Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm
Context Aware Attacks • Data about targets obtained • Used to customize emails • Yields higher vulnerability rate
Context: Social Networks • Mine site for relationships (Alice knows Bob) • Spoof email from victim’s friend • People trust their friends (and that which spoofs them)
Context: Browser-Recon • Phisher mines browsers • Browsing history • Cached data • Attacker can discover affiliations • Easy to pair browser history with email address
Context: Cache Recon (diagram, pic1.jpg is not cached): the client requests GET /index.html, GET /pics/pic1.jpg, GET /pics/pic2.jpg
Context: Cache Recon (diagram, pic1.jpg IS in cache): the client requests only GET /index.html
Context: Cache Recon (diagram): GET pic1.jpg, GET logout.jpg, GET pic2.jpg (Felten & Schneider, “Timing Attacks on Web Privacy”, 7th ACM Conference in Computer & Communication Security, 2000.)
Context: History Recon
The Code:
<style> a { color: blue; } #id1:visited { color: red; } #id2:visited { color: red; } #id3:visited { color: red; } </style>
<a id=id1 href="x.com">Link 1</a> <a id=id2 href="y.com">Link 2</a> <a id=id3 href="z.com">Link 3</a>
What You See: Link 1 Link 2 Link 3
Context: History Recon
The Code:
<style> a { color: blue; } #id1:visited { background: url('e.com/?id=1'); } #id2:visited { background: url('e.com/?id=2'); } … </style>
<a id=id1 href="x.com">Link 1</a> <a id=id2 href="y.com">Link 2</a> <a id=id3 href="z.com">Link 3</a>
What You See: Link 1 Link 2 Link 3
Context: History Recon
The Code:
<style> a { color: blue; } #id1:visited { background: url('e.com/?id=1'); } #id2:visited { background: url('e.com/?id=2'); } … </style>
<a id=id1 href="x.com"></a> <a id=id2 href="y.com"></a> <a id=id3 href="z.com"></a>
What You See: (nothing, the anchors are empty)
History Recon + Email Auto-Fill: Identity Extraction • GET /?IAM=alice@x.com (lots of links) • GET /hit?id=1&IAM=alice@x.com • GET /hit?id=42&IAM=alice@x.com • Phisher can now associate Alice with links 1 and 42
Solutions to Browser-recon
• Client-Side Solutions:
  • Jackson, Bortz, Boneh, Mitchell, “Protecting browser state from web privacy attacks”, to appear in WWW06, 2006.
  • CSS limiting
  • “User-Paranoia” (regularly clear history, cache, keep no bookmarks)
• Server-Side Solution:
  • Make URLs impossible to guess
Solution Goals Requirements • Hard to guess any pages or resources served by SP • Search engines can still index and search SP
Solution Techniques
• Two techniques:
  • Customize URLs with pseudonyms, e.g. http://chase.com/page.html?39fc938f
  • Pollute Client State (fill cache/history with related sites not visited by client)
• Hiding vs. obfuscating:
  • Internal (protected) URLs hidden
  • Entry point (public) URLs obfuscated
Solution to Browser-recon (diagram): client C sends GET / to server S
Solution to Browser-recon (diagram): client C sends GET /?13fc021b to ST, which sends GET / on to SB (both in the domain of S)
Pseudonyms
• Establishing a pseudonym
• Using a pseudonym
• Pseudonym validity check:
  • Via Cookies
  • Via HTTP-REFERER
  • Via Message Authentication Codes
Pseudonyms
• Robot Policies
  • Dealing with search engines
  • Robots.txt “standard” (no problem if cheating)
• Pollution Policy
  • Pollute entrance URLs
  • How to choose pollutants?
  • What about links to offsite data?
  • Bookmarks?
Example (diagram): client C sends GET /page.html?83fa029; Bank.com (10.0.0.1) receives GET /page.html
Example, page as served by Bank.com (10.0.0.1): <a href='http://www.g.com'>Go to G</a> <a href='http://10.0.0.1/login.jsp'>Log in</a> <img src='/img/hi.gif'>
Example, internal address replaced by the public hostname: <a href='http://www.g.com'>Go to G</a> <a href='http://Bank.com/login.jsp'>Log in</a> <img src='/img/hi.gif'>
Example, offsite link routed through a redirector: <a href='http://Bank.com/redir?www.g.com'>Go to G</a> <a href='http://Bank.com/login.jsp'>Log in</a> <img src='/img/hi.gif'>
Example, pseudonym appended to every URL: <a href='http://Bank.com/redir?www.g.com?83fa029'>Go to G</a> <a href='http://Bank.com/login.jsp?83fa029'>Log in</a> <img src='/img/hi.gif?83fa029'>
Example (diagram), the rewritten page returned to client C via T: <a href='http://Bank.com/redir?www.g.com?83fa029'>Go to G</a> <a href='http://Bank.com/login.jsp?83fa029'>Log in</a> <img src='/img/hi.gif?83fa029'>
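The rewriting steps of the example above (strip the pseudonym on the way in, replace the internal address, route offsite links through the redirector, tag every URL with the pseudonym) together with the MAC-based validity check from the Pseudonyms slide, as an added Python example that is not the authors' Java prototype. The hostname bank.com, the address 10.0.0.1 and the sample page come from the slides; the HMAC construction and the regex-based rewriting are assumptions made here.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlsplit

SITE = "bank.com"              # public hostname (the slides' Bank.com, assumed lowercase)
INTERNAL_IP = "10.0.0.1"       # address of the real server behind the rewriting front end
KEY = secrets.token_bytes(32)  # front end's secret for the pseudonym MAC (assumption)

def issue_pseudonym(key=KEY):
    # Pseudonym = 64-bit random nonce (as in the prototype) + truncated HMAC tag.
    nonce = secrets.token_hex(8)
    tag = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    return nonce + tag

def pseudonym_valid(pseudonym, key=KEY):
    # Validity check via MAC: only pseudonyms this server issued are accepted,
    # so a guessed or altered value cannot name a protected URL.
    if len(pseudonym) != 32:
        return False
    nonce, tag = pseudonym[:16], pseudonym[16:]
    expect = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, expect)

def strip_pseudonym(request_path):
    # '/page.html?83fa029' -> ('/page.html', '83fa029') before forwarding to the back end.
    path, _, query = request_path.partition("?")
    return path, (query or None)

# Matches href='...' / src="..." attributes; a simple regex, not a full HTML parser.
URL_ATTR = re.compile(r"""(href|src)=(['"])([^'"]*)\2""")

def rewrite_html(html, pseudonym):
    # Apply the slides' rewriting steps to every link and image URL in a page.
    def fix(match):
        attr, quote, url = match.groups()
        host = urlsplit(url).hostname
        if host == INTERNAL_IP:            # data replacement: hide the internal address
            url = url.replace(INTERNAL_IP, SITE, 1)
            host = SITE
        if host and host != SITE:          # offsite redirection: go through the redirector
            url = f"http://{SITE}/redir?{url}"
        url += "?" + pseudonym             # tag the URL, in the slides' '?pseudonym' form
        return f"{attr}={quote}{url}{quote}"
    return URL_ATTR.sub(fix, html)

# Constructed sample page, following the slides' example.
PAGE = ("<a href='http://www.g.com'>Go to G</a> "
        "<a href='http://10.0.0.1/login.jsp'>Log in</a> "
        "<img src='/img/hi.gif'>")
```

Calling rewrite_html(PAGE, "83fa029") yields the final rewritten page of the example, with the offsite link wrapped in the redirector and the pseudonym appended to each URL.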
Policies • Offsite Redirection Policy • Data Replacement Policy • Client vs. Robot Distinction
Special Cases Shared/Transfer Pseudonyms Cache pollution reciprocity
Prototype Details • Java App simulating an HTTP server • Pseudonyms: 64-bit random number (java.security.SecureRandom) • Experimental Client: Shell script + CURL
General Considerations • Forwarding user-agent • Translate Cookies • Optimizations
? Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm