
D.Rybin_How_Privacy_Sandbox_broke_the_web_but_promised_to_fix_it__1_.pdf

ttffdd
September 01, 2022

Transcript

  1. How Privacy Sandbox broke the web, but promised to fix it

    Denis Rybin, Head of AppSec, Mail.ru. Moscow, 2022
  2–5. What does the average pentester know about browsers?

    Junior:
    • Basic XSS
    • CSRF
    • Cookie HttpOnly/Secure
    • SOP (really good Junior)

    Middle:
    • Tricky XSS
    • CORS/preflight
    • CSP
    • More APIs
      o postMessage
      o localStorage
      o WebCache
      o etc.

    Senior:
    • Tricky CSP
    • Cookie __Host- prefix
    • Site != origin
    • Latest exotic stuff
      o CORB
      o COOP
      o CORP
      o COEP
      o etc.

    Secret level (Principal):
    • Proposals
    • Origin Trials
    • Thinks about problems, not technology
    • Knows how new ideas change the whole context
  6. What is 3rd party?

    Third-party cookies are cookies that belong to a site other than the one you are currently visiting: they are set by, and sent back to, an embedded resource (script, iframe, image, fetch) whose site differs from the site shown in the address bar. The boundary here is the site (scheme plus registrable domain), not the full origin or hostname.
  7. There are many scenarios for the legitimate use of 3rd party cookies

    • Social widgets
    • Some OIDC cases
    • Personalized login buttons
    • Embedded support chat and other integrations
    • Sharing data and actions across domains
    • Country-specific domains to enable localization (google.co.in, google.co.uk)
    • Brand domains (uber.com, ubereats.com)
    • Etc.
  8–9. Privacy Sandbox on Web

    1. Strengthen cross-site privacy boundaries
    2. Limit covert tracking
    3. Measure digital ads
    4. Show relevant content and ads
    5. Fight spam and fraud
  10–11. Privacy Sandbox on Web

    Strengthen cross-site privacy boundaries:
    • CHIPS (Cookies Having Independent Partitioned State)
    • First-Party Sets (FPS)
    • FedCM (Federated Credential Management)
    • Shared Storage API
    • Storage Partitioning
    • Fenced Frames API
    • Network State Partitioning
  12. Example use cases for FPS

    • App domains: a single application may be deployed over multiple domains, where the user may seamlessly navigate between them as a single session
      o office.com, live.com, microsoft.com
      o lucidchart.com, lucid.co, lucidspark.com, lucid.app
    • Brand domains
      o uber.com, ubereats.com
    • Country-specific domains to enable localization
      o google.co.in, google.co.uk
  13. Example use cases for CHIPS

    • Third-party chat embeds
    • Third-party map embeds
    • Subresource CDN load balancing
    • Headless CMS providers
    • Sandbox domains for serving untrusted user content (such as googleusercontent.com and githubusercontent.com)
    • Third-party CDNs that use cookies to serve content that's access-controlled by the authentication status on the first-party site (for example, profile pictures on social media sites hosted on third-party CDNs)
    • Front-end frameworks that rely on remote APIs using cookies on their requests
    • Embedded ads that need state scoped per publisher (for example, capturing users' ads preferences for that website)
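The __Host- prefix on the Senior slide and the Partitioned attribute that CHIPS adds share one shape: a set of attribute rules the browser enforces when it receives Set-Cookie, so a cookie that violates them is silently dropped and the embed above simply loses its state. The following Node.js script is an added example, not code from the deck or from the CHIPS proposal: it parses a Set-Cookie header and checks those rules on constructed sample headers (the names and values are made up).

```javascript
// Added example, not from the deck: parse a Set-Cookie header and check the
// invariants behind the "__Host-"/"__Secure-" prefixes and the CHIPS
// "Partitioned" attribute. Browsers reject cookies that violate the hard rules;
// the SameSite item is a caveat for cross-site embeds rather than a parse rule.
function parseSetCookie(header) {
  const [nameValue, ...rest] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  if (eq === -1) return null; // RFC 6265: no name=value pair, cookie ignored
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1); // flag attributes become true
  }
  return cookie;
}

// Returns the list of problems; an empty list means the header is acceptable.
function checkSetCookie(header) {
  const c = parseSetCookie(header);
  if (c === null) return ["no name=value pair"];
  const problems = [];
  const secure = c.attrs.secure === true;
  if (c.name.startsWith("__Host-")) {
    if (!secure) problems.push("__Host- requires Secure");
    if ("domain" in c.attrs) problems.push("__Host- forbids Domain");
    if (c.attrs.path !== "/") problems.push("__Host- requires Path=/");
  } else if (c.name.startsWith("__Secure-") && !secure) {
    problems.push("__Secure- requires Secure");
  }
  if (c.attrs.partitioned === true) {
    if (!secure) problems.push("Partitioned requires Secure");
    // Without SameSite=None the cookie defaults to Lax and is never sent from
    // the cross-site embed it was partitioned for.
    if (String(c.attrs.samesite || "").toLowerCase() !== "none") {
      problems.push("Partitioned cookie in a cross-site embed needs SameSite=None");
    }
  }
  return problems;
}

// Constructed sample headers (not captured from any real site).
const SAMPLES = {
  chipsOk: "__Host-chat=abc123; Secure; Path=/; SameSite=None; Partitioned",
  hostBad: "__Host-sid=1; Path=/; Domain=example.com",
  chipsBad: "chat=xyz; Partitioned; Path=/",
};

// Check every sample and return { sampleName: [problems...] }.
function report() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([k, h]) => [k, checkSetCookie(h)]));
}
```

The chipsOk sample is the form a third-party chat or map embed from the list above would set: partitioned per top-level site, Secure, SameSite=None, and carrying the __Host- prefix so it cannot be overwritten from a sibling subdomain. Earlier drafts of the CHIPS proposal additionally required that prefix on every Partitioned cookie, so this sample satisfies the stricter form as well.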
  14. FedCM goals

    • Enable all federated identity flows (including what will break) without the use of third-party cookies, in a way that makes the web meaningfully more private and usable compared to the next best alternative
    • Maximize backwards compatibility, especially for RPs (relying parties)
    • Allow identity protocols to be extended independent of browser changes
    • Reuse as much from OIDC / SAML / OAuth as possible