GoogleChrome/ip-protection GoogleChrome/ip-protection

  • Stars
    star
    147
  • Rank 242,271 (Top 5 %)
  • Language
  • License
    Apache License 2.0
  • Created about 1 year ago
  • Updated 22 days ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
GoogleChrome/ip-protection
github

GoogleChrome

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

IP Protection (formerly known as Gnatcatcher)

Introduction

As browser vendors make efforts to provide their users with additional privacy, the user’s IP address continues to make it feasible to associate users’ activities across origins that otherwise wouldn’t be possible. This information can be combined over time to create a unique, persistent user profile and track a user’s activity across the web, which represents a threat to their privacy. Moreover, unlike with third-party cookies, there is no straightforward way for users to opt out of this kind of covert tracking.

In addition to being used as a possible tracking vector, IP addresses have been and will continue to be instrumental in routing traffic, preventing fraud and abuse, and performing other important functions for network operators and domains.

Therefore, any IP address privacy solution must account for both user privacy and the safety and functionality of the web. This proposal initially focuses on efforts where IP addresses are most likely to be used as a vector for tracking in a third-party context.

IP Protection will evolve and broaden over time in conjunction with ecosystem changes to continue to protect users’ privacy from cross-site tracking.

Cross-site tracking and the role of IP addresses

There are various definitions for “tracking” used in the web ecosystem. We will initially use Mozilla’s definition for cross-site tracking as it has served as an inspiration for other browser policies.

Mozilla defines tracking as “...the collection of data regarding a particular user's activity across multiple websites or applications (i.e., first parties) that aren’t owned by the data collector, and the retention, use, or sharing of data derived from that activity with parties other than the first party on which it was collected.”

Browsers are moving against cross-site tracking. For Chrome, this includes phasing out third-party cookies and limiting fingerprinting, while ensuring the web stays healthy and vibrant. One way to limit fingerprinting is by limiting sources of identifiable information such as IP addresses.

An IP address is an effective cross-site identifier as it is highly unique, relatively stable, cheap to collect and the applications of IP addresses by websites are not detectable by the browser. Therefore limiting access to IP addresses is important to prevent other methods of cross-site tracking beyond third-party cookies.

Based on how impactful IP addresses are for tracking, it would make sense to first focus on third parties identified as potentially using IP addresses for web-wide cross-site tracking. We’ll explore leveraging methods similar to other browsers and existing lists that identify these third parties.

Chrome’s evolved focus on third-party tracking has emerged from feedback received on the Gnatcatcher proposal. Chrome wants to focus on behaviors that are most likely to be using IP for tracking users across sites in ways that might not align with user expectations of privacy. Chrome will work with the ecosystem to help preserve privacy while not breaking key uses on the web.

Proposal

Chrome is reintroducing a proposal to protect users against cross-site tracking via IP addresses. This proposal is a privacy proxy that anonymizes IP addresses for qualifying traffic as described above.

Goals

  • To improve user privacy by protecting users’ IP addresses from being used as a tracking vector.
  • To minimize disruption to the normal operations of servers, including the use of IP addresses for anti-abuse by first party sites, until there are alternative mechanisms in place.

Privacy Proxy

Core requirements

  • the destination origin doesn’t see the client’s original IP address
  • the proxy and network intermediaries are not privy to the contents of the traffic.

To meet these requirements, this proposal prioritizes proxying eligible third-party traffic through the Privacy Proxy.

This will use CONNECT and CONNECT-UDP (with MASQUE), to forward traffic. There is an end-to-end encrypted tunnel via TLS, from Chrome to the destination server.

We are considering using 2 hops for improved privacy. A second proxy would be run by an external CDN, while Google runs the first hop. This ensures that neither proxy can see both the client IP address and the destination. CONNECT & CONNECT-UDP support chaining of proxies.

Anti-abuse

There are several anti-abuse concerns for proxied third party traffic:

  • defensibility of the proxy, a compromised proxy may be used to deploy attacks
  • disruption of existing DoS defenses
  • disruption of existing defenses for fraud and invalid traffic detection

To limit abuse of the proxy, we are considering the following non-exhaustive set of anti-abuse protections:

  • user authenticates to the proxy
    • this will require a user account
    • auth tokens will be issued and redeemed at the proxy
  • proxy shouldn’t be able to correlate traffic to user account
    • blinded signatures will be used
  • limit abuse with harvesting of auth tokens
    • rate limit tokens per account
    • token expiry

In addition to preventative measures, we are also looking for opportunities to allow websites to report DoS and other abuse. Additionally, we are actively exploring new anti-abuse defenses to enable third party services to prevent abuse and fraud.

