I STILL KNOW WHAT YOU VISITED LAST SUMMER User Interaction And Side Channel Attacks On Browser History Zachary Weinberg Eric Y. Chen Pavithra Ramesh Jayaraman.

Slides:

Advertisements

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Advertisements

In this lecture, you will learn: ❑ How to link between pages of your site ❑ How to link to other sites ❑ How to structure the folders on your web site.

CSS cont. October 5, Unit 4. Padding We can add borders around the elements of our pages To increase the space between the content and the border, use.

CSS BASICS. CSS Rules Components of a CSS Rule  Selector: Part of the rule that targets an element to be styled  Declaration: Two or more parts: a.

Lesson 12- Unit L Programming Web Pages with JavaScript.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

Zachary Weinberg Eric Y. Chen Pavithra Ramesh Jayaraman Collin Jackson Carnegie Mellon University I Still Know What You Visited Last Summer I Still Know.

Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.

Web Accessibility Tests Using the Firefox Browser ACCESS to Postsecondary Education through Universal Design for Learning.

Web Privacy Topics Andy Zeigler Senior Program Manager, Internet Explorer Microsoft.

Chapter 9 Introduction to the Document Object Model (DOM) JavaScript, Third Edition.

Chapter 2 Introduction to HTML5 Internet & World Wide Web How to Program, 5/e Copyright © Pearson, Inc All Rights Reserved.

Web Design Basic Concepts.

IMAGES Controlling size of images in CSS Aligning images in CSS Adding background images.

© 2011 Delmar, Cengage Learning Chapter 2 Developing a Web Page.

INTRODUCTION TO DHTML. TOPICS TO BE DISCUSSED……….  Introduction Introduction  UsesUses  ComponentsComponents  Difference between HTML and DHTMLDifference.

Introduction to Interactive Media 06: Text: Static Interactive Media Component.

Prevent Cross-Site Scripting (XSS) attack

Dynamic Web Pages (Flash, JavaScript)

Using Styles and Style Sheets for Design

Chapter 2 Developing a Web Page. Chapter 2 Lessons Introduction 1.Create head content and set page properties 2.Create, import, and format text 3.Add.

5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.

Chapter 2 Developing a Web Page. A web page is composed of two distinct sections: –The head content –The body Creating Head Content and Setting Page Properties.

10 Adding Interactivity to a Web Site Section 10.1 Define scripting Summarize interactivity design guidelines Identify scripting languages Compare common.

HTML, XHTML, and CSS Sixth Edition Chapter 1 Introduction to HTML, XHTML, and CSS.

Web Page Design. Some Terms Cascading Style Sheet, (CSS) –a style sheet language used to describe the look and formatting of a document written in html;

Tutorial 4: Working with Hyperlinks. Objectives Session 4.1 – Place bookmarks on a Web page – Create a link to a bookmark – Create a link to another Web.

Chapter 8 Cookies And Security JavaScript, Third Edition.

JavaScript, Fourth Edition

Chapter 2 Developing a Web Page. A web page is composed of two distinct sections: – The head content – The body Creating Head Content and Setting Page.

Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.

Introduction to Interactive Media Interactive Media Components: Text.

Introduction to Programming the WWW I CMSC Summer 2003 Lecture 7.

WDMD 170 – UW Stevens Point 1 WDMD 170 Internet Languages eLesson: HTML/XHTML Tables (NON-audio version) © Dr. David C. Gibbs

 Good navigation is consistent, clearly labeled, and reflects the needs of the site’s audience.  Navigation labels are short, clear, and user-friendly.

BeamAuth : Two-Factor Web Authentication with a Bookmark 14 th ACM Conference on Computer and Communications Security Ben Adida Presenter : SJ Park.

How the Web Works Building a Website – Lesson 1. How People Access the Web Browsers People access websites using software called a web browser. To view.

Web Privacy Topics Andy Zeigler Senior Program Manager, Internet Explorer Microsoft.

Microsoft Expression Web 3 – Illustrated Unit F: Enhancing a Design with CSS.

HTML (Hyper Text Markup Language) Lecture II. Review Writing HTML files for web pages – efficient compact – fundamental. Text files with htm extension.

Web Design (12) CSS Introduction. Cascading Style Sheets - Defined CSS is the W3C standard for defining the presentation of documents written in HTML.

Spiderman ©Marvel Comics Creating Web Pages (part 1)

Chapter 1 Introduction to HTML, XHTML, and CSS HTML5 & CSS 7 th Edition.

