-
Notifications
You must be signed in to change notification settings - Fork 214
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Identifying the noisy topics #75
Comments
My understanding here is that there is a fixed process that occurs in any given top-level browsing context.
The process would use a PRG as its random source with the seed being determined by the top-level site identity and epoch1. As a result, all third-party content would draw the same random values. The only difference in the result would be that genuine topics would not be seen by a site that wasn't able to witness that topic (the bit in italics). So yes, this would result in only the random topics being shown to the unique site (your "attack endpoint", though I would frame all sites as attackers here), which could then inform other sites which topics were random. There is a low probability of a random topic also being genuine, meaning that this trick could filter out those topics, but that is low enough a chance to disregard. An attacker needs a fairly large pool of sites in order to be sure that users haven't seen them call the API before. Getting a domain you control on the PSL is the easiest way to do that. You can't get wildcard certificates for those domains after doing that (though maybe before... ) but running ACME is possible. It is also possible to determine that a randomized topic is thus if you receive a topic more than once. This takes multiple weeks as you have to wait for the topic to disappear. But just one repetition makes it extremely likely (>99%) that it is genuine. Footnotes
|
It seems to me that the current specs of the API may enable a simple and practical attack to identify the noisy topics, which could thus be filter out by the DSPs.
This attack relies on those two rules:
A direct consequence of those rules is that if a caller never observed any user before, then any topic it would receive is a random topic.
An attacker could thus call the API with two distinct endpoints:
Ensuring that an endpoint never observed the user may be non trivial, but a simple proxy would be to use as a caller the site the user in on. Any topic returned to this caller which is not the topic assigned to that site is thus a random topic.
What are your thoughts on this?
The text was updated successfully, but these errors were encountered: