Simple questions

[Decopi]

Quoting from the author:

"We evaluated our extension with two hardened browser configurations, and found that blocking 15 of the 74 standards avoids 52.0% of code paths related to previous CVEs, and 50.0% of implementation code identified by our metric, without affecting the functionality of 94.7% of measured websites."

Please, I have the following simple questions:

1. What does it mean in quantitative terms for the real word? In other words: How many security/privacy attacks occur today in the real world (based in APIs exploits/malwares/virus/hackers etc)?
   I ask for 3 reasons: a) I don't see adds-on or security software worrying about APIs; b) I can measure the risk of exploits/malwares/virus/ransomware/hackers etc, but I don't have quantitative info about API security breaches; and c) WebApiManager is a must for privacy. But I still don't understand the size of security benefits (for the real world). Obviously I understand that attacks could happen trough APIs. My point is that I don't know if today this is happening often or rarely.

2. Even in the hypothetical case that today API security breaches are not often in quantitative terms for the real world, what about the future? It could be a trend? Are attackers trending to use APIs for hacking etc?

3. Does WebApiManager increase browser performance? Decrease? No changes?

Thank you very much!

[jawz101]

Just my ignorant opinion but when Google joined the W3C they submitted a bunch of standards that really benefit them to persist connections, make Chromebooks that basically run a browser as an operating system (so they would need standards that let them hook in and read your battery level, ambient light, create pop-up notifications, attach USB devices, scan for Bluetooth devices, and so on.)

We really don't need all of that to actually display a webpage but they market it as "the modern web." No one actually uses any of that junk for old-fashioned web pages but analytics and ad companies leverage the extra technologies to do random stuff that let them load essentially the code of a complex analytics machine that can create databases, record your actions, crunch numbers, and send results back to them...all inside the confines of your browser.

Here I turned off all tracking protection and other privacy add-ons. Then reloaded the page a few times before testing:

with WebAPI-Manager off

with WebAPI-Manager on (with the settings I use)

[pes10k]

Thanks for your questions!

1. Its difficult to measure this, and a bit it matters what counts as a "security/privacy attack". If you include canvas fingerprinting, font enumeration (using SVG, CSSOM, etc.), using SVG to fingerprint based on CPU performance, using WebRTC to leak IPs, etc, then these attacks are extremely common, and code for them is available everywhere on the web.

If you mean attacks that are in the "academically interesting, but we don't know if people use them" category, things like fingerprinting a user based on the Device Orientation, or Battery level, or ambient light, Web Audio, or (1000 others), then we know they're possible, but its hard to say how frequently they happen.

This is the same for attacks that use high resolution timers (or similar Web API standards that allow a page to get very high resolution timing information out of a page, like WebVTT, Performance Timers, etc) and things like Fetch or WebGL to breakdown process / tab isolation guarantees. These things have been shown to be possible, but I do not know whether they're done "in the wild".

On the other extreme are things like drive by downloads (and the kind of exploits that win Pwn2Own) that use implementation errors in these code bases. I have no intelligent guess how often these attacks are used outside of targeted attacks, but the existence of CVEs detailing exploitable vulnerabilities in Web API implementation code is proof that users have been vulnerable to attacks in the past (and presumably, still are, from exploits that'll be documented in future CVEs).

So, all that is to say, its difficult to say precisely (at least given the work I've done so far), but the most accurate I can say so far is "more than a little" :)

Also, of possible interest, might be the white paper that the Tor Browser folks commissioned a while ago on the vulnerabilities related to (and their motivations to restricting) access to the Web Audio, SVG, WebRTC and WebGL standards. They didn't do the same kind of analysis for other Web API standards, but they found that there was non-trivial risk to leaving them enabled.

2. I expect that, at least in privacy attacks, this will be a bigger concern, as browser vendors tamp down on the simplest forms of cookie based tracking (e.g. Apple's cookie management in new versions of Safari, Firefox's private browsing modes seem to be moving in this way too, etc.). I'm certain that advertising / tracking parties will increasingly move to other ways to fingerprint and identify users (and that those ways will most of the time rely on semi-esoteric Web API features).

3. Depends! There is a (small) fixed cost to instrumenting the DOM for each page load, but that fixed cost may save you a lot of cycles that'd be spent on the standards you've blocked. So, whether the fixed cost instrumenting cost >> the saved Web API use cycles will depend on what you block, and what each page wants to do.

[jawz101]

I'd like to see if I can figure out the Bluetooth API. I imagine that's becoming popular with Google and Facebook at least. What with Google's Physical Web and their EddyStone Bluetooth Beacons send stuff to your Android Google Chrome browser it is just more attack surface.

Here's a good marketing spiel:
https://www.youtube.com/watch?v=1yaLPRgtlR0

Some guy playing with his Bluetooth beacons
https://www.youtube.com/watch?v=ZX8POs89TBU

It seems like the past few Bluetooth versions keep adding new profiles and specs to support low energy scanning and advertising. You may be interested in a low-power smartwatch connection but the other reasons for the interest in low energy is ability to put little plastic thingies all over a store and send you links to popup coupons or target ads as you surf the Internet when you get home.

[pes10k]

@jawz101 I think adding the bluetooth API is a great idea to the set of watched / managed standards, that'd be terrific!

Could you open an issue for it? I'd happily accept a PR for it over there

[jawz101]

I'm about to get to that step. I need to learn how to set up the way to build add-ons so I can test unless you'll take files I just edit on here. The whole version control system and building add-on thing looks like a pain.

[pes10k]

Sounds good, but lets move this conversation to a new issue, since I don't think its directly relevant to the main topic here. If you open an issue for the Bluetooth API, I'm happy to help however i can over there. :)

[Decopi]

@jawz101 thank you for your answer.

I am not sure that measuring one single page, it will answer my question #3. But again, thank you for the try.

Changing subject, please answer me if you want:

1. What are your WebApiManager' (WAM) settings?
2. Do you use WAM for privacy? Or for security? Or for both?
3. What other privacy/security adds-on do you use?
4. Is WAM complementing or overlapping your other adds-on?

I believe WAM is a must for privacy.
I understand WAM has benefits for security. But I am trying to understand the level of benefits in security considering the following equation:
a) RAM consumption/browser performance in general
b) Overlapping with other adds-on (UMatrix blocks most of the unnecessary stuff, therefore already blocks APIs use)
c) Use of WAM in real world (the wild) against security breaches
d) Level of APIs danger compared with other dangers/risks (JAVA, Flash or conventional malwares/exploits/ransomware etc)
Any thoughts on that?

[Decopi]

@snyderp many thanks for your answers!

I totally agree with most of your comments. But just about:

... my #3 question: Yes, I understand that performance will depend on each webpage. But I thought that perhaps you already tested, let's call it a kind of "informal average perception", about WebApiManager' (WAM) performance. I read your interesting articles, you did a lot of test, so what is your "informal average perception"? For example, those 90% of webpages that worked fine with 15 APIs (standards) blocked by WAM... browser performance was better? Worst? No change?

... Tor Browser: In my opinion is not a comparison parameter, because is focused in privacy. I believe that when we talk about trends, we should compare with most used browsers. And as I said, I don't see in the market a lot of adds-on or security/privacy software focused in APIs. This open a doubt in my mind, about WAM use in the real world, the wild. But as you answered my #2 question, I tend to agree with you that APIs (standards) might transform into a increasing risk. Exploits and ransomware are a good example, that new attacks could appear from anywhere at anytime. In this context, WAM seems to me more proactive, avoiding potential dangerous attacks. In the worst case, WAM is another great security layer.

My guess is that WAM is going to evolve.
I believe first we are going to see a kind of WAM layout evolution. Perhaps into a kind of matrix, allowing a more friendly granular control of active APIs in each webpage. Each page only with its active APIs.
Also, an enable/disable switch will be nice. Temporary rules, idem.
In a second stage, I believe WAM will evolve to new controls, functions, filters etc.
In brief, my guess is that WAM will grow becoming, not just a complementary, but an indispensable add-on.
Hope I am right lol :)

I liked WAM.
I already wrote my review giving you 5 stars. But again, congrats and thank you!

[jawz101]

It was on Firefox Nightly, no other addons, Tracking Protection turned off in Firefox's Privacy and Security tab... I just wanted to see what that one web page contained. You'd be surprised how many extra domains you visit besides just the one you visit. I picked androidpolice.com because it's particularly full of 3rd party bloat. Another addon you can try is Firefox Lightbeam to see how many 3rd party sites you connect to on a single page. Or uBo Scope works in both Firefox and Chrome

you should be able to import this into the import window

[{"pattern":"(default)","standards":["Ambient Light Sensor API","Battery Status API","Beacon","CSS Conditional Rules Module Level 3","CSS Font Loading Module Level 3","Console API","DOM Level 2: Traversal and Range","DOM Parsing and Serialization","DeviceOrientation Event Specification","Encrypted Media Extensions","Gamepad","Geolocation API","Geometry Interfaces Module Level 1","HTML: Broadcasting","HTML: Channel Messaging","HTML: History Interface","HTML: Plugins","HTML: Web Sockets","HTML: Web Workers","High Resolution Time Level 2","Indexed Database API","Media Capture and Streams","Media Capture from DOM Elements","MediaStream Recording","Navigation Timing","Page Visibility (Second Edition)","Payment Request API","Performance Timeline","Performance Timeline Level 2","Performance Timeline Level 2","Pointer Lock","Proximity Events","Push API","Resource Timing","Scalable Vector Graphics (SVG) 1.1 (Second Edition)","Screen Orientation API","Service Workers","Shadow DOM","The Screen Orientation API","Timing Control for Script-Based Animations","UI Events Specification","URL","User Timing Level 2","Vibration API","Web Audio API","Web Notifications","Web Speech API","WebGL 2.0","WebGL Specification","WebRTC 1.0: Real-time Communication Between Browser","WebUSB API","WebVR","WebVTT: The Web Video Text Tracks Format","execCommand"]}]

2. First, I'll say the other reasons. It saves data, lowers webpage overhead, removes distracting web content, and especially, with today's quality of content, I'd rather not incentivize some sites.

As for privacy vs. security: both. I think privacy is an outcome of security. Whether I get data taken from me because of a security vulnerability or because I consented to some small fine-print in a Terms of Service, if I cannot see what is taken from me in real-time, that's not fair to me. Consent to my private data shouldn't mean free reign to pull it over encrypted channels that I cannot view myself.

3. I use a few built-in browser features
   tracking protection and disable 3rd party cookies
   about:config preferences to tighten security a little

...and then I use a mixture of addons.
Sometimes I use uBlock Origin, Decentraleyes but I don't always like the idea of blocklist-based blocking. They contain blocking rules for old domains, domains I'll never visit, and don't cover what new tracking companies come out with until after the fact.

I'd prefer add-ons that either learn from your browsing habits or strip functionality out completely because they'd hopefully be lightweight and also catch new stuff. Add-ons such as Privacy Badger (learns), NoScript (train it yourself), WebAPI Manager (strip stuff out completely).

4. This is tricky. If I visit androidpolice.com and that domain contained code on their domain to look at my Ambient Light Sensor data, for example, it would block androidpolice.com from reading my Ambient Light Sensor but also any 3rd party domain that may also pull that stuff. Everyone is blocked.

NoScript could be prevent that from happening as well as any other resources that domain might load. It's like not letting the door open in the first place. uBlock can do the same thing as NoScript in that regard but it mainly works off of blocklists maintained by volunteers. Their blocklists will try to carve out the exact piece of tracking code on a 3rd party site but still may let it load, say, images from that 3rd party.

Web pages load HTML which could contain pictures and words and scripts made by them, but then to make money, they throw in some code that 3rd party scripts that can execute code to load a 3rd party ad that also contains its own scripts which try to display an add and read your proximity, scan for Bluetooth devices or whatever.