Document Object Model Nasrullah. DOM When a page is loaded,browser creates a Document Object Model of the Page.

1 Utkarsha MishraCOMPSCI 725 David Silver, Suman Jana, Eric Chen, Collin Jackson, and Dan Boneh. “Password Managers: Attacks and Defenses.” In Proceedings.

Project 7: Exploring DHTML Essentials for Design JavaScript Level Two Michael Brooks.

Learning Aim C.  Creating web pages involves many considerations.  In this section we will look at the different software tools you can use and how.

SE-2840 Dr. Mark L. Hornick 1 Dynamic HTML Making web pages interactive with JavaScript.

introductionwhyexamples What is a Web site? A web site is: a presentation tool; a way to communicate; a learning tool; a teaching tool; a marketing important.

Introduction. Internet Worldwide collection of computers and computer networks that link people to businesses, governmental agencies, educational institutions,

By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,

The Internet Salihu Ibrahim Dasuki (PhD) CSC102 INTRODUCTION TO COMPUTER SCIENCE.

Windows Vista Configuration MCTS : Internet Explorer 7.0.

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

Working with Cascading Style Sheets

Objective % Select and utilize tools to design and develop websites.

Web Site Development and Macromedia Dreamweaver 8

Chapter 2 Developing a Web Page.

Learning the Basics – Lesson 1

Objective % Select and utilize tools to design and develop websites.

Introduction to web design discussing which languages is used for website designing

Dynamic Web Pages (Flash, JavaScript)

Introduction to Internet Programming

Hyperlinks, Images and Tables

Objective Understand web-based digital media production methods, software, and hardware. Course Weight : 10%

Hyperlinks, Images and Tables

Exercise 9 Skills You create and use styles to create formatting rules that can easily by applied to other pages in the Web site. You can create internal.

HTML5 and Local Storage.

Client-Server Model: Requesting a Web Page

Presentation transcript:

I STILL KNOW WHAT YOU VISITED LAST SUMMER User Interaction And Side Channel Attacks On Browser History Zachary Weinberg Eric Y. Chen Pavithra Ramesh Jayaraman Collin Jackson IEEE Symposium on Security and Privacy, May 2011

Introduction : History Sniffing  Unintended consequence of combination of three independently desirable features  Visited-link indication to the user  CSS control of all aspects of page appearance  JavaScript monitoring of page rendering

How can history sniffing be used?  Benign:  Websites could use history sniffing to determine whether their users have visited known phishing sites.  Websites could seed visitors’ history with URLs made up for the purpose, and use the URLs to re-identify their visitors.  Malicious:  Track visitors across sites for advertising purpose, determining whether they also visit a site’s competitors.  Attackers can construct more targeted phishing pages, by impersonating only sites that a particular victim is known to visit

Automated attacks

Direct Sniffing  Javascript checks link colour through Document Object Model (DOM)  DOM uses “computed style” of HTML element to collect CSS properties  Malicious site can create hyperlinks for some sites and can then check if those links have indeed been visited by user

Indirect Sniffing  Make visited and unvisited links take different amounts of space, which causes unrelated elements on the page to move; inspect the positions of those other elements.  Make visited and unvisited links cause different images to load.

Side Channel Attacks  Timing attacks  Attacker can make the page take longer to lay out if a link is visited than if it is unvisited

Defense against History Sniffing  L. David Baron, 2010  Make getComputedStyle act as though all links are unvisited  Request all images mentioned in CSS at once  Limit the CSS properties that can be used to style visited links to color, background-color, border- color, outline-color, column-rule-color, fill, and stroke

Interactive Attacks

Word CAPTCHA  Each word is a hyperlink to an URL that the attacker wishes to probe  If unvisited, it is drawn in the same color as the background

Character CAPTCHA  Seven-segment LCD symbols  Every letter represents 3 URLs

Chessboard Puzzle  Each square contains a URL  Only the pawns corresponding to visited sites are made visible

Pattern Matching Puzzle

Success Rate

Conclusion  Automated history sniffing attacks have successfully been blocked by Baron’s solution  Interactive attacks cannot be blocked

References  L. D. Baron. (2002) :visited support allows queries into global history. Mozilla bug  D. Jang, R. Jhala, S. Lerner, and H. Shacham, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications,” in ACM Conference on Computer and Communications Security (CCS), 2010