Most active commenters
  • NavinF(4)
  • gruez(3)
  • nonrandomstring(3)

←back to thread

Curl-impersonate: Special build of curl that can impersonate the major browsers

(github.com)
545 points mmh0000 | 19 comments | 03 Apr 25 15:24 UTC | HN request time: 0.001s | source | bottom
Show context
jchw ◴[03 Apr 25 16:40 UTC] No.43572243[source]
I'm rooting for Ladybird to gain traction in the future. Currently, it is using cURL proper for networking. That is probably going to have some challenges (I think cURL is still limited in some ways, e.g. I don't think it can do WebSockets over h2 yet) but on the other hand, having a rising browser engine might eventually remove this avenue for fingerprinting since legitimate traffic will have the same fingerprint as stock cURL.
replies(6): >>43572413 #>>43573011 #>>43574225 #>>43576912 #>>43580376 #>>43583469 #
nonrandomstring ◴[03 Apr 25 19:25 UTC] No.43574225[source]
When I spoke to these guys [0] we touched on those quirks and foibles that make a signature (including TCP stack stuff beyond control of any userspace app).

I love this curl, but I worry that if a component takes on the role of deception in order to "keep up" it accumulates a legacy of hard to maintain "compatibility" baggage.

Ideally it should just say... "hey I'm curl, let me in"

The problem of course lies with a server that is picky about dress codes, and that problem in turn is caused by crooks sneaking in disguise, so it's rather a circular chicken and egg thing.

[0] https://cybershow.uk/episodes.php?id=39

replies(2): >>43574560 #>>43575789 #
immibis ◴[03 Apr 25 19:53 UTC] No.43574560[source]
What should instead happen is that Chrome should stop sending as much of a fingerprint, so that sites won't be able to fingerprint. That won't happen, since it's against Google's interests.
replies(1): >>43574900 #
1. gruez ◴[03 Apr 25 20:22 UTC] No.43574900[source]
This is a fundamental misunderstanding of how TLS fingerprinting works. The "fingerprint" isn't from chrome sending a "fingerprint: [random uuid]" attribute in every TLS negotiation. It's derived from various properties of the TLS stack, like what ciphers it can accept. You can't make "stop sending as much of a fingerprint", without every browser agreeing on the same TLS stack. It's already minimal as it is, because there's basically no aspect of the TLS stack that users can configure, and chrome bundles its own, so you'd expect every chrome user to have the same TLS fingerprint. It's only really useful to distinguish "fake" chrome users (eg. curl with custom header set, or firefox users with user agent spoofer) from "real" chrome users.
replies(2): >>43574983 #>>43584170 #
2. dochtman ◴[03 Apr 25 20:30 UTC] No.43574983[source]
Part of the fingerprint is stuff like the ordering of extensions, which Chrome could easily do but AFAIK doesn’t.

(AIUI Google’s Play Store is one of the biggest TLS fingerprinting culprits.)

replies(2): >>43575010 #>>43575074 #
3. gruez ◴[03 Apr 25 20:32 UTC] No.43575010[source]
What's the advantage of randomizing the order, when all chrome users already have the same order? Practically speaking there's a bazillion ways to fingerprint Chrome besides TLS cipher ordering, that it's not worth adding random mitigations like this.
4. shiomiru ◴[03 Apr 25 20:37 UTC] No.43575074[source]
Chrome has randomized its ClientHello extension order for two years now.[0]

The companies to blame here are solely the ones employing these fingerprinting techniques, and those relying on services of these companies (which is a worryingly large chunk of the web). For example, after the Chrome change, Cloudflare just switched to a fingerprinter that doesn't check the order.[1]

[0]: https://chromestatus.com/feature/5124606246518784

[1]: https://blog.cloudflare.com/ja4-signals/

replies(2): >>43575406 #>>43576104 #
5. nonrandomstring ◴[03 Apr 25 21:05 UTC] No.43575406{3}[source]
> blame here are solely the ones employing these fingerprinting techniques,

Sure. And it's a tragedy. But when you look at the bot situation and the sheer magnitude of resource abuse out there, you have to see it from the other side.

FWIW the conversation mentioned above, we acknowledged that and moved on to talk about behavioural fingerprinting and why it makes sense not to focus on the browser/agent alone but what gets done with it.

replies(1): >>43576317 #
6. fc417fc802 ◴[03 Apr 25 22:12 UTC] No.43576104{3}[source]
> The companies to blame here are solely the ones employing these fingerprinting techniques,

Let's not go blaming vulnerabilities on those exploiting them. Exploitation is also bad but being exploitable is a problem in and of itself.

replies(2): >>43579898 #>>43587654 #
7. NavinF ◴[03 Apr 25 22:38 UTC] No.43576317{4}[source]
Last time I saw someone complaining about scrapers, they were talking about 100gib/month. That's 300kbps. Less than $1/month in IP transit and ~$0 in compute. Personally I've never noticed bots show up on a resource graph. As long as you don't block them, they won't bother using more than a few IPs and they'll backoff when they're throttled
replies(3): >>43576459 #>>43577683 #>>43579340 #
8. marcusb ◴[03 Apr 25 22:55 UTC] No.43576459{5}[source]
For some sites, things are a lot worse. See, for example, Jonathan Corbet's report[0].

0 - https://social.kernel.org/notice/AqJkUigsjad3gQc664

replies(1): >>43596528 #
9. lmz ◴[04 Apr 25 02:23 UTC] No.43577683{5}[source]
How can you say it's $0 in compute without knowing if the data returned required any computation?
replies(1): >>43596554 #
10. nonrandomstring ◴[04 Apr 25 07:39 UTC] No.43579340{5}[source]
Didn't rachelbytheebay post recently that her blog was being swamped? I've heard that from a few self-hosting bloggers now. And Wikipedia has recently said more than half of traffic is noe bots. ARe you claiming this isn't a real problem?
replies(1): >>43596544 #
11. shiomiru ◴[04 Apr 25 09:18 UTC] No.43579898{4}[source]
> Let's not go blaming vulnerabilities on those exploiting them. Exploitation is also bad but being exploitable is a problem in and of itself.

There's "vulnerabilities" and there's "inherent properties of a complex protocol that is used to transfer data securely". One of the latter is that metadata may differ from client to client for various reasons, inside the bounds accepted in the standard. If you discriminate based on such metadata, you have effectively invented a new proprietary protocol that certain existing browsers just so happen to implement.

It's like the UA string, but instead of just copying a single HTTP header, new browsers now have to reverse engineer the network stack of existing ones to get an identical user experience.

replies(1): >>43580006 #
12. fc417fc802 ◴[04 Apr 25 09:40 UTC] No.43580006{5}[source]
I get that. I don't condone the behavior of those doing the fingerprinting. But what I'm saying is that the fact that it is possible to fingerprint should in pretty much all cases be viewed as a sort of vulnerability.

It isn't necessarily a critical vulnerability. But it is a problem on some level nonetheless. To the extent possible you should not be leaking information that you did not intend to share.

A protocol that can be fingerprinted is similar to a water pipe with a pinhole leak. It still works, it isn't (necessarily) catastrophic, but it definitely would be better if it wasn't leaking.

13. RKFADU_UOFCCLEL ◴[04 Apr 25 15:51 UTC] No.43584170[source]
What? Just fix the ciphers to a list of what's known to work + some safety margin. Each user needing some different specific cipher (like a cipher for horses, and one for dogs), is not a thing.
replies(1): >>43585002 #
14. gruez ◴[04 Apr 25 16:52 UTC] No.43585002[source]
>Just fix the ciphers to a list of what's known to work + some safety margin.

That's already the case. The trouble is that NSS (what firefox uses) doesn't support the same cipher suites as boringssl (what chrome uses?).

15. Jubijub ◴[04 Apr 25 21:14 UTC] No.43587654{4}[source]
I’m sorry but you comment shows you never had to fight this problem a scale. The challenge is not small time crawlers, the challenge is blocking large / dedicated actors. The problem is simple : if there is more than X volume of traffic per <aggregation criteria >, block it. Problem : most aggregation criteria are trivially spoofable, or very cheap to change : - IP : with IPv6 this is not an issue to rotate your IP often - UA : changing this is scraping 101 - SSL fingerprint : easy to use the same as everyone - IP stack fingerprint : also easy to use a common one - request / session tokens : it’s cheap to create a new session You can force login, but then you have a spam account creation challenge, with the same issues as above, and depending on your infra this can become heavy

Add to this that the minute you use a signal for detection, you “burn” it as adversaries will avoid using it, and you lose measurement thus the ability to know if you are fixing the problem at all.

I worked on this kind of problem for a FAANG service, whoever claims it’s easy clearly never had to deal with motivated adversaries

replies(1): >>43595929 #
16. immibis ◴[05 Apr 25 19:01 UTC] No.43595929{5}[source]
Should be easy enough to create a DroneBL for residential proxy services. Since you work on residential proxy detection at a FAANG service, why haven't you done it yet?

If they're doing things the above-board way from their own ASN, block their ASN.

If they're doing things the above-board way from third-party hosting providers, send abuse reports. Late last year there was a commotion because someone was sending single spoofed SSH SYN packets, from the addresses of Tor nodes, to organizations with extremely sensitive security policies. Many people with Tor nodes got threats of being banned from their hosting provider, over a single packet they didn't even send. They're definitely going to ban people who are doing actual DDoSes from their servers.

DDoS is also a federal crime, so if you and they are in the USA, you might consider trying to get them put in prison.

17. NavinF ◴[05 Apr 25 20:22 UTC] No.43596528{6}[source]
He provides no info. req/s? 95%ile mbps? How does he know the requests come from an "AI-scraper" as opposed to a normal L7 DDoS? LWN is a pretty simple site, it should be easy to saturate 10G ports
18. NavinF ◴[05 Apr 25 20:24 UTC] No.43596544{6}[source]
How exactly can a blog get swamped? It takes ~0 compute per request. Yes I'm claiming this is a fake problem
19. NavinF ◴[05 Apr 25 20:25 UTC] No.43596554{6}[source]
Look at the sibling replies. All the kvetching comes from blogs and simple websites, not the ones that consume compute per request