npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

private-request

v0.1.5

Published

A fetch wrapper that hampers traffic analysis

Downloads

4

Readme

A fetch wrapper that hampers traffic analysis, based on Signal's Expanding Signal GIF search article.

This README outlines the high-level ideas, see CONTRIBUTING.md for information about how to contribute to/build the project.

What's the idea here?

From Signal's article:[1]

If the Signal service were malicious, it could measure the amount of data being transmitted in order to discern something about the GIFs being retrieved from GIPHY.

The most common way to mitigate an attack like that is through the introduction of plaintext padding. Including a random amount of padding at the end of each GIF would make it more difficult for the Signal service to correlate the amount of data it sees being transmitted with a known GIF.

We can also abuse range requests to simulate padding on content we don't control.

This package uses range requests to split a request into segments with some padding.

What does this mean in practice?

Using range requests we can turn 1 request for a N₁-byte resource into M requests for N₂-bytes, where:

  1. N₁ ≥ N₂; and
  2. (M × N₂) ≥ N₁

(At the time of writing the diagram in the Signal article has inconsistent segment sizes, so there is a different example below.)

Example

Pretend there is a 9-byte resource we want to request (N₁), and we pick a segment size of 4 bytes (N₂).

Instead of making one 9-byte request, we can make three 4-byte requests:

The range requests for the three segments:

| Request | Range | Segment size | |---|---|---| | 1 | bytes=0-3 | 4 bytes | | 2 | bytes=4-7 | 4 bytes | | 3 | bytes=5-8 | 4 bytes |

We have requested the 5th, 6th, and 7th bytes twice and can discard the redundant copy.

Larger segment sizes

This package will use segment sizes a lot larger than 4 bytes, picking the smallest segment size (N₂) from the following list such that N₁ ≥ N₂ holds:

| 𝑥 | Unit | |---:|:---| | 10 | kibibytes | | 50 | kibibytes | | 100 | kibibytes | | 500 | kibibytes | | 1 | mebibyte |

What is the benefit?

With this approach we turn a request for 9 bytes into a request for 12 bytes, and hide the size of the resource. This makes it more difficult for an intermediary (e.g. a malicious proxy server) to know: is the client requesting three unrelated 4-byte resources or one 12-byte resource? (To which the answer is neither. 😏)

This comes at the cost of multiple extra network calls and bytes on the wire—a steep cost in some scenarios.

Quick start

NOTE: this package requires a random number generator that will produce uniform numbers, preferably one which is cryptographically sound. One option is pure-random-number, which is available for both browsers and Node.

To install and use the package:

$ yarn add private-request pure-random-number
import pr from 'private-request';
import randomNumber from 'pure-random-number';

const rng = async (min, max) => randomNumber(min, max);
const fetch = pr({ rng });
// Use as you would `window.fetch`

Tests

To run the test suite locally:

$ yarn
$ yarn build:data
$ yarn start:server
$ yarn test

To run the e2e tests, visit localhost:8001 in a browser.

License

This repository is available under the ISC License. See LICENSE.md.

On CORS

The ability to perform range requests on the web requires the correct CORS headers.

Namely:

Remember that the following environments do not enforce CORS:

  • React Native

    The security model for XMLHttpRequest is different than on web as there is no concept of CORS in native apps.

  • Web extensions

    [CORS is not enforced] in the background and popup pages if the extension has those domains in their manifest permissions