Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Requirements for Unlinkable Tokens for Fraud Prevention #82

Open
eriktaubeneck opened this issue May 13, 2021 · 3 comments
Open

Requirements for Unlinkable Tokens for Fraud Prevention #82

eriktaubeneck opened this issue May 13, 2021 · 3 comments

Comments

@eriktaubeneck
Copy link

This is a break off from #41, specifically focused on the the requirements for using unlinkable tokens to prevent the submission of unauthorized (fraudulent) click reports. Summarizing the requirements from that thread:

  1. Websites have the ability to participate in a protocol which can provide proof that they can trust the reports they later receive.
  2. The reports sent from the browser (including any proof provided by /1) should be unlinkable to individual events.
  3. Websites should only sign tokens when it's linked to a validated session/click.
  4. The design should be as simple as possible:
    a. Simple for website developers to adopt and use
    b. Relatively easy for privacy experts to analyze
    c. To some extent, easy for browser engineers to implement.
    d. Avoid a solution that only works for websites with a large engineering team.

Other remaining open questions:

  1. Does the unlinkable token need to be bound to the trigger_site as well as the source_site?
  2. How often do keys need to be rotated?What is expected to happen if a client detects a key mismatch upon event upload?
  3. What happens if the client's chosen nonce is not random? Does the solution depend on this being random, and if so, what assurance does the server have that the client generated this value honestly?
  4. Does the protocol need to be compatible with the ability to work in the face of event-noising. See WICG/conversion-measurement-api#111
  5. Does the protocol need to be compatible with the ability for this system to also work for aggregate reports (something like what is described in https://github.com/WICG/conversion-measurement-api/blob/main/SERVICE.md)

Given that there is limited time in the F2F, it seems useful to see if we can answer some of these questions async and spend that limited F2F time for the most difficult questions. cc @johnwilander, @csharrison, and @chris-wood, I've pulled these requirements and questions from your comments on #41.
@eriktaubeneck
Copy link
Author

eriktaubeneck commented May 13, 2021
edited
Loading

For question 7, unless I am misunderstanding something about the protocol, I believe that this needs to be random. The flow, as I understand the blind signature process is:

  1. Client: Generate random nonce
  2. Client: Blind(nonce), send to server
  3. Server: Sign(Blind(nonce)), send to client
  4. Client: Unblind(Sign(Blind(nonce)) -> Sign(nonce)
  5. Client: wait for report, send with (Sign(nonce), nonce) to server
  6. Server: Validate Sign(nonce) is a valid signature of nonce.

If the nonce is predictable, then the server would be able to effectively guess the nonce in Step 3, and if the server knows the nonce in Step 3, they can link a report sent in Step 5 back to the original signing request.

Please let me know if I'm potentially misunderstanding this. This is essentially the clarification/correction I'm proposing in #81.

@csharrison
Copy link

cc @davidvancleve

@hober
Copy link
Member

hober commented May 13, 2021

cc @FredericJacobs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hober @eriktaubeneck @csharrison