GeoIP

IP-based geolocation is used by a swath of services within proxied third party traffic to comply with local laws & regulation and serve content that is relevant to users, such as: content localization (e.g. language), local cache assignment, and geo targeting for ads. To support these needs, the Privacy Proxy will assign IP addresses that represent the user’s coarse location, including country.

Longer term

Long term solutions will evolve and will be shaped in conjunction with the ecosystem. We will collaborate with ISPs, CDNs, third parties, and destination sites towards the end-state of privacy proxies for the web. For instance, ISPs and CDNs are well suited to operate privacy proxies.

As IP Protection evolves, we believe policy will have a part in the overall solution to address circumvention by websites. When needed, we'll develop the policy and seek input from the ecosystem. Our intent for a policy within the proposal will be to encourage web services to be accountable for the usage and sharing of client IP addresses given the sensitivity of IP as an identifying data point. By creating transparency around the use of IP addresses, we hope to promote industry accountability regarding how IP addresses are accessed and used in the web ecosystem.

We welcome feedback on this proposal, especially with regard to some of the open questions we are considering.

More Repositories

1

lighthouse

Automated auditing, performance metrics, and best practices for the web.
JavaScript
27,804
star
2

chrome-extensions-samples

Chrome Extensions Samples
JavaScript
13,907
star
3

workbox

📦 Workbox: JavaScript libraries for Progressive Web Apps
JavaScript
12,091
star
4

web-vitals

Essential metrics for a healthy site.
JavaScript
7,111
star
5

lighthouse-ci

Automate running Lighthouse for every commit, viewing the changes, and preventing regressions
JavaScript
6,210
star
6

rendertron

A Headless Chrome rendering solution
TypeScript
5,926
star
7

samples

A repo containing samples tied to new functionality in each release of Google Chrome.
HTML
5,709
star
8

web.dev

The frontend, backend, and content source code for web.dev
Nunjucks
3,544
star
9

dialog-polyfill

Polyfill for the HTML dialog element
JavaScript
2,425
star
10

web-vitals-extension

A Chrome extension to measure essential metrics for a healthy site
CSS
2,318
star
11

accessibility-developer-tools

This is a library of accessibility-related testing and utility code.
JavaScript
2,274
star
12

developer.chrome.com

The frontend, backend, and content source code for developer.chrome.com
HTML
1,660
star
13

custom-tabs-client

Chrome custom tabs examples
Java
1,399
star
14

chrome-launcher

Launch Google Chrome with ease from node.
TypeScript
1,166
star
15

proxy-polyfill

Proxy object polyfill
JavaScript
1,127
star
16

omnitone

Spatial Audio Rendering on the web.
JavaScript
840
star
17

devtools-docs

The legacy documentation for Chrome DevTools.
HTML
686
star
18

android-browser-helper

The Android Browser Helper library helps developers use Custom Tabs and Trusted Web Activities on top of the AndroidX browser support library.
Java
655
star
19

chromium-dashboard

Chrome Status Dashboard
Python
624
star
20

OriginTrials

Enabling safe experimentation with web APIs
Bikeshed
520
star
21

audion

Audion is a Chrome extension that adds a Web Audio panel to Developer Tools. This panel visualizes the web audio graph in real-time.
TypeScript
357
star
22

related-website-sets

Python
282
star
23

chrome-app-codelab

The goal of this tutorial is to get you building Chrome apps fast. Once you've completed the tutorial, you will have a simple Todo app. We've done our best to capture some of the trickier parts to the development process keeping the sample simple and straightforward.
JavaScript
214
star
24

lighthouse-stack-packs

Lighthouse Stack Packs
JavaScript
207
star
25

CrUX

The place to share queries, ideas, or issues related to the Chrome UX Report
Jupyter Notebook
201
star
26

inert-polyfill

Polyfill for the HTML inert attribute
JavaScript
188
star
27

chrome-types

Code to parse Chrome's internal extension type definitions—published on NPM as chrome-types
JavaScript
157
star
28

devtools-samples

Samples for demonstrating DevTools features.
HTML
149
star
29

CertificateTransparency

HTML
139
star
30

browser-bug-search

Search across all major browser vendor issue trackers
JavaScript
113
star
31

multi-device

Chrome multi-device (mobile) docs
HTML
102
star
32

kino

A sample offline streaming video PWA built for web.dev/media
JavaScript
92
star
33

jank-busters

Resources for jank busting on the web.
JavaScript
64
star
34

webstore-docs

Developer docs for Chrome Web Store:
HTML
64
star
35

budget.json

37
star
36

private-tokens

37
star
37

webdev-infra

JavaScript
36
star
38

.github

10
star
39

.allstar

7
star
40

CertificateTransparency-todelete

HTML
7
star
41

lighthouse-plugin-example

JavaScript
1
star