this is a proof-of-concept implementation for verified click reporting without linkage between click and reporting event. this repo should not be considered secure, and is only a demo.
You need to have the following components installed
- Python3
- nodejs
- npm
- browserify :
npm install -g browserify
Within a python3 virtual environment, run
pip install -r requirements.txt
then run
make dev
to run the tests, run
nose2
this relies on a simple chrome extension to handle the flow on the user side. To load the extension open your chrome browser and navigate to
chrome://extensions
from this page click the slider in the upper right corner to enter "developer mode", if you are not already.
once in dev mode, click 'load unpacked' in the upper left corner, then select the chrome directory of this repository.
That's it! the extension is loaded. You should now see it appear on the page with options to see details, remove, refresh, or disable along the bottom.
See the chrome-dev/README.md for more development details.
For simplicity, when running locally, all urls below would be prepended with localhost:5000/. in reality, source-domain.com and destination-domain.com would be entirely different domains, and blinding-service.com would be internalized in the browser.
To begin:
- Use Chrome to navigate to source-domain.com
- Click a button on this page. The following will occur:
- user clicks an link to destination-domain.com at source-domain.com. this is tagged with a
click_data_srcand acsrf_token. - the browser generates random bytes to use as a nonce.
- user clicks an link to destination-domain.com at source-domain.com. this is tagged with a
- Provided you are using the Chrome plugin as per set up above, click binding will then occur:
- the browser gets a public RSA key from
source-domain.com/.well-known/public-key/destination-domain.com/<click_data_src> - the browser generates random bytes to us a blinding factor.
- the browser blinds the nonce with the public RSA key and the blinding factor.
- the browser posts the destination domain (destination-domain.com), click_data_src, blind nonce and the csrf_token to
source-domain.com/.well-known/blind-signing - source-domain.com verifies the csrf_token and returns a signature of the blind nonce
- the browser unblinds the signature and verifies it with the public key
- the browser gets a public RSA key from
- When a user clicks an "Event" button on destination-domain.com:
- destination-domain.com sends to the browser report interface report data, priority, and a csrf_token
- Provided you are using the Chrome plugin as per set up above, report binding will then occur:
- the browser gets a public RSA key from
destination-domain.com/.well-known/public-key/<report_data_dest> - the browser generates random bytes to us a blinding factor.
- the browser blinds the nonce with the public RSA key and the blinding factor.
- the browser posts the report data, blind nonce and the csrf_token to
destination-domain.com/.well-known/blind-signing - destination-domain.com verifies the csrf_token and returns a signature of the blind nonce
- the browser unblinds the signature and verifies it with the public key
- the browser gets a public RSA key from
- Finally, report generation will occur:
- the browser joins a click to
destination-domain.comwith an event ondestination-domain.com, and takes the report with the highest priority. - the browser posts the click data, the report data, the nonce, and both unblinded signatures to
source-domain.com/.well-known/report. source-domain.com is then able to verify both signatures from the public keys.
- the browser joins a click to
To validate each of these steps, you can follow in the Flask server logs, in the same terminal window as you ran make dev.
The client uses browserify to package js and related components. If you modify js, you need to run
./client/build