Imagine if your computer has Bluetooth and your phone has Bluetooth and you visit the same web pages on each. Each device uses the Bluetooth API and scans for nearby devices. Now they know that computer and phone are probably owned by the same person. Lets say they use the Sensor API to monitor the gyroscope, accelerometer, light sensor, and barometer. And I have GPS turned off. Well, it's sunny out here right now and at some point the sun will go down. That happens for my timezone. My barometer in my phone could tell them the air pressure where I am. The motion sensors tell them I'm driving or walking, or sitting on my ass. You may get a good idea where I am and what I'm doing, how fast I type. All sorts of junk. And then I'm signed onto Google on my phone, they put all of this together and sell it to someone with a unique ID or whatever to serve me more junk.

And there are this many companies doing that right now. They have little bits of code on their sites with instructions on how to tell a website developer to add a few lines of their code to start the process. The web developer signs up for an account with that agency, puts in their mailing address, adds the code to their website, and collect a paycheck.

This guy makes a poster to show how the number of companies that offer monetezation services has increased every year.

http://chiefmartec.com/2016/03/marketing-technology-landscape-supergraphic-2016/

Some focus on sensor data. Others on other stuff. Even with an ad blocker they will try to identify you with all of these other capabilities of your browser or other devices.

[jawz101]

If you're just starting down this road :) I'd start by installing that Mozilla Lightbeam to get a good visualization of how many 3rd parties 1 single site fetches from to display that one single web page. And then visit another web page. And a few more. Then see how they start sharing the same information with one another. That's where the tracking begins.

[Atavic]

• If you use Tracking Protection or SafeBrowsing you're tracked: Firefox connections on about:blank page pyllyukko/user.js#20

• Note how Content delivery networks are on most sites, easily tracking your habits through the sites you visit, you can bypass most of them with decentraleyes

[jawz101]

@Atavic yeah, I've looked at each of those features, read about the rationale of them, tried them off and on, and at some point I flip flop on what I want to choose. I'm fine with malware and tracking protections out of the box, and OCSP certificate validation.

I'm also fine with submitting telemetry and crash reports because they're for the sake of the product. They're not really privacy or security concerns, in my mind. From an "I want my browser to be as quiet as possible" or that something else is already doing that exact same thing for me"

That profile is a bit too extreme for me but I'm glad they question everything.

[Decopi]

@jawz101 ,what a good detailed answer! Thank you!
I agree with most of your comments. But we must analyze WAM taking into account other existent privacy/security adds-on.

For example, please let me share my case. I am using UMatrix (3rd-parties blocked, cookies/frame/other globally blocked, and no hosts files for the same reasons you pointed). So, I am not surprised about the tons of extra domains you mentioned. My UMatrix’ settings block almost all the garbage, without breaking 90% of the webpages I use to visit everyday. However, I have not the paranoid profile and I have great concern with performance, so I hate adds-on overlapping. That’s the reason I use just plain UMatrix for privacy/security (no extra ad-blockers, anti-trackers, hosts, cookie managers etc, not even built-in tracking protection/SafeBrowsing etc). I don’t like to mess with the "about:config" for security/privacy, because always creates me lot of incompatibilities.
I did many test comparing lot of security/privacy adds-on, and my personal conclusion is that UMatrix is not perfect, but presently is the most complete security/privacy add-on, with great performance/less system browser impact.
My UMatrix’ settings left me to worry just with a small group of 1st-parties webpages. Most of them, I totally accept tracking/ads etc. I repeat, I am not paranoid, so I understand that these websites need cookies, tracking, ads and nasty stuff for functioning. And I don’t really have great concerns about security with this wepages, because I have external security software (for paranoids, Bitdefender has a nice add-on for online browser security, very lightweight and efficient).

In this context, today I am evaluating WAM.
Considering that my UMatrix is blocking most of the garbage, then APIs remain untouched by this garbage.
So in my case, WAM is taking care of privacy issues that my UMatrix’ settings don’t (and I am very happy with this!!!!!!). But regarding WAM and security issues, I don’t know. This is what I am trying to learn and understand here in our conversation. I read Peter’ articles and I read the answers here to my questions. But having UMatrix already blocking most of my stuff, I still need some time with WAM, to understand the complementary security benefits working along with UMatrix (or other adds-on). I can brief my WAM ignorance, by saying that I am interested in learn and understand WAM security benefits when WAM works with other security adds-on.

Perhaps in a near future, with a WAM’ evolution, allowing more granular control, more filters etc, the picture of WAM security benefits will be more clear in my case with UMatrix.

Again @jawz101, thanks a lot for your detailed answer.

PS1: My default WAM’s settings are “block all”. Only when I find a webpage breaking, I use the other preset categories (Lite, Conservative, Aggressive). I prefer to wait for future WAM’ versions, in order to customize webpages with individual settings. The present WAM' layout is not friendly for me.

PS2: As you, I also prefer adds-on that either learn from your browsing habits or strip functionality. The problem is that PrivacyBadger blocks only 3rd-parties trackers, and even at 3rd-parties misses a lot (there is a study comparing blocking rates). And the other adds-on, are terrible in RAM, performance, system resources impact etc. Even Ghostery or Disconnect are much worse in performance than UMatrix. About NoScript, in my opinion is unpractical, in the sense that breaks everything for working.

[Atavic]

For a good example of integrating various webextensions: arkenfox/user.js#211 (comment)

You can add WAM to it.

[Decopi]

@Atavic , today I tested "SriptSafe" (SS).
It is the first time I see in just one add-on, a kind of fusion of the most important other security/privacy adds-on over there. It has a bit of UMatrix (UM) and even a bit of WAM (offering to block APIs).

Independently on my doubts about WAM security benefits working along with UM, WAM is a must for privacy.

However, SS offers a second alternative to UM + WAM, by presenting a kind of all-in-one add-on. I am not saying that SS is better than UM + WAM (the choice is up to each user). But, I am saying that perhaps all-in-one add-on, could be better in terms of performance, less system resources, less incompatibilities issues etc.

I read the link you posted (thank you), and many comments there talk about adds-on overlapping of functions, and also about lot of incompatibilities issues (NoScript + UMatrix/Ublock + Ghostery etc). It seems that sometimes as long as we add more and more adds-on, not only we consume more RAM and performance, but also we create more incompatibilities.

I will keep UM + WAM (for privacy).
But also I will keep SS for a while, learning and comparing which one is the best alternative for me.

In my case, as I mentioned in previous comments, the winner will be the add-on with the most friendly granular control offered. If WAM evolves in this way, it will be a must for me not only for privacy but also for security.

PS: I asked to add WAM to GHACKSUSER list of recommended adds-on.

[jawz101]

Well, I've liked NoScript on Firefox and ScriptSafe on Chrome. Now NosScript can do uMatrix granularity but the interface turned to garbage. I've actually have a post on their forums with this design proposal and someone else on the forums did a mockup incorporating some of the ideas here.

In the end, if NoScript gets a facelift and works out some of the kinks I'll switch back to it. Right now it's uBlock Origin in medium mode + Decentraleyes + WAM + Privacy Badger but I will switch out the uBlock for NoScript if it gets better. ScriptSafe is the most usable interface though it is so feature-packed you have to tinker some.

Plus, I'm looking for ones that work on both desktop and Android. ScriptSafe doesn't so far. He's still working on the differences between Chrome and Firefox.

[Decopi]

@jawz101 nice your NoScript design proposal.
I hope you will have same inspiration for a WAM design proposal.

NoScript is a good example that a great and powerful tool may become garbage, if it is not friendly for users.
As I said, today WAM is great. But my guess is that a granular control, a kind of UMatrix control, with a "y" axe (columns) showing domains/sub-domains, and a "x" axe (rows) showing APIs, in my personal opinion it will increase security, just because it will be a more friendly approach for users, allowing to easily customize block/unblock active APIs per webpage.

Today with WAM, I personally can't make a webpage customization, with a plain list of 80 APIs. So sadly, I can't take full advantage of WAM, and it remains a limited privacy tool for me. Google page is a "real world" example, where I need to "allow" all in WAM, in order to unbreak the page. I just can't sit hours testing each API.

Who knows, you will have great ideas for a WAM design proposal.
If I am right in my "user logic", a more friendly granular WAM control, will result in more privacy/security WAM benefits.