• Summary
Do not allow third parties to track our IP addresses (especially third parties who have made VRChat a target of their business).
This can be done either by deploying a reverse proxy for partners or by deploying an option that allows denial of individual URLs.
• Details
As previously mentioned in the following ticket, the Trusted URL was already not a trusted URL and could connect to dangerous sites without consent.
VRChat Inc seems to think that disabling the cookie will solve the problem, but there are still tracking concerns, and those concerns have recently moved one step closer to reality.
Although *.poly.jp has been added to the Trusted URL List, the management of the vrceve.poly.jp subdomain has been transferred to an organization called "VRChat Event Calendar".
The event calendar, an asset distributed by the "VRChat Event Calendar," is intended to be placed in a number of worlds.
This means that if this organization were to send URLs with individual values for each world, it would be possible to link IP addresses (i.e., user identifiers) to the history of world movement.
It is also not hard to imagine that the asset could be modified to allow usernames to be retrieved in various worlds.
And these can be easily updated by VCC, so changes can be made without the user noticing.
The "allow untrusted url" checkbox no longer works, and we are currently just waiting for our tracking information to be provided to third parties without our consent and used for marketing and other business.
As mentioned above, even IP addresses can be used for tracking, and automatic access to Trusted URLs is very dangerous.
These are not issues that can be solved by disabling cookies; tracking begins as soon as the access is made. (Perhaps this is why the GDPR also covers IP addresses for protection.)
Therefore, VRChat needs to take one of the following actions or similar:
  1. Ensure that access to organizations to which VRChat Inc has granted permission to connect is through a reverse proxy, filtering out IP addresses, headers, and other information that could identify users.
Relatively secure Trusted URL services can be provided, but maintenance costs will increase.
  2. Eliminate the Trusted URL system and allow users to set access permissions on a per-URL basis.
This is the most legally sound approach, but has the disadvantage of slightly increasing the burden on the user side, and may not be compatible with VRChat's current business model related to partner registration.
  3. Allow users to reject individual URLs included in Trusted URLs.
There is a similar issue to 2.
• Appendix
Tying user names to user behavior tracking can be done as follows:
  1. Check if the IP address is registered in the database.
  2. If it is not registered, return a response instructing the client side to send the user name.
  3. Using the list of URLs (about tens of thousands/10MB) embedded in the asset for sending information, send a few bytes every 5 seconds.
  4. Record the access to the unique URL set for each world and the IP address from which the connection was made in the database.
Also note that these do not have to be tied to usernames, but just tying IP addresses to user behavior is a threat.
In addition, note that these are not actually happening, but the fact that they can is problematic.
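The client-side decision behind options 2 and 3 above, sketched as an added example (this is not VRChat's code or part of the original post). The function names, the user rule lists, the rule keying by host rather than full URL, and the assumption that `*.poly.jp` matches subdomains only are all hypothetical.

```python
from urllib.parse import urlsplit

# Only "*.poly.jp" comes from the post; the rest of the real list is not reproduced.
TRUSTED_PATTERNS = ["*.poly.jp"]


def host_matches(host, pattern):
    """Exact host match, or '*.example' matching subdomains only (assumed semantics)."""
    host = host.lower().rstrip(".")  # ignore case and a trailing root dot
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".poly.jp": the leading dot keeps "evilpoly.jp" out
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == pattern


def decide(url, user_denied=(), user_approved=(), per_url_consent=False,
           allow_untrusted=False, trusted=TRUSTED_PATTERNS):
    """Return 'allow', 'block' or 'ask' for a request a world wants to make."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return "block"
    if parts.scheme not in ("http", "https") or not host:
        return "block"
    # Option 3: an explicit user rejection wins, even over the trusted list.
    if any(host_matches(host, p) for p in user_denied):
        return "block"
    if any(host_matches(host, p) for p in user_approved):
        return "allow"
    if per_url_consent:
        # Option 2: no implicit trust; nothing is contacted until the user decides.
        return "ask"
    if any(host_matches(host, p) for p in trusted):
        return "allow"  # behaviour described in the post: no consent step
    return "allow" if allow_untrusted else "block"


if __name__ == "__main__":
    url = "https://vrceve.poly.jp/calendar"  # constructed sample URL
    print(decide(url))                                  # trusted wildcard
    print(decide(url, user_denied=["vrceve.poly.jp"]))  # option 3
    print(decide(url, per_url_consent=True))            # option 2
```

The check has to run before any connection is opened, since the post's concern is that the IP address is exposed as soon as the request is made.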