BleepingComputer: Google Chrome's new "IP Protection" will hide users' IP addresses
https://www.bleepingcomputer.com/news/google/google-chromes-new-ip-protectio...
# Google Chrome's new "IP Protection" will hide users' IP addresses Google is getting ready to test a new "IP Protection" feature for the Chrome browser that enhances users' privacy by masking their IP addresses using proxy servers. Recognizing the potential misuse of IP addresses for covert tracking, Google seeks to strike a balance between ensuring users' privacy and the essential functionalities of the web. IP addresses allow websites and online services to track activities across websites, thereby facilitating the creation of persistent user profiles. This poses significant privacy concerns as, unlike third-party cookies, users currently lack a direct way to evade such covert tracking. # What is Google's proposed IP Protection feature? While IP addresses are potential vectors for tracking, they are also indispensable for critical web functionalities like routing traffic, fraud prevention, and other vital network tasks. The "IP Protection" solution addresses this dual role by routing third-party traffic from specific domains through proxies, making users' IP addresses invisible to those domains. As the ecosystem evolves, so will IP Protection, adapting to continue safeguarding users from cross-site tracking and adding additional domains to the proxied traffic. "Chrome is reintroducing a proposal to protect users against cross-site tracking via IP addresses. This proposal is a privacy proxy that anonymizes IP addresses for qualifying traffic as described above," reads a description of the IP Protection[1 - git repository] feature. Initially, IP Protection will be an opt-in feature[2], ensuring users have control over their privacy and letting Google monitor behavior trends. The feature's introduction will be in stages to accommodate regional considerations and ensure a learning curve. In its initial approach, only the domains listed will be affected in third-party contexts, zooming in on those perceived to be tracking users. The first phase, dubbed "Phase 0," will see Google proxying requests only to its own domains using a proprietary proxy. This will help Google test the system's infrastructure and buy more time to fine-tune the domain list. To start, only users logged into Google Chrome and with US-based IPs can access these proxies. A select group of clients will be automatically included in this preliminary test, but the architecture and design will undergo modifications as the tests progress. To avert potential misuse, a Google-operated authentication server will distribute access tokens to the proxy, setting a quota for each user. In upcoming phases, Google plans to adopt a 2-hop proxy system to increase privacy further. "We are considering using 2 hops for improved privacy. A second proxy would be run by an external CDN, while Google runs the first hop," explains the IP Protection explainer document. "This ensures that neither proxy can see both the client IP address and the destination. CONNECT & CONNECT-UDP support chaining of proxies." As many online services utilize GeoIP to determine a users location for offering services, Google plans on assigning IP addresses to proxy connections that represent a "coarse" location of a user rather than their specific location, as illustrated below. https://www.bleepstatic.com/images/news/web-browsers/chrome/ip-protection/ch... [The map is subdivided into areas delimited by the blue boundaries in the US and green boundaries in Canada. Users within a certain area will be assigned an IP address that is mapped to the top city of that area, marked with the pin \/. An area will never cross a country border.] Illustrating how Google plans on assigning IP address to allow for GeoIP locations Source: Google Among the domains where Google intends to test[3] this feature are its own platforms like Gmail and AdServices. Google plans on testing this feature between Chrome 119 and Chrome 225. # Potential security concerns Google explains there are some cybersecurity concerns related to the new IP Protection feature. As the traffic will be proxied through Google's servers, it may make it difficult for security and fraud protection services to block DDoS attacks or detect invalid traffic. Furthermore, if one of Google's proxy servers is compromised, the threat actor can see and manipulate the traffic going through it. To mitigate this, Google is considering requiring users of the feature to authenticate with the proxy, preventing proxies from linking web requests to particular accounts, and introducing rate-limiting to prevent DDoS attacks. 1 - git repository: http://github.com/GoogleChrome/ip-protection 2: https://groups.google.com/a/chromium.org/g/blink-dev/c/9s8ojrooa_Q [the path parameter is the groups conversation ID] 3: https://docs.google.com/document/d/1iCM3BxJ5cBVwepIL3L-ux-2eS-R0SgaCZEM_ja0a...
