Closed Bug 1816064 Opened 3 years ago Closed 3 years ago

Implement the random seed generating mechanism for randomizing browser fingerprinting

Categories

(Core :: Privacy: Anti-Tracking, task)

Product:
Core
Component:
Privacy: Anti-Tracking
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox112 --- fixed

People

(Reporter: timhuang, Assigned: timhuang)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fpp:m2])

Attachments

(4 files)

Bug 1816064 - Part 1: Implement the session key for generating the random noise key for fingerprinting randomization. r?tjr
48 bytes, text/x-phabricator-request
Details | Review
Bug 1816064 - Part 2: Implement the fingerprinting randomization key to cookieJarSettings. r?tjr!,pbz!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1816064 - Part 3: Add tests for fingerprinting randomization key generation. r?tjr
48 bytes, text/x-phabricator-request
Details | Review
Bug 1816064 - Part 4: Don't generate randomization key if unnecessary. r?tjr
48 bytes, text/x-phabricator-request
Details | Review

To support adding random noises to the browser fingerprinting, we need to have a way to generate the random seed for the noises. The random seed should be consistent within the browsing session to prevent fingerprinters from canceling the noises by inspecting multiple samples of the browser fingerprint. In addition, we should generate different random seeds under distinct top-level domains to prevent third-party tracking by using the browser fingerprint.

We need to generate a new seed when the browsing session ends. It means we need to reset the seed when

  • The browser restarts
  • The private browsing session is ended
  • We can consider resetting the random seed daily to protect long-live sessions.

The random seed can be kept in the CookieJarSettings because it's tied to the top-level domain once created and remain consistent until the tab closes.

Blocks: 1816189
Blocks: 1816381
Blocks: 1816389
Status: NEW → ASSIGNED

This patch implements the session key that will be used to generate the
random noise for fingerprinting randomization. The session keys will
live in the nsRFPService in the parent process only. nsRFPServices holds
two session keys for normal and private windows respectively. The
lifetime of normal sessino key is tie to the Firefox; it resets with
Firefox restarts. For private session key, it resets when the private
session ends. i.e. all private windows are closed.

This patch adds a fingerprintingRandomizationKey to the
nsICookieJarSettings. The random key will be generated when loading a
top-level http channel and set to the cookieJarSettings. The key will
propagate to the top-level documant and all sub-documents with the
cookieJarSettings. Accessing the fingerprintingRandomizationKey will
return an error if the fingerprinting randomization is disabled.

Depends on D170603

We don't need to generate the randomization key if fingerprinting
protection is disabled. This could happen if fingerprinting protection
is disabled or exempted from normal windows. In these cases, we don't
need to generate the key, which can save us the cost of generating the
key.

Depends on D170605

Pushed by tihuang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/68074ac5a154 Part 1: Implement the session key for generating the random noise key for fingerprinting randomization. r=tjr https://hg.mozilla.org/integration/autoland/rev/f605a7ddf950 Part 2: Implement the fingerprinting randomization key to cookieJarSettings. r=tjr,pbz https://hg.mozilla.org/integration/autoland/rev/42dd4e8f265f Part 3: Add tests for fingerprinting randomization key generation. r=tjr https://hg.mozilla.org/integration/autoland/rev/5cbc00f75b56 Part 4: Don't generate randomization key if unnecessary. r=tjr
Regressions: 1820059
Regressions: 1821545
Regressions: 1821748
Whiteboard: [fpp:m2]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: