Impact on network traffic monitoring solutions #101
Comments
|
Network traffic monitoring solutions will continue to have access to the same info. Enterprise/Edu admins will also have access to group policies that control all speculative features (at least this is the plan for Chrome; I haven’t checked the current stance in other browsers). |
|
Let me close this issue for now. Please reopen if there are any follow-ups needed. |
|
Understood that networks with traffic monitoring will keep the same access for the purpose of enforcing network content policies. My question was about how a prerendered page - one the user hasn't actually visited - could be used by a hostile actor (who is monitoring network traffic) to incriminate the user. Particular examples could be: a work place looking to discredit an employee who is attempting to unionize workers; or a corrupt government authority set out to "find" evidence that would get the devices of an investigative journalist seized by law enforcement (where said law enforcement may not be well versed in what a prefetch header is). I recognise there are existing ways to plant evidence of unwholesome web browsing activity - but that doesn't mean its okay to introduce functionality to the web platform that lowers the bar to doing so. I'm just hoping to flag less mainstream threat models that may affect particularly vulnerable people, to make sure they get adequate attention. |
|
Is the concern that the attacker (1) controls the referring website and (2) uses it to trigger prerenders to a "unwholesome" site for a user, and then (3) monitors the network for the requests to the "unwholesome" site? Could they achieve the same thing just using normal fetches from the referring site? |
|
The concern is about the threat of (3), the attacker doesn't need control per (1). |
|
Sorry, I may not have been clear. I am just wondering if prerendering adds capabilities in this scenario. Some entity is triggering the prerender of the "unwholesome" site to plant evidence, and the way they would trigger that prerender is by controlling a referring page. I am trying to understand if they could just trigger a normal fetch from the referring page for the unwholesome site, which would look the same from the point of view of the network monitor. |
|
The prerender may have been triggered by a naive implementation by the referring site, or as a result of opaque UA heuristics for deciding what to prerender, not necessarily by a malicious referrer. As I said in my earlier comment:
In general I'd be interested to know more about how network monitoring systems differentiate between a normal request triggered explicitly by the user in the UA, a prerendered that the UA has decided to do on behalf of a user, and a fetch request made by a site without the users knowledge. But the feature being introduced here is the prerendering speculation rules, so that is specifically what I'd like to make sure is considered with regards to this potential threat. |
|
For the purpose of w3c tag review That said, we could discuss these scenarios to inform future cross-origin plans. |
|
I think the threat may exist for same origin, but if you think it makes sense to file a separate issue that's fine, thanks @KenjiBaheux. |
|
Let's discuss over issue #155. For the same origin case, I don't see how this would work because the network monitoring services would typically not see the URL, just the hostname which it already saw when the user landed on the website that triggered the prerendering. Feel free to open a new issue with a specific same-origin scenario if I'm missing something. |
What about other kinds of network traffic monitoring? (Imagine, for example, that a site links to illegal content, and the browser prerenders that - would it appear that the user has visited a page with illegal content if their network was being monitored?)from issue #90 by @rhiaroThe text was updated successfully, but these errors were encountered: