• amanda99 9 hours ago

    Does not explain how this magic technology works.

    • throwaway2016a 4 hours ago

      Exactly, the "how it works" section ironically does not actually explain much.

      I would love to know how this differs from fingerprinting. And if it is just fingerprinting it seems like it'd probably be trivial to bypass. Especially since it appears that you have a way to check your ID so you could potentially experiment with different ways to affect it.

      • janice1999 9 hours ago

        Exactly, also "without compromising user privacy" - let them prove it. We all know Cloudflare is a giant US-based Man-In-The-Middle of the internet answerable to US secret courts and now it explicitly fingerprints internet users across IPs.

        • aftbit 9 hours ago

          Well of course not, because if they did so then:

          1. Fraudsters would be able to game/bypass them more easily

          2. Customers would be able to hold them accountable more easily

          It is not in Cloudflare's best interest to explain their anti-fraud technology. The same thing applies to basically anyone doing anti-fraud by the way. Try asking a bank why they declined your transaction, or closed your account.

          • espadrine 9 hours ago

            We can make informed guesses. Such attackers likely use the same TCP stack and datacenter within the attack, so perhaps the cipher suite, the latency (based off the Date header?), the OS, the UA, the set of HTTP headers sent, are some of the signals they use.

            What other aspects could they harness?

            • aftbit 8 hours ago

              They can use at least everything available up to the end of the first HTTP request:

              * IP path selected & latency

              * TCP TTL, window settings & extensions

              * TLS ClientHello: extensions, ciphers, hash algos, etc.

              * HTTP/2 settings & behavior

              * HTTP request headers

              If you're interested in digging further into this set, look up JA3, which has variants that address most or all of those above.

              If they redirect you to an intermediate page, their attack surface gets much larger, including everything in the JavaScript APIs and browser behavior.

              * Extended client hints

              * Canvas fingerprint

              * WebGPU fingerprint

              * WebRTC fingerprint

              * TTS voices

              * Fonts

              * Battery state

              * <link> preload behavior and timing

              (and the list goes on and on and on, because browsers are huge and only slightly designed for privacy)

              This is assuming they aren't willing to use any of the persistent state techniques, like cache poisoning, HSTS pinning, or simple old cookies.

              These are mostly useful for catching cases where someone is trying to lie about which OS or browser they are using, or where they are using the same machine and instrumented browser foolishly.

          • idfabric 8 hours ago

            What are the browser attributes and signals collected? Wonder if the attacker spoofs them anyway!!
