to research, design, and implement. Chromium isn’t it. What’s the point of it being open source, otherwise?

Feedback

If you agree, disagree, or think someone should yell “but Privacy Badger already does all of this, you fool” at me, please don’t hesitate to drop me a line at sneak@sneak.berlin.

About The Author

Jeffrey Paul is a hacker and security researcher living in Berlin and the founder of EEQJ, a consulting and research organization.

@sneakdotberlin

@eeqj

sneak@sneak.berlin

keybase.io/sneak

linkedin.com/in/jeffreypauleeqj