
network.preconnect [1861889]

Open Thorin-Oakenpants opened this issue 2 years ago • 12 comments

should we?

  • https://bugzilla.mozilla.org/show_bug.cgi?id=1861889
  • https://github.com/uBlockOrigin/uBlock-issues/issues/2913
  • network.preconnect

class, discuss!

Thorin-Oakenpants avatar Oct 31 '23 06:10 Thorin-Oakenpants

@pierov - is this something we should do by default for MB?

Thorin-Oakenpants avatar Oct 31 '23 08:10 Thorin-Oakenpants

is this something we should do by default for MB?

Let's see how the upstream Bug evolves, for me

PieroV avatar Oct 31 '23 09:10 PieroV

@PieroV ok, I'll try again .. the bug is web extensions, but if we're going to ship that in uBO, why not save computing power and any future potential bugs/regressions by setting the internal browser pref

Thorin-Oakenpants avatar Oct 31 '23 15:10 Thorin-Oakenpants

Yes, we could do it, but I don't know if I am the right one to explore this preference (well, at the moment I'm working on other stuff). I've opened https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42233 and I'll let richard triage it.

PieroV avatar Nov 02 '23 09:11 PieroV

https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/preconnect

Thorin-Oakenpants avatar Nov 02 '23 15:11 Thorin-Oakenpants

Open about:url-classifier and enter http://www.google-analytics.com

URL: http://www.google-analytics.com is in the list of tables: base-email-track-digest256 analytics-track-digest256

And I also see DNS requests to google-analytics.com

Set network.preconnect=false

No DNS requests to google-analytics.com

mik0l avatar Nov 03 '23 15:11 mik0l

Where is the privacy issue with DNS requests for blocked domains?

rusty-snake avatar Nov 03 '23 15:11 rusty-snake

well ... it is a "thing"

  • Title: Hide and Seek: Revisiting DNS-based User Tracking
  • Date: June 2022
  • link: https://ieeexplore.ieee.org/document/9797362
  • PDF: https://bpb-us-e2.wpmucdn.com/faculty.sites.uci.edu/dist/5/764/files/2022/04/eurosp22.pdf

I haven't read it. I'm not super qualified to assess this issue - my thoughts were tor protects, but MB (and AF) by default doesn't have a VPN, so I lodged this issue to drink about it, and push it on pierov 😁 who then pushed it on richard 😀

Thorin-Oakenpants avatar Nov 03 '23 17:11 Thorin-Oakenpants

As I understand this paper (second link), the attacker who wants to track me is the operator of my DNS (LAN Admin, ISP or Cloudflare-DNS/Google-DNS/...) or someone who compromised my DNS. The operators of the sites I visit (example.com, google-analytics.com, ...) can not track me (that way).

So let's assume that I do not trust my DNS and it is an actual threat in my threat model. Then my DNS can track that I first visited google.com, then example.com, followed by depressions-help.net. But it can not see that example.com uses google analytics.

TL;DR: DNS-based User Tracking is a thing. Is DNS-based User Tracking of tracking domains a thing?

rusty-snake avatar Nov 03 '23 18:11 rusty-snake

I see in about:networking that ssl.google-analytics.com is not blocked at all:

ssl.google-analytics.com 443 HTTP/2 true 1 0

mik0l avatar Nov 03 '23 18:11 mik0l

Can be some exceptions because of a broken site or behind-the-scene or from a restrictedDomain (where addons are not allowed). If you can narrow it down. Maybe uB logger or Browser DevTools.

rusty-snake avatar Nov 03 '23 18:11 rusty-snake

network.preconnect=true is meant to do dns+tcp+tls (uBO blocks the last 2) regardless of other prefetching settings according to chrome implementation and firefox currently works the same.