Developers of the privacy-focused Brave browser raised concerns last week about possible user privacy issues in Client-Hints, a new internet standard currently pending approval by the Internet Engineering Task Force (IETF).
The Brave team suggests third-party web servers could abuse Client-Hints to secretly fingerprint and track users across the internet, a side-effect of the protocol's design.
Created for responsive images
Client-Hints was created to help developers implement "responsive images" -- images that adapt in size based on the user's device width, always showing photos in an appropriate resolution and size.
The idea was to have a mechanism at the HTTP header level that would share this information so servers could provide images at the optimum size to a browser, with minimal delay and content negotiation.
How Client-Hints works
Under the Client-Hints standard, the process starts with the server sending an HTTP header to the browser when a user first accesses a site, before the actual web page is sent to the user's device.
The server asks for "client hints," and the browser replies with an HTTP header containing the currently supported browser details (client hints). The browser can't refuse a Client-Hint request, and will automatically answer any request it receives from a domain it is trying to access.
Furthermore, website owners can also tell browsers to share Client-Hints with all the third-party domains used by their website, allowing third-party services to receive in-depth details about another site's visitors.
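The exchange described above, reduced to its two header directions in an added example (not code from the article, Brave or NoScript): it reads which hints a response requests and shows the filtering a browser extension's blocking webRequest listener could apply to each direction. The function names and sample headers are constructed for illustration, and it assumes the browser exposes these headers to the listener.

```javascript
// Server opt-in headers and the hint headers a browser sends back.
// Hints covered: DPR, width, viewport width and device memory.
const HINT_OPT_IN_HEADERS = new Set(["accept-ch", "accept-ch-lifetime"]);
const HINT_REQUEST_HEADERS = new Set(["dpr", "width", "viewport-width", "device-memory"]);

// Audit: list the hints a response asks the browser to send.
function requestedHints(responseHeaders) {
  return responseHeaders
    .filter(h => h.name.toLowerCase() === "accept-ch")
    .flatMap(h => h.value.split(","))
    .map(token => token.trim().toLowerCase())
    .filter(Boolean);
}

// Response side: drop the opt-in so the browser is never asked for hints.
function stripHintOptIn(responseHeaders) {
  return responseHeaders.filter(h => !HINT_OPT_IN_HEADERS.has(h.name.toLowerCase()));
}

// Request side: drop hints already attached, e.g. after a persisted opt-in
// or when the request goes to a third-party domain the site delegated to.
function stripHintHeaders(requestHeaders) {
  return requestHeaders.filter(h => !HINT_REQUEST_HEADERS.has(h.name.toLowerCase()));
}

// Register only inside an extension that holds the webRequest and
// webRequestBlocking permissions; skipped when run under Node.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  const filter = { urls: ["<all_urls>"] };
  chrome.webRequest.onHeadersReceived.addListener(
    d => ({ responseHeaders: stripHintOptIn(d.responseHeaders) }),
    filter, ["blocking", "responseHeaders"]);
  chrome.webRequest.onBeforeSendHeaders.addListener(
    d => ({ requestHeaders: stripHintHeaders(d.requestHeaders) }),
    filter, ["blocking", "requestHeaders"]);
}

// Constructed sample headers in the webRequest {name, value} array format.
const sampleResponse = [
  { name: "Content-Type", value: "text/html" },
  { name: "Accept-CH", value: "DPR, Width, Viewport-Width, Device-Memory" },
];
const sampleRequest = [
  { name: "User-Agent", value: "ExampleBrowser/1.0" },
  { name: "DPR", value: "2" },
  { name: "Viewport-Width", value: "1280" },
];
```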
Privacy concerns -- alternative tracking method
"Adding Client-Hints into the browser platform would expose an additional tracking method to block and potentially make it even more difficult to maintain a usable, private Web," the Brave team said last week in a blog post criticizing the new protocol.
The fact that Client-Hints is new also means that most privacy-focused browser settings and extensions don't yet support blocking it.
Speaking with ZDNet today, Giorgio Maone, creator of the NoScript extension, said that Chrome and Firefox extensions can theoretically block Client-Hints in its current form.
However, planned changes to the Chrome extensions mechanism would prevent ad-blockers and similar extensions from blocking Client-Hints in the future, leaving the door open for a secretive user tracking/fingerprinting channel.
"Currently yes, definitely," Maone told ZDNet. "But under the webRequest changes proposal by the Chromium development team (with its partial replacement with the declarativeNetRequest API) most likely not. So, NoScript could do it now and keep doing it in Firefox, but maybe not in Chrome/Chromium."
Privacy concerns -- third-party access
In addition, the Brave team is raising the alarm about websites being allowed to instruct browsers to share Client-Hints information with third parties, with no way for users to prevent it.
But besides third-party domains used to load legitimate images on a site, there is another danger from third-party servers.
"Client-Hints would make it easier for an additional set of Web parties, 'TLS-terminators' (i.e. servers between the client and the website) to track users," the Brave team said.
"TLS-terminating parties like CDNs and proxies would have new passive and consistent access to identifying information. [...] In other words, Client-Hints would make it easy for CDNs and proxies to access identifying information, in cases where it is currently difficult-to-impossible to do [without injecting malicious scripts inside normal traffic]."
All of this shows how a feature initially meant to improve web performance can have unexpected consequences on user privacy.
Privacy concerns -- support for more user details
Furthermore, since 2015 the Client-Hints standard has evolved significantly. Besides screen width, viewport width, and device pixel ratio (DPR), Client-Hints can also provide information about browser memory, and there are also plans to move the user-agent details into Client-Hints HTTP headers, exposing even more information via this new user tracking/fingerprinting channel.
"At the moment though, most of the suggested values shared in Client-Hints are privacy harming, and so we are negative on the proposal in general," Brave developers said regarding their intention to support the feature.
For now, only Chromium-based browsers support Client-Hints, according to the Can I Use portal, but Edge will also support it once it moves to a Chromium-based codebase.
The good news is that Client-Hints is not yet an official IETF recommendation set in stone, and changes are still being made to its text.
"We support the overall goal of the Client-Hints proposal, to improve Web performance," Brave developers said. "While we don't think the potential performance improvements in the proposal are worth the risk to Web privacy, we applaud and appreciate that the Client-Hints authors are working towards an important and valuable goal."