mikebutash - 13 hours ago Google is jealous of Microsoft Windows telemetry and Apple's spy^H^H^H"privacy" proxy in IOS things that sends everything a user does through them and wants in on the action. It's not good enough Chrome sends everything you do in a browser to Google, they want the rest of the app/os for training their AI too since users aren't quick on the uptake of Chromebooks to give them that. blackhatcat Photo blackhatcat - 12 hours ago this is also part of the reason theres such an enormous amount of vpn providers whom have popped up out of thin air over the past few years and flood the market with advertisements, most of which are playing the system and the lack of education of the end user placing their services between the end user and the services and systems accessed by the end user to try to garner first dibs on the data before the data reaches other services such as google, faceberg, etc
1 - git repository: http://github.com/GoogleChrome/ip-protection
# IP Protection (formerly known as Gnatcatcher) ## Introduction As browser vendors make efforts to provide their users with additional privacy, the user’s IP address continues to make it feasible to associate users’ activities across origins that otherwise wouldn’t be possible. This information can be combined over time to create a unique, persistent user profile and track a user’s activity across the web, which represents a threat to their privacy. Moreover, unlike with third-party cookies, there is no straightforward way for users to opt out of this kind of covert tracking. In addition to being used as a possible tracking vector, IP addresses have been and will continue to be instrumental in routing traffic, preventing fraud and abuse, and performing other important functions for network operators and domains. Therefore, any IP address privacy solution must account for both user privacy and the safety and functionality of the web. This proposal initially focuses on efforts where IP addresses are most likely to be used as a vector for tracking in a third-party context. IP Protection will evolve and broaden over time in conjunction with ecosystem changes to continue to protect users’ privacy from cross-site tracking. ## Cross-site tracking and the role of IP addresses There are various definitions for “tracking” used in the web ecosystem. We will initially use Mozilla’s definition for cross-site tracking as it has served as an inspiration for other browser policies. Mozilla defines [tracking](https://wiki.mozilla.org/Security/Anti_tracking_policy#Tracking_Definition) as “...the collection of data regarding a particular user's activity across multiple websites or applications (i.e., first parties) that aren’t owned by the data collector, and the retention, use, or sharing of data derived from that activity with parties other than the first party on which it was collected.” Browsers are moving against cross-site tracking. For Chrome, this [includes phasing out third-party cookies and limiting fingerprinting](https://privacysandbox.com/open-web/), while ensuring the web stays healthy and vibrant. One way to limit fingerprinting is by limiting sources of identifiable information such as IP addresses. An IP address is an effective cross-site identifier as it is highly unique, relatively stable, cheap to collect and the applications of IP addresses by websites are not detectable by the browser. Therefore limiting access to IP addresses is important to prevent other methods of cross-site tracking beyond third-party cookies. Based on how impactful IP addresses are for tracking, it would make sense to first focus on third parties identified as potentially using IP addresses for web-wide cross-site tracking. We’ll explore leveraging methods similar to other browsers and existing lists that identify these third parties. Chrome’s evolved focus on third-party tracking has emerged from feedback received on the Gnatcatcher proposal. Chrome wants to focus on behaviors that are most likely to be using IP for tracking users across sites in ways that might not align with user expectations of privacy. Chrome will work with the ecosystem to help preserve privacy while not breaking key uses on the web. ## Proposal Chrome is reintroducing a proposal to protect users against cross-site tracking via IP addresses. This proposal is a privacy proxy that anonymizes IP addresses for qualifying traffic as described above. **Goals** - To improve user privacy by protecting users’ IP addresses from being used as a tracking vector. - To minimize disruption to the normal operations of servers, including the use of IP addresses for anti-abuse by first party sites, until there are alternative mechanisms in place. ### Privacy Proxy #### Core requirements - the destination origin doesn’t see the client’s original IP address - the proxy and network intermediaries are not privy to the contents of the traffic. To meet these requirements, this proposal prioritizes proxying eligible third-party traffic through the Privacy Proxy. This will use CONNECT and CONNECT-UDP (with MASQUE), to forward traffic. There is an end-to-end encrypted tunnel via TLS, from Chrome to the destination server. We are considering using 2 hops for improved privacy. A second proxy would be run by an external CDN, while Google runs the first hop. This ensures that neither proxy can see both the client IP address and the destination. CONNECT & CONNECT-UDP support chaining of proxies. #### Anti-abuse There are several anti-abuse concerns for proxied third party traffic: - defensibility of the proxy, a compromised proxy may be used to deploy attacks - disruption of existing DoS defenses - disruption of existing defenses for fraud and invalid traffic detection To limit abuse of the proxy, we are considering the following non-exhaustive set of anti-abuse protections: - user authenticates to the proxy - this will require a user account - auth tokens will be issued and redeemed at the proxy - proxy shouldn’t be able to correlate traffic to user account - blinded signatures will be used - limit abuse with harvesting of auth tokens - rate limit tokens per account - token expiry In addition to preventative measures, we are also looking for opportunities to allow websites to report DoS and other abuse. Additionally, we are actively exploring new anti-abuse defenses to enable third party services to prevent abuse and fraud. #### GeoIP IP-based geolocation is used by a swath of services within proxied third party traffic to comply with local laws & regulation and serve content that is relevant to users, such as: content localization (e.g. language), local cache assignment, and geo targeting for ads. To support these needs, the Privacy Proxy will assign IP addresses that represent the user’s coarse location, including country. ### Longer term Long term solutions will evolve and will be shaped in conjunction with the ecosystem. We will collaborate with ISPs, CDNs, third parties, and destination sites towards the end-state of privacy proxies for the web. For instance, ISPs and CDNs are well suited to operate privacy proxies. As IP Protection evolves, we believe policy will have a part in the overall solution to address circumvention by websites. When needed, we'll develop the policy and seek input from the ecosystem. Our intent for a policy within the proposal will be to encourage web services to be accountable for the usage and sharing of client IP addresses given the sensitivity of IP as an identifying data point. By creating transparency around the use of IP addresses, we hope to promote industry accountability regarding how IP addresses are accessed and used in the web ecosystem. We welcome feedback on this proposal, especially with regard to some of the open questions we are considering.
participants (2)
-
jdb10987@yahoo.com -
Undescribed Horrific Abuse, One Victim & Survivor of Many