Privacy concerns raised about upcoming Client-Hints web standard

Brave devs warn about new alternative user fingerprinting method being rolled out with Chromium-based browsers.

Developers of the privacy-focused Brave browser raised concerns last week about possible user privacy issues in Client-Hints, a new internet standard currently pending approval by the Internet Engineering Task Force (IETF).

The Brave team suggests third-party web servers could abuse Client-Hints to secretly fingerprint and track users across the internet, a side-effect of the protocol's design.

Created for responsive images

Put forward by Google engineer Ilya Grigorik back in 2015, Client-Hints was developed as a tool for content negotiation and automatic resource selection.

Client-Hints was created to help developers implement "responsive images" -- images that adapt in size based on the user's device width, always showing photos in an appropriate resolution and size.

The initial version of Client-Hints was supposed to provide a way for browsers to share information like screen width, viewport width, and device pixel ratio (DPR) with servers, even before a website was loaded and without first running JavaScript inside the user's browser.

The idea was to have a mechanism at the HTTP header level that would share this information so servers could provide images at the optimum size to a browser, with minimal delay and content negotiation.

How Client-Hints works

Under the Client-Hints standard, the process starts with the server sending an HTTP header to the browser when a user first accesses a site, before the actual web page is sent to the user's device.

The server asks for "client hints," and the browser replies with an HTTP header containing the currently supported browser details (client hints). The browser can't refuse a Client-Hint request, and will automatically answer any request it receives from a domain it is trying to access.

Furthermore, website owners can also tell browsers to share Client-Hints with all the third-party domains used by their website, allowing third-party services to receive in-depth details about another site's visitors.

Privacy concerns -- alternative tracking method

"Adding Client-Hints into the browser platform would expose an additional tracking method to block and potentially make it even more difficult to maintain a usable, private Web," the Brave team said last week in a blog post criticizing the new protocol.

What the Brave team is saying is that in situations where users employ anti-fingerprinting extensions or browser settings that block intrusive JavaScript tracking scripts, Client-Hints gives websites an alternative method for tracking users.

The fact that Client-Hints is new also means that most of these privacy-focused browser settings and extensions don't support blocking Client-Hints.

Speaking with ZDNet today, Giorgio Maone, creator of the NoScript extension, said that Chrome and Firefox extensions can theoretically block Client-Hints, in its current form.

However, planned changes to the Chrome extensions mechanism would prevent ad-blockers and similar extensions from blocking Client-Hints in the future, leaving the door open for a secretive user tracking/fingerprinting channel.

"Currently yes, definitely," Maone told ZDNet. "But under the webRequest changes proposal by the Chromium development team (with its partial replacement with the declarativeNetRequest API) most likely not. So, NoScript could do it now and keep doing it in Firefox, but maybe not in Chrome/Chromium."
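The header filtering that a blocking extension of the kind Maone describes would apply can be sketched as follows. This is an added example, not code from NoScript, Brave, or the article; the header names (`Accept-CH`, `Accept-CH-Lifetime`, `DPR`, `Width`, `Viewport-Width`, `Device-Memory`, the `Sec-CH-` prefix) are taken from the Client Hints drafts rather than from this page, and the function names and sample headers are constructed for illustration.

```javascript
// Added example. Headers use the {name, value} array shape that the
// extension webRequest API passes to blocking listeners.
const HINT_REQUEST_HEADERS = new Set([
  "dpr", "width", "viewport-width", "device-memory",
]);
const HINT_OPT_IN_HEADERS = new Set(["accept-ch", "accept-ch-lifetime"]);

// Audit helper: list the hints a server asked for, e.g. for logging.
function requestedHints(responseHeaders) {
  return responseHeaders
    .filter(({ name }) => name.toLowerCase() === "accept-ch")
    .flatMap(({ value }) => value.split(","))
    .map((token) => token.trim().toLowerCase())
    .filter(Boolean);
}

// Response side (onHeadersReceived): drop the server's opt-in so the
// browser never starts sending hints to that origin.
function stripHintOptIn(responseHeaders) {
  return responseHeaders.filter(
    ({ name }) => !HINT_OPT_IN_HEADERS.has(name.toLowerCase())
  );
}

// Request side (onBeforeSendHeaders): drop hints already being sent.
// Still needed because the opt-in can also arrive in markup through
// <meta http-equiv="Accept-CH">, which header filtering never sees.
function stripRequestHints(requestHeaders) {
  return requestHeaders.filter(({ name }) => {
    const n = name.toLowerCase();
    return !HINT_REQUEST_HEADERS.has(n) && !n.startsWith("sec-ch-");
  });
}

// Constructed sample exchange (not captured traffic).
const sampleResponse = [
  { name: "Content-Type", value: "text/html" },
  { name: "Accept-CH", value: "DPR, Width, Viewport-Width, Device-Memory" },
];
const sampleRequest = [
  { name: "Accept", value: "image/webp,*/*" },
  { name: "DPR", value: "2" },
  { name: "Viewport-Width", value: "1280" },
  { name: "Device-Memory", value: "8" },
];

console.log(requestedHints(sampleResponse));
console.log(stripHintOptIn(sampleResponse));
console.log(stripRequestHints(sampleRequest));
```

Applying the request-side filter to every outgoing request, including image loads to third-party domains, covers the sharing case the Brave team describes next.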

Privacy concerns -- third-party access

In addition, the Brave team is raising the alarm about websites being allowed to instruct browsers to share Client-Hints information with third parties, with no way for users to prevent it.

This is worrisome because third-party domains that just load an image -- and have no ability to run JavaScript on a site -- could be receiving the information to fingerprint users based on Client-Hints alone.

But besides third-party domains used to load legitimate images on a site, there is another danger from third-party servers.

"Client-Hints would make it easier for an additional set of Web parties, 'TLS-terminators' (i.e. servers between the client and the website) to track users," the Brave team said.

"TLS-terminating parties like CDNs and proxies would have new passive and consistent access to identifying information. [...] In other words, Client-Hints would make it easy for CDNs and proxies to access identifying information, in cases where it is currently difficult-to-impossible to do [without injecting malicious scripts inside normal traffic]."

All of this shows how a feature initially meant to improve web performance can have unexpected consequences on user privacy.

Privacy concerns -- support for more user details

Furthermore, since 2015 the Client-Hints standard has evolved significantly. Besides screen width, viewport width, and device pixel ratio (DPR), Client-Hints can also provide information about browser memory, and there are also plans to move the user-agent details into Client-Hints HTTP headers, exposing even more information via this new user tracking/fingerprinting channel.

"At the moment though, most of the suggested values shared in Client-Hints are privacy harming, and so we are negative on the proposal in general," Brave developers said in regards to their intention to support the feature.

Besides the Brave team, Mozilla and KeyCDN have also raised concerns about the upcoming standard's impact on user privacy.

For now, only Chromium-based browsers support Client-Hints, according to the Can I Use portal, but Edge will also support it once it moves to a Chromium-based codebase.

Client-Hints support

The good news is that Client-Hints is not yet an official IETF recommendation set in stone, and changes are still being made to its text.

"We support the overall goal of the Client-Hints proposal, to improve Web performance," Brave developers said. "While we don't think the potential performance improvements in the proposal are worth the risk to Web privacy, we applaud and appreciate that the Client-Hints authors are working towards an important and valuable goal."
