Re: JShelter and cloudflare challenges

[Libor Polčák]

hf napsal(a):
> Websites that use the cloudflare JS challenge or cloudflare under-attack-mode
> (with the captcha) don't work while JShelter is on.
>
> It requires WebWorkers at the minimum and some other stuff i didn't track down
> yet. They only work with JShelter being off... and i am sure they will never
> work with any half-decent fingerprint protection.
>
> Is there a way to whitelist the cloudflare scripts only, without having to
> whitelist the whole domain?

Hello hf,

is the problem you describe the same as 
https://www.zabbix.com/forum/zabbix-help/? Can you give us more examples of 
pages suffering from the problem?

About whitelisting only some scripts:

Short answer: no, JShelter patches the JS environment that is common to all the 
scripts included in the page. There is currently no way to say that a script 
injected from domain X should see function X as Worker while another script 
should see function Y as Worker.

Long answer: technically, there are two approaches to solve the issue.

Approach 1: Intercept HTTP replies containing scripts from some domains and 
patch the code, like replacing all calls to Worker with calls to 
WorkerJShelteraabbccddeeff... I see at least two downsides of this approach. 
Firstly, an obfuscated code is not possible to patch this way. Secondly, we 
would need to create functions that these privileged scripts would calls. 
However, these scripts should be available to privileged scripts only. My 
proposed way contains the string aabbccddeeff... for this reason. By creating a 
random value for each page refresh, we might try to hide from other scripts, 
but malicious scripts could try to brute force the search for the current 
value. With sufficient length of the random part, we could motivate the 
adversary not to try brute force. However, malicious scripts could go for more 
clever ways to uncover the current unwrapped name like:

for(var prop in window){
  if (prop.startsWith("WorkerJShelter")) {
        console.log(prop); // Replace with some malicious code
  }
}


Approach 2: Current wrapped function can learn the identity of the callers and 
detect the origin of the scripts (see 
https://pagure.io/JShelter/webextension/issue/52). However, the approach is 
slow. So a possible solution to the problem is to let users explicitly ask to 
apply lower protection for some scripts with the warning of receiving 
performance hit? Additionally, the question is how to design the UI and 
actually implement the functionality.


Some additional answer: The problem is in Cloudflare detecting that some 
fingerprinting protection is being applied. Maybe the first step should go in 
the direction of studying Cloudflare way of detecting fingerprinting and 
finding way to prevent the detection.


Do you have any thoughts on my thoughts?

Libor