On Wed, May 8, 2024 at 1:26 PM Neil Madden <neil.e.mad...@gmail.com> wrote:

> Looking at these slides again, and at the spec, does this even work to
> defeat tracking? The browser makes two requests to the IdP prior to getting
> consent from the user:
>
> 1. To lookup the accounts of the user (identifying the user)
> 2. To lookup the metadata of the client (identifying the RP).
>
> Isn’t it rather trivial for a tracker posing as an IDP to correlate these
> two requests? The privacy considerations talk about IP addresses and timing
> ways to correlate
>

The timing attack <https://fedidcg.github.io/FedCM/#timing-attacks> is the
one that we think we are most vulnerable to at this layer, but we know how
to (a) detect it and (b) address it (e.g. by introducing UX friction).

IP addresses are also a problem, but we think it will be best addressed at
a different layer:

For example, in Chrome:
https://developers.google.com/privacy-sandbox/protections/ip-protection

and Safari:
https://support.apple.com/en-gb/guide/iphone/iph499d287c2/17.0/ios/17.0


> , but there are plenty of others.
>

Outside of the timing attack and IP masking, can you expand on what else an
attacker could use to track the users?

Browsers are working towards removing every bit of entropy that can be used
for fingerprinting, so I'm curious if anything occurred to you that isn't
being actively worked on. For example:

https://github.com/WICG/ua-client-hints#explainer-reducing-user-agent-granularity


> — Neil
>
> On 8 May 2024, at 13:34, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
> wrote:
>
> 
> Attached is the slide deck presented during this meeting.
>
> The following is a link to the meeting video recording:
> https://www.youtube.com/watch?v=cngVbSkEYL8
>
> Regards,
>  Rifaat
>
>
> On Thu, Apr 25, 2024 at 1:01 PM Rifaat Shekh-Yusef <
> rifaat.s.i...@gmail.com> wrote:
>
>> OAuth WG Virtual Interim - FedCM
>> The Web Authorization Protocol (oauth) WG will hold a virtual interim
>> meeting
>> on 2024-05-07 from 12:00 to 13:00 America/Toronto (16:00 to 17:00 UTC).
>>
>> Agenda:
>> FedCM update and discussion
>> https://fedidcg.github.io/FedCM/
>>
>> Information about remote participation:
>> https://meetings.conf.meetecho.com/interim/?group=06583774-aede-401e-aa29-4ed8f23365b8
>>
>>
>>
>> --
>> A calendar subscription for all oauth meetings is available at
>> https://datatracker.ietf.org/meeting/upcoming.ics?show=oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> <IETF-OAuthInterim24-FedCM.pdf>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
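As an added illustration (not code from this thread, the FedCM spec or any browser), here is a small Python model of the pre-consent correlation Neil describes: an IdP log that interleaves credentialed accounts fetches and uncredentialed client metadata fetches from many users, a tracker that links each client metadata fetch to the nearest accounts fetch in time, and the same log when the client metadata fetch is decoupled from the accounts fetch by a user gesture. That decoupling is this example's assumption about what "UX friction" could look like, not a description of what browsers actually do.

```python
"""Toy model of the FedCM pre-consent timing correlation and one mitigation."""
import random

ACCOUNTS = "accounts"           # credentialed fetch: the cookie identifies the user
CLIENT_METADATA = "client_md"   # uncredentialed fetch: client_id identifies the RP


def simulate_idp_log(flows, horizon_s, delay_fn, rng):
    """Constructed IdP-side log. Each sign-in flow yields an accounts fetch at a
    random time t0 and a client metadata fetch delay_fn() seconds later."""
    events = []
    for flow in range(flows):
        t0 = rng.uniform(0, horizon_s)
        events.append({"t": t0, "kind": ACCOUNTS, "cookie": f"user{flow}", "flow": flow})
        events.append({"t": t0 + delay_fn(), "kind": CLIENT_METADATA,
                       "client_id": f"rp{flow % 7}", "flow": flow})
    events.sort(key=lambda e: e["t"])
    return events


def correlate_by_timing(events):
    """Naive tracker: link every client metadata fetch to the accounts fetch
    closest in time. Returns {flow: guessed_cookie}."""
    accounts = [e for e in events if e["kind"] == ACCOUNTS]
    links = {}
    for e in events:
        if e["kind"] == CLIENT_METADATA:
            nearest = min(accounts, key=lambda a: abs(a["t"] - e["t"]))
            links[e["flow"]] = nearest["cookie"]
    return links


def correlation_accuracy(events):
    """Fraction of client metadata fetches the tracker tied to the right user."""
    links = correlate_by_timing(events)
    correct = sum(1 for flow, cookie in links.items() if cookie == f"user{flow}")
    return correct / len(links)


def compare(flows=100, horizon_s=120.0, seed=7):
    """Back-to-back fetches (tens of ms apart) versus fetches separated by a
    user gesture (assumed here to take 2-30 s). Returns (accuracy, accuracy)."""
    rng = random.Random(seed)
    back_to_back = simulate_idp_log(flows, horizon_s, lambda: rng.uniform(0.02, 0.08), rng)
    rng = random.Random(seed)
    gated = simulate_idp_log(flows, horizon_s, lambda: rng.uniform(2.0, 30.0), rng)
    return correlation_accuracy(back_to_back), correlation_accuracy(gated)


if __name__ == "__main__":
    tight, gated = compare()
    print(f"back-to-back: {tight:.2f}  user-gesture gated: {gated:.2f}")
```

The model ignores IP address and cookie reuse across flows, so it isolates the timing channel alone; with many concurrent users the decoupled fetch is nearly uncorrelatable, which is why a small delay on a quiet IdP buys much less than the same delay on a busy one.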