browser concerned that W3C "Client Hints" could be abused for tracking


  • Ambassador

    The team at Brave Browser (I've seen it mentioned on the forum many times so I know some Vivaldi users are familiar with it, although I have yet to try it) are now concerned with proposals from the IETF (The Internet Engineering Task Force) and W3C (World Wide Web Consortium) to use "Client Hints" to enable websites to use "fingerprinting" to identify browsers. This will enable servers to passively identify your browser without using more common methods already available (and, for the security conscious, to block). Although they do admit there are some positive aspects to "Client Hints", they do have reservations about the fingerprinting aspect.
    For more info see the Brave Blog article.
    To see how vulnerable your browser (Vivaldi, I hope) is to fingerprinting, you can test it, or any browser, at the Electronic Frontier Foundation's test site, Panopticlick.

    Here's hoping Vivaldi will be taking a similar approach to privacy for its users.


  • Moderator

    And the proposal came from Google, what a surprise. Who would think they would do such a thing? After all there's a piece of paper on their building saying "don't be evil" so it must be true.


  • Moderator

    I fail to see the benefit of client hints. Privacy aside, I've seen that with user agents alone many Web developers can't be trusted to use that info properly, and now there are proposals to increase the amount of info offered? Oof.


  • Community Manager

    For as long as it only duplicates existing information which is available via other means, it doesn't have an impact on privacy. If we disable it, websites will just use something else. They already do, in fact.


  • Moderator

    I have to disagree @gaelle, as Brave points out there are many problems with the proposal.

    It allows 3rd parties to easily track users, as now I can just delegate the tracking, which only makes it harder to block.

    Its purpose is entirely for tracking; the current HTTP headers are basically the minimum necessary to complete requests. There's no reason why the server needs to know what my screen size is or how much RAM I have. My RAM and processor should not even be exposed in any form, as it's entirely unnecessary information. (Or now a site can't run on AMD?) And screen size is at most useful only for the JavaScript front.


  • Vivaldi Team

    @gaelle's statement does not disagree with yours. Note the part "For as long as it only duplicates existing information which is available via other means".

    Things like viewport dimensions can already be measured both via JavaScript and CSS - websites regularly use this for responsive design - but in both cases it requires a second trip to the server, which makes pages slower to load. Client hints would allow this to be done in a single request, which can be better for performance (though right now, the opt-in aspect still would make it need a second request, which defeats the purpose somewhat). The Client Hints approach itself is not a problem. It is just another way to let a website make choices about what resources to serve.

    It is worth noting that fingerprinting is always going to be possible, no matter what APIs are available. In fact, trying to prevent fingerprinting by disabling things often leads to the exact opposite effect; making you stand out more, since you no longer have a normal setup. In addition, websites typically don't use fingerprinting anyway, since it is less reliable than simpler things like cookies and local storage - while there are simpler approaches available, websites will use those instead of something that is complex and less reliable. In the vast majority of cases, fighting against fingerprinting is not only futile, it is also unnecessary, since it targets the wrong problem. What serves better is legislation to limit tracking and collection of personal data to build behavioural profiles - something you can read more about in our various blogs. That is the problem here, not the APIs themselves. This is a case where legislation actually has a much more significant effect, since the organisations that are most privacy invasive in this regard, are ones that have to abide by legislation.

    When it comes to fingerprinting, there are solutions that are better than simply disabling an API. Client hints are not just for fun, and not intended for tracking. Being able to see how much memory a device has can allow a website to make choices about whether to load the full version, or the low memory version, to allow it to work on low capability devices. Being able to see if the device has a high performance CPU would do the same.

    One solution is to limit the resolution of the data it exposes. For example, with the Battery API, most browsers limit the resolution of the data, rather than showing "99.835% charged", they round the data to the nearest 5 or 10%. The Device-Memory API is supposed to expose similarly rounded values.

    So if fingerprinting is your concern, the better approach is to make sure that all browsers expose only approximated values, and the same rounded values. Enough for the website to make choices, not enough for the website to use for identification. This only works if everyone uses the same set of approximations, so it should be baked into the specification itself - this is something that everyone, including yourself, can get involved with, in the standards committees.
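    The approximation approach described in the post above, as an added example that is not code from the thread, from Vivaldi, or from any browser: values are rounded to coarse buckets before being exposed, so a site can still choose which resource to serve while the exposed value carries little identifying information. The power-of-two rounding and the 0.25..8 GiB clamp follow the Device Memory specification as the post describes it; the tie-breaking direction, the 5% battery step, the `device` object shape and the sample value lists are my own assumptions, and only the `Device-Memory` and `Viewport-Width` hint names are taken from the Client Hints draft.

```javascript
// Added example, not from the forum thread or any browser's source code.
// Demonstrates limiting the resolution of exposed values, as discussed above.

// Round real device memory (GiB) to the nearest power of two, then clamp to
// the spec's [0.25, 8] range. Ties round up (my assumption, not the spec's).
function approximateDeviceMemory(actualGiB) {
  if (!(actualGiB > 0)) throw new RangeError("memory must be positive");
  const lower = 2 ** Math.floor(Math.log2(actualGiB));
  const upper = lower * 2;
  const nearest = actualGiB - lower < upper - actualGiB ? lower : upper;
  return Math.min(8, Math.max(0.25, nearest));
}

// Round a battery level in [0, 1] to the nearest stepPercent (default 5%),
// returning a whole-number percentage, like "100" instead of "99.835".
function approximateBatteryLevel(level, stepPercent = 5) {
  if (!(level >= 0 && level <= 1)) throw new RangeError("level must be in [0, 1]");
  return Math.round((level * 100) / stepPercent) * stepPercent;
}

// How many distinct outputs a bucketing function yields over a set of raw
// values, and the corresponding entropy in bits (log2 of the distinct count).
// Fewer distinct outputs means less to fingerprint with.
function bucketStats(rawValues, bucketFn) {
  const distinct = new Set(rawValues.map(bucketFn)).size;
  return { distinct, bits: Math.log2(distinct) };
}

// Given a server's Accept-CH response header value, build the hint request
// headers the browser would send next time, exposing approximated values only.
// Hints the browser does not recognise are silently ignored.
function buildClientHintHeaders(acceptCh, device) {
  const requested = acceptCh
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
  const headers = {};
  for (const hint of requested) {
    if (hint === "device-memory") {
      headers["Device-Memory"] = String(approximateDeviceMemory(device.memoryGiB));
    } else if (hint === "viewport-width") {
      headers["Viewport-Width"] = String(device.viewportWidth);
    }
  }
  return headers;
}

// Constructed sample: a spread of plausible real memory sizes in GiB.
const SAMPLE_MEMORY_GIB = [0.5, 1, 1.5, 2, 3, 4, 6, 8, 12, 16, 24, 32, 64];

// Stand-alone demo: the 13 raw sizes collapse to 5 exposed buckets.
const stats = bucketStats(SAMPLE_MEMORY_GIB, approximateDeviceMemory);
console.log(`raw sizes: ${SAMPLE_MEMORY_GIB.length}, exposed buckets: ${stats.distinct}`);
console.log(buildClientHintHeaders("Device-Memory, Viewport-Width", { memoryGiB: 12, viewportWidth: 1366 }));
```

The point of `bucketStats` is the check a practitioner would want: with the sample list, 13 distinct real values become 5 exposed values, so the header contributes roughly 2.3 bits instead of 3.7, and that reduction only holds if every browser rounds the same way, which is why the post argues the rounding belongs in the specification.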


  • Moderator

    @tarquin just pray that no-one builds a library that auto-blocks loading if the device memory isn't 1 GB or higher.

    I can see in my mind some poor misguided developer noticing that on low-end devices they have trouble running their heavy Web app... Then it's downhill from there. Before you know it all the sites are mistakenly blocking all low-end devices because they "might be incompatible", in the same way that Vivaldi "might be incompatible" with so many sites.


  • Ambassador

    @gaelle I am no web expert and I respect your knowledge about this topic (I did learn some HTML4, VBS, JavaScript, etc. many years ago, but I never got the opportunity to use it), but please consider these comments from some that know more than I... (Bold and Italics are mine)
    From Sophos Labs:
    "*...HTTP already offers a technique called proactive negotiation, which lets a server ask a browser about itself. This technique makes the browser describe its capabilities every time it sends a request, though. That takes too much bandwidth, says the IETF.

    Client Hints makes things easier. It defines a new response header that servers can send whenever they like, asking the browser for information about things like its display width and height in pixels, the amount of memory it has, and its colour depth...
    So Client Hints doesn’t seem to ask the browser for information that a server couldn’t already find by other means...*"

    And: "*And, in fact, in its security guidelines for those implementing the proposed standard, the IETF urges them not to request any information to the server that isn’t available via other means (such as HTML, CSS, or JavaScript).*"
    Note that they forgot VBS that works on the 8 users of IE based browsers.

    And from Brave: "...adding Client-Hints into the browser platform would expose an additional tracking method to block and potentially make it even more difficult to maintain a usable, private Web..."

    So it depends on whether or not we just shrug our shoulders and accept whatever is imposed by the IETF and W3C, or we stand up to say we want some privacy on the Web.
    [EDIT] What we need are "Open Standards", not ones which allow for surreptitious tracking of a site's users.



  • @greybeard said in browser concerned that W3C "Client Hints" could be abused for tracking:

    The team at Brave Browser (I've seen it mentioned on the forum many times so I know some Vivaldi users are familiar with it although I have yet to try it) are now concerned with proposals from the IETF (The Internet Engineering Task Force) and W3C (World Wide Web Consortium) to use "Client Hints" to enable websites to use "fingerprinting" to identify browsers. This will enable servers to passively identify your browser without using more common methods already available (and for the security conscious, to block). Although they do admit there being some positive aspects to "Client Hints" but they do have reservations about the fingerprinting aspect.
    For more info see the Brave Blog article.
    To see how vulnerable your browser is, (Vivaldi I hope) is to fingerprinting you can test it, or any browser, at the ELECTRONIC FRONTIER FOUNDATION's test site, Panopticlick

    Here's hoping Vivaldi will be taking a similar approach to privacy for its users.

    I tried that Panopticlick test; nothing bad that isn't already known through the browser, like what version, no cookies, and the fingerprinting just gives very basic Windows info, fonts, screen size. It did say win32 instead, when it's running win64.

