Slashdot Mirror


New JavaScript-Based Timing Attack Steals All Browser Source Data

Trailrunner7 writes "Security researchers have been warning about the weaknesses and issues with JavaScript and iframes for years now, but the problem goes far deeper than even many of them thought. A researcher in the U.K. has developed a new technique that uses a combination of JavaScript-based timing attacks and other tactics to read any information he wants from a targeted user's browser and sites the victim is logged into. The attack works on all of the major browsers and researchers say there's no simple fix to prevent it."

167 comments

  1. Yes, there is a simple fix by Anonymous Coward · · Score: 2, Informative

    Disable Javascript.

    1. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 3, Informative

      Disable Javascript.

      You might as well stay off of the Web then.

      I tried that a couple of times and I couldn't do any banking, use my brokerage account, use any financial sites, all other content would not show correctly.

      Unfortunately, JavaScript has become a necessity for the Web.

      I can't think of any website that actually worked without it.

    2. Re:Yes, there is a simple fix by Joce640k · · Score: 2

      You could try enabling it on your bank's website.

      --
      No sig today...
    3. Re:Yes, there is a simple fix by dicobalt · · Score: 5, Informative

      NoScript is your friend.

    4. Re:Yes, there is a simple fix by gl4ss · · Score: 1

      or add random delays to drawing and fix the bugs which allow viewing of other sites sources and screenshotting.

      those are really the bigger thing than finding out if a link has a visited class applied on it or not.

      --
      world was created 5 seconds before this post as it is.
    5. Re:Yes, there is a simple fix by J_Darnley · · Score: 2

      Only because devs expect to be able to use it. Interactive websites worked before the latest fad for JS, and they still do! As for one that works without: you are on one!

    6. Re:Yes, there is a simple fix by noh8rz10 · · Score: 1

      web 1.0 ftw!

    7. Re:Yes, there is a simple fix by AchilleTalon · · Score: 1

      Yes, adding random delays from the browser should fix the problem for the timing attack.

      --
      Achille Talon
      Hop!
    8. Re:Yes, there is a simple fix by edrobinson · · Score: 1

      Wrong. Take a look at the page source...

    9. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      The other fix is to only visit sites that don't store sensitive information in the page source and don't run arbitrary javascript from untrusted sources. Once an attacker is running whatever JS he wants in your browser, it's kinda game over anyway. This doesn't seem like anything to be worried about, unless I'm missing something.

    10. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 1

      Disable Javascript.

      The fucking assholes in the Firefox project decided against all common sense to take away the option to disable javascript on a global/per-site basis.
      But hey, the modern rage is all about taking away options so...

    11. Re:Yes, there is a simple fix by J_Darnley · · Score: 1

      I see lots of tags but I believe they are rendered completely ineffectual thanks to NoScript.

    12. Re:Yes, there is a simple fix by mark-t · · Score: 1

      JS still runs in sandbox and can't access any information stored on your local machine that is not provided to it by the browser, nor, if the browser is running javascript correctly, will the browser's JS interpreter allow access to any information outside the page or any of its frames, that it is presenting to the user from where the javascript code started.

      I don't see how any of these proposed attacks would affect somebody who, whenever they are going to go to a site that they may regularly use or have bookmarked, and which may have some confidential information, always manually opens a new tab or window first for the page to load in.

      How is even a malicious javascript code on one web page going to see the content of a page that I have manually opened up in an entirely separate window?

    13. Re:Yes, there is a simple fix by Teun · · Score: 2, Interesting

      Today I booted up the WinXP partition on a netbook that normally runs Kubuntu, last time was over a year ago and I thought, why not update now while it's still possible.

      Java popped up explaining there was an update and I let it install.
      Once the install was done I was surprised by being asked my permission to run a check on the Java website, I was even given the option to tick a box to 'always trust Java from this publisher'.

      Does the latest Java version now have such a site by site or publisher dependent protection built in?

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    14. Re: Yes, there is a simple fix by h2oliu · · Score: 1

      Not all sites use their own code. Malicious JavaScript through advertisements would provide an attack vector. (As described in the article.)

      --
      Ok, I give up, why you?
    15. Re:Yes, there is a simple fix by Opportunist · · Score: 1

      You believe? What is this, faith based science? :)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    16. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      Not a realistic solution. Might as well say don't use the internet.

    17. Re:Yes, there is a simple fix by Concerned+Onlooker · · Score: 1

      The article is not informative enough. For instance, malicious code determines what web sites you've visited based upon the rendering time for a link. However, that begs the question that it must require rendering a page that has the links someone is interested in finding out you've visited. The article doesn't elaborate much so it doesn't seem as though there is arbitrary access to the browsing history.

      I would love to hear more from someone more knowledgeable about this technique.

      --
      http://www.rootstrikers.org/
    18. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      Once again: Oracle Java Runtime Environment (JRE) is not Javascript. Please people - stop conflating Java with Javascript. They are very very different things.

      As far as your off-topic Java question: JRE has had publisher checks for many versions. JRE 1.7.x did also add checks for unsigned code and defaults to prompting instead of just blindly running it.

    19. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 3, Informative

      Other fix: disable iframes.

    20. Re:Yes, there is a simple fix by plover · · Score: 4, Informative

      Javascript is cool for offering great content. But why would anyone allow JavaScript from non-primary-domain sources? Advertisers may want their readers to have a "rich, interactive, dynamic experience". Fine, they can offer that: on their site, after the users click over to your site from a static image.

      The rest of the linked-in javascript out there is mostly analytics, which do not benefit you as a user.

      And as a web site operator, you can be pretty sure that customers don't want to be pwned just because of a javascript brought in by your site. Should you really be linking to others that offer it?

      The GP said "he's whitelisting everything." He's doing it wrong - allow the javascript from servers in the *.domain.com for any given page, then selectively enable it from sites that add on features you care about, like disqus and vimeo. It's not a long list, and once you've whitelisted vimeo and vimeocdn for one site, you're not constantly enabling them on others.

      --
      John
    21. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      You believe? What is this, faith based science? :)

      I believe so, yes.

    22. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      The only "great content" javascript offers is ads and intern-generated page bloat.

    23. Re:Yes, there is a simple fix by maxwell+demon · · Score: 2

      I guess he could have studied the NoScript code (and the Firefox code it interacts with) in detail to make sure that NoScript indeed does what it is supposed to do in all cases. However he decided to not do that work, but instead to trust the author of NoScript to provide what he advertises. Probably encouraged by the fact that there seem to be no publicly known failures of NoScript in this regard.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    24. Re: Yes, there is a simple fix by maxwell+demon · · Score: 1

      Only if it gets executed. Why would you enable the JavaScript from ad networks to execute on your browser?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    25. Re:Yes, there is a simple fix by squiggleslash · · Score: 1

      Also disable CSS and HTML. You can never be too careful...

      --
      You are not alone. This is not normal. None of this is normal.
    26. Re: Yes, there is a simple fix by mark-t · · Score: 1

      Why would any remotely reputable place that has any genuinely confidential information about a person be using third party javascript hosted elsewhere linked from a page where such confidential information might be getting used?

    27. Re:Yes, there is a simple fix by mrnobo1024 · · Score: 1

      How is even a malicious javascript code on one web page going to see the content of a page that I have manually opened up in an entirely separate window?

      It can't, but it can load that same page's URL in an iframe, and it will contain the same confidential information. Browsers try to prevent pages from reading the contents of cross-domain iframes, which is extremely difficult to do in a completely airtight manner. A much better solution would be not sending cookies on cross-domain requests and thus making it impossible for one site to load the secrets a different site is storing for you, but so far everybody is focused on treating the symptoms and not the disease.

    28. Re:Yes, there is a simple fix by plover · · Score: 1

      Random delays only delay an attacker, they may not prevent it.

      Let's say you had a reply that took 25 milliseconds if it was cached, and 75 milliseconds if it wasn't. To fix it, you add a delay from 0-100 milliseconds to a reply. The attacker would just have to repeat his attack about six times to see the average response time. He'd figure it out soon enough.

      --
      John
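The arithmetic in the comment above, worked through as an added simulation (not code from the article or from any commenter): a reply costs 25 ms when cached and 75 ms when not, the defender adds a uniform 0-100 ms delay, and the observer simply averages repeated measurements. The constants and the alternating cached/uncached trial schedule are constructed for the demonstration.

```python
from __future__ import annotations

import random
import statistics

# Constructed numbers taken from the comment: 25 ms if cached, 75 ms if not,
# plus a defender-added uniform delay of 0-100 ms on every reply.
CACHED_MS = 25.0
UNCACHED_MS = 75.0
JITTER_MAX_MS = 100.0

# The jitter shifts both distributions by 50 ms on average, so the natural
# decision threshold is the midpoint of the two expected means (75 vs 125 ms).
THRESHOLD_MS = (CACHED_MS + UNCACHED_MS) / 2 + JITTER_MAX_MS / 2


def observed_delay(cached: bool, rng: random.Random) -> float:
    """One timing sample as an observer sees it: true latency plus random jitter."""
    base = CACHED_MS if cached else UNCACHED_MS
    return base + rng.uniform(0.0, JITTER_MAX_MS)


def guess_cached(samples: list[float]) -> bool:
    """Decision rule from the comment: average the samples, compare to the threshold."""
    return statistics.fmean(samples) < THRESHOLD_MS


def error_rate(n_samples: int, trials: int = 2000, seed: int = 1) -> float:
    """Fraction of trials in which averaging n_samples jittered replies gives the wrong answer.

    A single sample is misread whenever the jitter alone pushes it across the
    threshold (25% of the time); averaging shrinks the jitter's spread by
    sqrt(n), so the error rate collapses quickly with more repeats.
    """
    rng = random.Random(seed)
    wrong = 0
    for trial in range(trials):
        truth = trial % 2 == 0  # alternate cached / not cached
        samples = [observed_delay(truth, rng) for _ in range(n_samples)]
        if guess_cached(samples) != truth:
            wrong += 1
    return wrong / trials


def samples_needed(max_error: float, limit: int = 64) -> int:
    """Smallest repeat count at which the jittered signal is still read with error <= max_error."""
    for n in range(1, limit + 1):
        if error_rate(n) <= max_error:
            return n
    return limit


if __name__ == "__main__":
    for n in (1, 6, 30):
        print(f"{n:2d} sample(s): misclassification rate {error_rate(n):.3f}")
    print("repeats needed for <= 1% error:", samples_needed(0.01))
```

The takeaway for a defender is that bounded random delay only multiplies the number of loads needed, which is why the point in the comment holds; a burst of repeated loads of the same resource from one client is the observable side effect worth alerting on.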
    29. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      So, this isn't an option for you, until after you've been had? At what point will the risk of attack (ie. loss of money) outweigh the usefulness of the sites? $100? $1000? $10000? For me, it's $0. Prevention is better than a cure, isn't it?

    30. Re:Yes, there is a simple fix by 10101001+10101001 · · Score: 1

      You might as well stay off of the Web then.

      Really? No other options, like, oh, pestering a lot of web site owners to stop using so much damn javascript that sites "need" it?

      I tried that a couple of times and I couldn't do any banking, use my brokerage account, use any financial sites, all other content would not show correctly.

      Well, there's your problem. What part of sanity is there in using the same session/cache/whatever for banking, your brokerage account, your financial sites, etc and "all other content"? Even if javascript wasn't shown to be exploitable, browsers are such leaky messes (no offense intended to the developers, but it's a pretty honest truth) that as much as using a VM just for your financial stuff sounds extreme, it's not really unreasonable. So, like, keep your financial stuff separate (use Firefox/Chrome for business and the other for everything else), preferably on an encrypted volume and you can keep your javascript on since there won't be anything "worth" stealing (or use three or use private browsing or disable javascript except for those few financial sites and clear the cache before/after and restart the browser before/after using those sites).

      Unfortunately, JavaScript has become a necessity for the Web.

      No. Fortunately, lots of websites have offered a very convenient filter where I can ask myself, "is it worth it to me to enable javascript to view their content" *before* I potentially get exploited. Because that's basically the situation now.

      I can't think of any website that actually worked without it.

      You can count Slashdot heavily in that. Technically it works, but it doesn't work well without javascript enabled.

      As an aside: This is why full disclosure is so damn important. The sooner the public is told, the sooner they can take action. It's only a few clicks to disable javascript, and now I can leave it off until either (a) the article is shown to be overly reactionary, (b) fixes are introduced, or (c) I decide to otherwise mitigate the risk (selective use manually or through an add-on, disabling parts that make me more vulnerable, etc). For all your talk about how much the web needs javascript, the truth is plenty of people (maybe not you) can actually live well enough without it most or all the time. Of course, I think some people (the GP might be one) just have it in for javascript because (a) it's a bad idea to have a Turing complete language running from every website, (b) javascript causes all sorts of messes with web readers, different/limited browsers, and (c) situations like this make there appear to be so much lock-in to javascript that it's more of a pain to deal with. But, I think as reactionary as the GP's comment is (when the author was clearly speaking of fixing Javascript in the context of the vulnerabilities, not of per se fixing the javascript concept), I think your response is on the same scale. The second you see javascript as a need instead of a useful tool, javascript is clearly being used too badly to be accepted as is. That's why I mentioned complaining to website owners because that's where you have to start.

      --
      Eurohacker European paranoia, gun rights, and h
    31. Re:Yes, there is a simple fix by gl4ss · · Score: 1

      well, always act like the link was visited before or like it never was.

      getting the contents of iframes is the bigger issue here anyways, I'm not sure why he is making such a big deal about the timing attack since the timing attack in principle has nothing to do with the iframe contents peeking or the gfx effect filter bug ??

      --
      world was created 5 seconds before this post as it is.
    32. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 1

      Java has always had publisher validation for signed applets. The difference with signed applets is that, if the signature is "trusted", they get full run of your system outside the web applet sandbox.

      For example, they can read, create, and/or modify any file in your client filesystem to which you have appropriate permissions, and they can do this without any further user interaction or prompts. I believe they can also open network connections which bypass the browser origin logic, so they can send and receive file data or launch attacks to anywhere reachable by your network connection.

    33. Re:Yes, there is a simple fix by akh · · Score: 2

      A good defense against this kind of attack is to 1) use a per-page nonce, 2) use an HTTP POST for all page loads, and 3) use HTTPS for all traffic. On every page load the nonce present in the POSTed form is compared to the nonce stored on the server. If the nonces match then the page along with a new nonce is generated and returned to the client; the new nonce also replaces the old one on the server side. If the nonces do not match then an error is returned. Simply knowing the page's URL does not allow one to retrieve the page even if one is seen as being logged in (e.g. via a cookie). In addition, this technique provides a good deal of defense against replay attacks and session hijacking. Note, however, that this technique can be partially defeated if the attacker has some other way of retrieving the source of the actual page displayed in the user's browser. A full security analysis is left as an exercise for the reader ;^)

      --
      Accept Eris as your Fnord and personally sate her
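The per-page nonce scheme described in the comment above, as an added example that is not code from any commenter: an in-memory store holds one valid nonce per session, every page load must be a POST carrying that nonce, a match returns the page with a fresh nonce (the old one dies), and a mismatch returns an error. The store, session ids and render function are hypothetical names constructed for the demonstration; it assumes the session is already established and, as the comment says, that nonces are protected in transit by HTTPS.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class NonceStore:
    """Hypothetical server-side store: session id -> the single nonce currently valid for it."""
    current: dict[str, str] = field(default_factory=dict)

    def new_nonce(self, session_id: str) -> str:
        """Issue a fresh unguessable nonce and make it the only valid one for this session."""
        nonce = secrets.token_urlsafe(32)
        self.current[session_id] = nonce
        return nonce

    def serve_page(
        self,
        session_id: str,
        method: str,
        posted_nonce: str | None,
        render: Callable[[str], str],
    ) -> tuple[int, str, str | None]:
        """Return (status, body, next_nonce) for one page load.

        Knowing the URL (and holding the session cookie) is not enough: a plain
        GET, or a POST without the current nonce, never yields the page.
        """
        if method != "POST" or posted_nonce is None:
            return 405, "page loads must be POSTed with the form nonce", None
        expected = self.current.get(session_id)
        # compare_digest keeps the comparison itself from leaking the nonce by timing
        if expected is None or not hmac.compare_digest(expected, posted_nonce):
            return 403, "stale or unknown nonce", None
        next_nonce = self.new_nonce(session_id)  # rotate: the posted nonce is now dead
        return 200, render(next_nonce), next_nonce


def render(next_nonce: str) -> str:
    """Constructed page body: the new nonce rides in a hidden field of the navigation form."""
    return (
        '<form method="post">'
        f'<input type="hidden" name="nonce" value="{next_nonce}">'
        '<button>Next page</button></form>'
        "<p>Balance: 1,234.56</p>"
    )


def walkthrough() -> list[int]:
    """Status codes for one session's requests, in the order described in the comment."""
    store = NonceStore()
    sid = "session-A"
    first = store.new_nonce(sid)  # issued at login, embedded in the first page's form
    statuses = []
    # 1. the cookie alone (a plain GET of the URL) does not retrieve the page
    statuses.append(store.serve_page(sid, "GET", None, render)[0])
    # 2. legitimate navigation: POST carrying the current nonce
    status, body, second = store.serve_page(sid, "POST", first, render)
    assert second is not None and second in body
    statuses.append(status)
    # 3. replaying the first nonce (a captured request) now fails: it was rotated out
    statuses.append(store.serve_page(sid, "POST", first, render)[0])
    # 4. a nonce that belongs to a different session is useless here
    other = store.new_nonce("session-B")
    statuses.append(store.serve_page(sid, "POST", other, render)[0])
    # 5. the freshly issued nonce works exactly once
    statuses.append(store.serve_page(sid, "POST", second, render)[0])
    return statuses


if __name__ == "__main__":
    print(walkthrough())
```

The caveat in the comment is visible in `render`: whoever can read the page as displayed in the victim's browser also reads the next nonce, so the scheme blocks replay and cookie-only fetches, not a full page-content leak.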
    34. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      Sorry, can't see your reply with javascript disabled. Users who aren't logged in wouldn't be able to change their comment score threshold setting. I don't know if they can change it while logged in, as I don't have an account myself.

    35. Re:Yes, there is a simple fix by plover · · Score: 1

      The only "great content" javascript offers is ads and intern-generated page bloat.

      JavaScript is not great content. JavaScript enables greatly increased usability of content.

      Website owners can and should use the tools at their disposal to present and manipulate content in a way that makes it interesting, fun, informative, and usable. But that shouldn't extend beyond their data. They should also accept responsibility for the safe presentation of other content, like ads. And dynamic execution and safety are at opposite ends of the spectrum.

      --
      John
    36. Re:Yes, there is a simple fix by colinrichardday · · Score: 1

      I can globally disable javascript on firefox: edit -> preferences -> content -> uncheck the enable javascript box. I don't know about per site.

    37. Re:Yes, there is a simple fix by Oligonicella · · Score: 1

      Simply untrue, regardless of how you meant it.

    38. Re:Yes, there is a simple fix by marauder · · Score: 1

      A lot of people load their JQuery libraries or whatnot from a CDN. In fact I think that's the preferred behaviour. There are multiple CDNs so the list is a bit longer and more annoying than you'd think.

      Some links for background:
      http://encosia.com/3-reasons-why-you-should-let-google-host-jquery-for-you/
      http://royal.pingdom.com/2012/07/24/best-cdn-for-jquery-in-2012/

    39. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      I guess he could have studied the NoScript code (and the Firefox code it interacts with) in detail to make sure that NoScript indeed does what it is supposed to do in all cases. However he decided to not do that work, but instead to trust the author of NoScript to provide what he advertises. Probably encouraged by the fact that there seem to be no publicly known failures of NoScript in this regard.

      Sure there are. You just can't see them if you have NoScript enabled...

    40. Re:Yes, there is a simple fix by kesuki · · Score: 1

      I remember that before there was iframes there was a cool browser that let you make as many frames from multiple sources and did it all on a 486 with 8mb of ram. sadly aol bought it and killed the tech. it's not like tabs because with tabs each site is on its own tab as big as the window, with multi framing browsers you can literally load dozens of websites, adjust their frame size and scroll content in interesting ways. it is superior to tabs in every way. you could for instance load a porn site in a 10x480 pixel frame and drag and resize when the coast was clear while you were waiting on it to load perhaps in a place where you wouldn't dare open porn. sure we don't wait for porn to download anymore but at the time we did and it was essential to not show the url of the loading porn pane/frame.

    41. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      You'd be surprised at how many legitimate sites are using iframes for things that would be very non-trivial to do without. Websites from large companies with multiple groups working on different aspects of a product will create a seemingly seamless experience by iframing one group's content into the other's.

      Also, almost every single rich text editor on the web uses at least one iframe.

      Also, the same tricks can be applied with traditional frames too, so you'd have to disable those as well.

    42. Re:Yes, there is a simple fix by pmontra · · Score: 1

      As a noscript user I have to allow cloudflare or many sites don't work. Many sites don't degrade gracefully nowadays and they put their main js on accelerators like cloudflare.

    43. Re:Yes, there is a simple fix by datavirtue · · Score: 2

      I'm using NoScript which is pretty simple and grants you a lot of control. It saves me bandwidth on my satellite connection and makes the pages load quicker. A lot of the good sites have a decent fallback as well. Facebook is much better without Javascript for instance.

      --
      I object to power without constructive purpose. --Spock
    44. Re:Yes, there is a simple fix by jfengel · · Score: 3, Informative

      Frenemy. Or rather, lots of web sites are my frenemies, scooping up Javascript from dozens of web sites with no clear indication that they're aware of the interactions or trustworthiness of those sites. Slate.com is my particular nemesis here; I once counted two dozen separate sites that would have had to be enabled before the site could run as its designers intended, some of them down 4 and 5 layers of indirection.

      NoScript, who treats everybody as an enemy until told otherwise, requires an awful lot of hand-holding before permitting that. NoScript I trust (more or less) to be on my side, but lots of web site designers consider them the enemy, and that makes our mutual encounters... tense.

    45. Re:Yes, there is a simple fix by wonkey_monkey · · Score: 1

      That doesn't sound very useful to me. You said AOL bought it and "killed the tech" but if it was really such an amazing interface someone else could have replicated it.

      scroll content in interesting ways

      What ways are there except for uppy-downy and lefty-righty? ;)

      it is superior to tabs in every way. you could for instance load a porn site in a 10x480 pixel frame and drag and resize when the coast was clear

      How is that any different from switching between tabs? Or switching to a separate browser window?

      --
      systemd is Roko's Basilisk.
    46. Re:Yes, there is a simple fix by jfengel · · Score: 1

      They also like to link to sites like jquery and google and other sites who are hosting basic Javascript features that they depend on. I'd just as soon they download it and serve it from their domain, but that way they get automatic, dynamic upgrades and bug fixes.

    47. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      This is not what I see, usually the JS asset version is locked, presumably so an auto-upgrade/bug-fix to the next version won't break the site.

    48. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      You know, I think I've heard of that before, didn't Xerox and Apple and Microsoft do that, and call the technology "windows" (not as in the trademark, but as in the thing on your screen) :P

    49. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      There are a few good uses of JS to grab stuff from other servers, like the Dilbert reader.

    50. Re:Yes, there is a simple fix by mark-t · · Score: 1

      Of course it can load that URL in a frame, but you'd still have to *give* it that URL first.

      For myself, whenever I am going to visit a website that isn't linked to the page I'm on, such as if I'm wanting to go to my bank's website or logging into gmail or whatnot, I *always* manually open a new window or tab first.

    51. Re:Yes, there is a simple fix by plover · · Score: 1

      That considers only the performance viewpoint. As a web developer, it's valuable to him because A) he's not responsible for hosting the latest version himself, B) he's not paying to deliver it to his viewers, and C) his users can use their already cached version of the script they got visiting a different site.

      Security wise, it's risky. If someone's encountered malware that's stored a poisoned version of jquery in their web-cache, and they go to your site, they're already pwned - and now they're on your site with your data!! Even more hilarious, when the bad guys deliver their malware script, they deliver it with a Cache-Control: max-age=86400*30, which means it will live for a month in the victim's cache.

      If you want to host jquery on your own CDN, you're dealing with a "known-good" (or at least "known-clean") copy of the code. If you're trusting the user's browser to pull whatever copy they have out of their cache, you're begging to be a target.

      --
      John
    52. Re:Yes, there is a simple fix by foniksonik · · Score: 1

      Analytics do benefit you as a user. That's how companies find out things. They find out what is popular so they can devote more resources to it.

      Plenty of other examples but maybe you can think them through yourself.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    53. Re:Yes, there is a simple fix by Kinematics · · Score: 1

      That option has been removed as of version 24 (and possibly version 23?).

    54. Re:Yes, there is a simple fix by plover · · Score: 2

      Analytics allow site owners to see interesting data about their pages - how many visits, etc. The owners can theoretically improve their pages so I get a better experience. And it's free! Who doesn't love a free service?

      But the well-known rule is that if someone's giving you something for free, you are the product, not the consumer. So they're selling you out the back end. Think about what they now have to sell.

      The answer is that the analytics providers are tracking behavior from search to sale. They are able to tell their paying customers "people who search for 'XYZZY' are buying magic wands for an average of 30 gold pieces each. The higher they are on the search results, the closer they are to the average price. There are 10,000 queries for XYZZY from the US each day, and 500 of those result in sales. If you pay for an XYZZY adword, you'll see about 2,500 of those people. Half the people who searched for XYZZY went to MagicWandRatings.com before buying magic wands, and of those their readers chose PLUGH brand magic rods over XYZZY magic wands 10 to 1. Cart abandonment of 40 G.P. magic wands is at 80%, while cart abandonment of 38 G.P. magic wands is at 70%."

      The first thing my SEO guy is going to do is head to MagicWandRatings.com and create a couple dozen sock puppets to tout XYZZY wands. He's going to lie his butt off telling people that XYZZY wands are the fierce green snake's pyjamas. MagicWandRatings.com, once the most trusted site in magic wand ratings, is going to become an unreliable source of information regarding wands thanks to this pollution, yet the search engines are going to continue to lead me there anyway.

      Analytics lets the sellers discover the highest going prices to sell their merchandise at. This results in the highest possible prices for me, the consumer. So I get a high-priced crappy wand as a result of analytics.

      As a consumer, analytics ultimately do not benefit me. They corrupt the web and cost me money and quality. Thanks, but I'll opt out.

      --
      John
    55. Re:Yes, there is a simple fix by colinrichardday · · Score: 1

      Never mind

    56. Re:Yes, there is a simple fix by diamondmagic · · Score: 1

      Modifying the behavior for "cross-domain" requests doesn't fix a thing. What if I open up a malicious link from my mail client?

      https://bank.example.com/transfer?to=mallory&amount=100

      Your idea of a "fix" doesn't fix anything, it ignores the Web security model and naively assumes that there's some hard distinction between "The user wanted to perform this action" and "some non-user performed this action acting as the user" when, to the user-agent and end server, there's really no distinction.

      On the Web, only user-agents make requests. Whether they're doing this because a human requested it or because a program or robot made the request is immaterial. Requests must be secure under all these conditions.

    57. Re:Yes, there is a simple fix by Firetoad · · Score: 0

      scroll content in interesting ways

      What ways are there except for uppy-downy and lefty-righty? ;)

      Wibbly-wobbly?

    58. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      As a consumer, analytics ultimately do not benefit me. They corrupt the web and cost me money and quality.

      That is incorrect, they potentially could corrupt the web and cost you money and quality but the fact that you had to refer to "magic wands" for your example illustrates that you do not even have one real world example of this happening, much less be in any position to propose that it is in any way even close to the norm.

      But the well-known rule is that if someone's giving you something for free, you are the product, not the consumer.

      You are more than welcome to start using (or even create your own) paid services that cost you money per-search or per-post or whatever. The fact is most people who claim to despise ads and analytics are those who most crave the content supported by such systems (else they wouldn't be complaining about it), now if you were the sort of person who avoided that content on principle then you would have some credibility.

    59. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      As an aside: This is why full disclosure is so damn important. The sooner the public is told, the sooner they can take action.

      Oh come on, you've got people (even a load of people on this site) that can barely manage without a "start menu" on their computers and you actually think they will have any idea whatsoever what javascript is, that it is different to java and whether or not they should be enabling/disabling it?

    60. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      Let's go back to gopher. I would feel much more secure. Pardon me while I return to hiding under my bed.

    61. Re:Yes, there is a simple fix by 10101001+10101001 · · Score: 1

      Oh come on, you've got people (even a load of people on this site) that can barely manage without a "start menu" on their computers and you actually think they will have any idea whatsoever what javascript is, that it is different to java and whether or not they should be enabling/disabling it?

      No more than I think the average person knows much of anything about most things. But full disclosure increases the odds that the "local expert" in the field actually hears about the security vulnerability and can do something to help those who know no better. You could argue the answer is responsible disclosure to *just* the "local expert[s]", but the "local expert" could also be an expert black hat as well and really there's no way to determine who is or isn't a "local expert" even with some sort of licensing board. Trying to limit the information to just the people who can fix the problem doesn't work because (a) Firefox is open source, (b) too many parties/vendors are involved and may well drag their feet on a fix for years, (c) it doesn't sound like there's necessarily any inherent way to fix the problem, and (d) companies like MS seem on the take of three letter agencies and we have recent history that demonstrates we can't trust those. Finally, your glib remark about 'can barely manage without a "start menu"' rather misses the point of exactly why people here complain about the removal of a functional feature purely for marketing reasons (that is, to try to artificially inflate demand on Metro, which is, btw, the reason the Windows 8.1 "start menu" fix is bogus), which rather undercuts your comment precisely because it comes across as an ad hominem.

      I mean, your whole argument sort of devolves into "people are idiots so don't tell them stuff". That's an obviously bogus argument because if such is true, it's irrelevant if you tell people or not--said people who are too stupid to use the information to their own defense are just as probable to be too stupid to use the information as an offense. Hence, there would be no real argument against full disclosure except as a pure personal preference. Meanwhile, I recognize that enough people aren't idiots--they're just specialized in different fields--and full disclosure is the best method of ensuring as many specialists in a field as possible learn of something as soon as possible and are able to disseminate their own help to people that rely upon them.

      Having said that, the anti-specialists may try to take advantage in the interim and there's no magic cure for that once the genie is out of the bottle. After all, if three letter government agencies didn't have an official channel into MS or Firefox or whatever, do you think it likely they could keep out a mole? And what of all sorts of other governments or organizations? There may be some luck in that, but too few organizations are structured to reasonably resist those sorts of threats, so it makes more sense, IMNSHO, to minimize the delay on making such threats no longer a secret. Now, how long and for what degree of threat should encourage what sort of delay, I recognize room for debate. But, that's a matter of degree, not of kind. :)

      --
      Eurohacker European paranoia, gun rights, and h
    62. Re:Yes, there is a simple fix by jarle.aase · · Score: 3, Insightful

      I agree.

      If enough users disable javascript, sites will be forced to provide a content generating back-end alternative. Js is becoming the new Flash. Opening wide up for vulnerabilities, and draining your laptops battery.

    63. Re:Yes, there is a simple fix by denmarkw00t · · Score: 2

      It's not just security to worry about - although that isn't really a big concern as most CDNs hopefully never fall to exploits themselves...

      Working in a "content agency," we've used CDN hosted JS before. Not shabby, but I prefer to keep it on our servers. It doesn't really save you on point B - if you're hosting the page, host the damn JS. The caching is nice, but your JS should be small anyway...hopefully. We ran into an issue with jQuery Mobile over CDN - we were pointing to the latest stable, but surely enough something changed one day and it was enough to throw the page into a sputtering mess...not worth it.

    64. Re: Yes, there is a simple fix by Anonymous Coward · · Score: 0

      Just run ad block, disable 3rd party cookies and look into blocking requests to 3rd party sites. The first two cut the junk down considerably. The last is for a full escape.

    65. Re:Yes, there is a simple fix by allypally · · Score: 0

      Slightly simpler fix: disable all unsigned Javascript.

      Javascript should come with guarantees that it does not contain malicious code, an auditable path back to who wrote it, and industry-backed insurance against it damaging the machines it runs on.

      That way, many more of us will be happier to let this (currently) malware vector run on our machines.

      Of course that would require a little bit of infrastructure to enable. But the main beneficiaries -- the advertisers -- have known they have been edging toward the Javacalypse for a long time. They should have had a "Secure JS" mode up and running years ago.

    66. Re:Yes, there is a simple fix by DrSkwid · · Score: 1

      You obviously weren't doing it right.

      NoScript for Firefox and equivalent for Chrome have a site-by-site whitelist. One only enables JS as required.

      I have also found it instructional as to the amount of third party access sites are willing to sell. Particularly keen seem to be online newspapers. e.g. WashingtonTimes.com has Javascript served up from 15 domains.

      Combine that with other add-ons like Ghostery and Self-Destructing-Cookies and you will be unpleasantly surprised at the unnecessary crap that's thrown at your browser for the benefit of the sites you visit.

      --
      There are places where the networks are not touching, and there are places where they are-Boeing's Lori Gunter
    67. Re:Yes, there is a simple fix by Vaphell · · Score: 1

      about:config > javascript.enabled

    68. Re: Yes, there is a simple fix by Anonymous Coward · · Score: 0

      Well that's your own fault. Bleeding edge is OK for development but freeze your production environment to a specific version.

    69. Re:Yes, there is a simple fix by coofercat · · Score: 1

      So how do you deal with sites that use a CDN domain? As I understand performance 'best practice', you should deliberately host your static assets on a secondary domain so that it doesn't ever get sent cookies. You mention vimeo.com and vimeocdn.com, but many CDN domains aren't quite so obviously named - even here on /. we seem to have slashdot.org and a.fsdn.com and www.gstatic.com (not sure if gstatic is serving any JS, but you get the idea).

      FWIW, I use Adblock + Ghostery to avoid most of the cross-domain crap that you really don't want. However, the whitelists for noscript are proving more challenging.

    70. Re:Yes, there is a simple fix by plover · · Score: 1

      Like you, I'm running Adblock Plus, Ghostery, and NoScript, and I'm manually whitelisting them in NoScript. It's definitely not a process that is ready for the general public. And like you I find that some sites are indeed difficult to unwind to discover what should really be enabled to restore functionality, and what is not valuable to me.

      When I need something from a site, I usually walk the list of NoScript "forbids", enabling them one at a time until it works. I start with any that might appear to be an obvious CDN. I then enable the others, ignoring the known analytics providers until last. Sometimes I have to permit them in Ghostery, too.

      Fortunately, the number of sites with their own complex CDN is low. For the shared CDN providers, once you've solved the disqus puzzle on one site, the cure fixes all other sites that use it. So it's not a big deal either. I think I have about a hundred CDNs in my whitelist now, and encountering and unwinding a new one is not even a weekly occurrence any more.

      --
      John
    71. Re:Yes, there is a simple fix by kesuki · · Score: 1

      imagine that anything you can do with multiple windows can be done inside a browser like this http://imgbin.org/index.php?page=image&id=14689 that is what i meant by interesting layouts inside a browser that had a smaller footprint than netscape...

    72. Re:Yes, there is a simple fix by kesuki · · Score: 1

      i remembered the name today http://en.wikipedia.org/wiki/Global_Network_Navigator
      it was ahead of its time which was why aol killed it off.

    73. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      "[I]f someone's giving you something for free, you are the product, not the consumer. So they're selling you out the back end."
      Not true in all cases. Linux is free. g++ is free. MySQL is free. Blender is free. PHP is free. BSD can be free.

        "people who search for 'XYZZY' are buying magic wands for an average of 30 gold pieces each. The higher they are on the search results, the closer they are to the average price. There are 10,000 queries for XYZZY from the US each day, and 500 of those result in sales. If you pay for an XYZZY adword, you'll see about 2,500 of those people. Half the people who searched for XYZZY went to MagicWandRatings.com before buying magic wands, and of those their readers chose PLUGH brand magic rods over XYZZY magic wands 10 to 1. Cart abandonment of 40 G.P. magic wands is at 80%, while cart abandonment of 38 G.P. magic wands is at 70%."

      Great narrative. Google, at the very least, doesn't give this information to users of Google Analytics. You can't see in Google Analytics (even the paid version) the average dollar amount, or any competitor's dollar amount, for a given product or search. In theory they could, but I imagine the SEC and/or FTC would be on them for price fixing in no time.

      "Analytics lets the sellers discover the highest going prices to sell their merchandise at. This results in the highest possible prices for me, the consumer. So I get a high-priced crappy wand as a result of analytics."

      Or just as likely lower price. Think about the effect of all the department stores "we'll beat the competitors price" promise. There are likely many products that are priced over the optimum price; that is where the company would make more sales and thus more money by lowering the margin on that item. If analytics were being used the way you claim, and I'm sure some product is/does (just not Google's) then it would be equally likely to drive the price of wands down.

    74. Re:Yes, there is a simple fix by wonkey_monkey · · Score: 1

      Timey-wimey would be interesting. Hook it in to archive.org and you have the world's 3D web browser!

      --
      systemd is Roko's Basilisk.
    75. Re:Yes, there is a simple fix by wonkey_monkey · · Score: 1

      Well, each to their own, but I really can't see it being a boon to usability (I saw your screenshot in your other reply and thought "yikes"), and I think if it really had such wide possibility of appeal and merit it would have been reinvented by now.

      Or perhaps it has - have you tried Tile Tabs?

      --
      systemd is Roko's Basilisk.
    76. Re:Yes, there is a simple fix by kesuki · · Score: 1

      sweet i am trying it out now. whee

    77. Re:Yes, there is a simple fix by Anonymous Coward · · Score: 0

      *shriek*, inherited code flashback! :.p

    78. Re:Yes, there is a simple fix by cas2000 · · Score: 1

      use a separate browser (preferably on a separate machine or VM, or at least a separate login account) with js enabled for your banking.

      Unfortunately, JavaScript has become a necessity for the Web.

      not quite a necessity, but many sites are over-using jquery and other javascript toolkits (even for basic stuff like links that can and should be done as a href tags) and the web is *far* worse for it. it makes the web slow, frequently causes 100% CPU utilisation (which is no easy task on a modern 4 or 6 core machine), and breaks basic functionality like the Back button.

      in fact, all this javascript excrescence and the very meme of "web apps" is fucking up the web and turning it into a heap of shit...and none of the javascript bling is essential, very little of it adds *any value* at all to a web site. it's only done for two purposes, either or both of:

      1. because fuckwit designers think it looks pretty
      2. because arsehole marketers want to spy on everyone.

      I can't think of any website that actually worked without it.

      many sites work perfectly well with javascript disabled. the site you're on now (slashdot) for example.

    79. Re:Yes, there is a simple fix by cas2000 · · Score: 1

      it's worse than that - if a site uses a CDN to host javascript (e.g. common stuff like jquery) then the user has to allow javascript from that CDN.

      That's not just the jquery or whatever they need to view one particular site, it's every other script hosted on that CDN by any other site they happen to visit or stumble upon.

      The end result if you do this is almost identical to just enabling javascript everywhere.

      it also puts the CDN operators in a privileged position of being able to spy on users across a huge and broad range of web sites.

      They will spy on you for their own commercial (typically marketing and profiling) reasons, but whatever data they gather becomes a "business record" and subject to warrantless interception by american spook agencies.

      This is why, for example, I disable gravatar, refuse to use forums based on disqus, and block javascript from googleapis (and many other CDNs). If I happen to need to use a site that uses js from a CDN like this, then I temporarily use a separate browser just for that session (and delete all cache, cookies, html5 storage etc afterwards).

  2. No easy fix by Anonymous Coward · · Score: 1

    like disabling javascript?

    1. Re:No easy fix by Mitchell314 · · Score: 1

      Or just port the browser over to Java. Then the attack can't tell between a slow link, or the obnoxious garbage collector kicking in. :P

      --
      I read TFA and all I got was this lousy cookie
    2. Re:No easy fix by Tony+Isaac · · Score: 1

      Have you actually tried this? Are there any sites left that don't rely on javascript?

      You might as well just disable your browser.

    3. Re:No easy fix by 0111+1110 · · Score: 1

      Do you mostly surf porn sites? I find that something like 80% of web sites I browse display just fine without javascript. And the remaining 20% can often be substituted with equally good sites that do display without javascript.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
  3. No simple Fix? Turn off JavaScript. by Anonymous Coward · · Score: 1

    Seems like turning off javascript should be a simple fix to a javascript based attack.

  4. Self-referential story? by Tim+Ward · · Score: 1

    My browser won't let me open the target web site because it thinks it's nasty!

    1. Re:Self-referential story? by Smivs · · Score: 1

      Ha, yes I got that as well :) You using Opera?

  5. that sucks by Anonymous Coward · · Score: 0

    that sucks

  6. No JavaScript == No Web. by Anonymous Coward · · Score: 2, Insightful

    You could try enabling it on your bank's website.

    Which I did.

    The trouble is, very few websites work without it.

    In other words, I was whitelisting every website that I visited.

    Javascript is used so much, I never came across a website that would function without it.

    No JavaScript == No Web.

    1. Re:No JavaScript == No Web. by Anonymous Coward · · Score: 1

      This is just not true. Most of the sites I visit work fine with JS off (NoScript). Any site using Unobtrusive JavaScript will work fine. I use SSBs for the ones that require credentials and require JS. In other cases, I just don't use the site.

      Second, add RequestPolicy. Then you can enable JS per-site but be free from all of the cross-domain attacks*. It also requires that you build up a whitelist, but makes you MUCH safer online.

      *won't help with stored XSS, but not much will without major changes.

    2. Re:No JavaScript == No Web. by MightyYar · · Score: 2

      Yup - I used to be a religious user of NoScript, but gave up when I started allowing JavaScript to use even, uh, less than trustworthy sites.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:No JavaScript == No Web. by Joce640k · · Score: 0

      Which I did.

      The trouble is, very few websites work without it.

      In other words, I was whitelisting every website that I visited.

      Javascript is used so much, I never came across a website that would function without it.

      No JavaScript == No Web.

      There's a reason you're posting AC...?

      a) Your story sounds unlikely
      b) If you think your security is worth less than a mouse click then you'll get the browsing experience you deserve.

      --
      No sig today...
    4. Re:No JavaScript == No Web. by Anonymous Coward · · Score: 0

      You read religious sites?

      Research has proved that porn sites have a better than average score on trustworthiness. Porn sites don't want to be known to be an attack vector for viruses, etc. That is because porn sites' primary business is their website and they don't want to mess with that.

      On the other side of the scale are religious sites who just don't do any kind of due diligence on what kind of advertisements they show and if they contain viruses, and also don't really care. Because religion's primary business is done through multiple channels of which the web is just a small one.

    5. Re:No JavaScript == No Web. by Anonymous Coward · · Score: 0

      Slashdot works without Javascript.

      Javascript DL from the sites you visit regularly is one thing. Javascript from sites you don't visit regularly is another.

      Blocking all javascript by default is a Good Thing.

    6. Re:No JavaScript == No Web. by interval1066 · · Score: 1

      I started allowing JavaScript to use even, uh, less than trustworthy sites.

      Well, that's on you. I use it too to good effect. I have a few web sites I trust more than most, but I still disallow popups, scripts from 2nd level sites, and it appears to prevent cross site scripting effectively enough. Not using it... what's your point?

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    7. Re:No JavaScript == No Web. by Anonymous Coward · · Score: 1

      I think people mistake NoScript as being a "disable Javascript" button. It's not. It's a control on what parts of the modern web you want to allow. It's not for everyone.

      Saying "no javascript == no web" is also a myth. If you're like me and consider social media stuff to be a nuisance as you browse the casual web, then NoScript is a panacea. After two weeks, I had 99% of my web properly working with a very conservative set of filters. Moreover, I only have to "temporarily allow" the top-level domain of 99% of the remaining sites, and those only crop up a few times in a day for me, at most.

      In fact, it's only lazy sites that don't show their content WITHOUT Javascript that are a problem, and I've reached the point where I'll just shut the site down if it's that crappy. And you know what? That policy has made my web browsing experience better, not worse. I don't have as many hangs, pauses, hiccups, stutters or random BS happening as I browse.

      In short, NoScript is fine if you aren't so badly dependent on the "modern web" that it runs your daily life, rather than it being part of your daily life.

    8. Re:No JavaScript == No Web. by The+Cat · · Score: 0

      Don't pull a muscle trying to bash religion too hard there, Clem.

    9. Re:No JavaScript == No Web. by Anonymous Coward · · Score: 1

      Research has proved that porn sites have a better than average score on trustworthiness. Porn sites don't want to be known to be an attack vector for viruses, etc. That is because porn sites' primary business is their website and they don't want to mess with that.

      Legitimate porn sites, sure. The problem is all the "free" fly-by-night porn sites out there that just agglomerate porn they don't own, in order to draw users in to be compromised by malware. The porn is the bait, because users' Personally Identifiable Information is the profitable commodity.

      In other words, "It's a trap!!"

    10. Re:No JavaScript == No Web. by Anonymous Coward · · Score: 0

      set up at least two profiles with firefox, one for serious stuff like banking, and one for non serious stuff like reading slashdot and pr0n.

    11. Re:No JavaScript == No Web. by Decker-Mage · · Score: 1

      Actually, I use separate browsers entirely. Kinda hard to detect something that's happened in an entirely different program. [Usually]

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    12. Re:No JavaScript == No Web. by MightyYar · · Score: 1

      My point is that when even untrusted sites are whitelisted, I wasn't really protecting myself anymore, just being anal. I'm sure I was slightly safer that way, but it was no longer worth the effort to me. Clearly you value your time and effort differently than I do mine in relation to the amount of protection you are afforded.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  7. You mean the internet is full of danger? by Bob_Who · · Score: 1

    I thought it would be secure like my telecom....

    Sanitary like the stadium men's room.

    And trustworthy like my bank and credit score.

    Now I am very upset that I'll just have to wear clothing in public, once again. There goes the neighborhood.

  8. Mitigation strategies by Natales · · Score: 3, Interesting

    TFA is correct that there isn't anything to patch per se. However, it's possible to mitigate the effects of this by using multiple completely isolated browser sessions for different purposes. Your banking VM should always be used for banking, nothing else. Clear cookies and browser history at the end of the session. All that while other VMs should be used for their own specific purposes with their own security configuration.

    This is very well implemented in Qubes OS but can also be implemented via regular VMs. The guys at Bromium have also an interesting approach to this issue via microvirtualization using hardware.

    Net/net, the important thing is to make sure that whatever the attacker can get, it's irrelevant in the big picture of things.

    1. Re:Mitigation strategies by omz13 · · Score: 2

      That's all very well and good, but do you think the average web surfer even knows what you're talking about? Any solution needs to be baked into the bog-standard browsers instead of asking users to do VM magic.

    2. Re:Mitigation strategies by Anonymous Coward · · Score: 0

      Or use Sandboxie!

    3. Re:Mitigation strategies by Reziac · · Score: 1

      True (tho I was interested to learn of these products) ... so how does one go about that, design-wise? run each part of the browser in its own VM, so it can't see the rest without user intervention?

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  9. Re:No simple Fix? Turn off JavaScript. by Horshu · · Score: 1

    That's akin to turning off Flash to get rid of ads. Sounds like a good - no, great - idea, until you run into the problem of so many sites depending on it. Better fix would be for the browsers to allow disabling JS on a per-site basis, or better yet, allowing disabling of individual JS APIs (yeah, it could turn site behavior into a clusterf$%k, but I would give up red meat to be able to disable window.open())

  10. Firefox by Anonymous Coward · · Score: 0

    Then again, Mozilla wants to get rid of the option to turn off javascript.

    1. Re:Firefox by Anonymous Coward · · Score: 0

      A Firefox extension will only be made to disable it, if it cannot be natively disabled. There are already ones that disable it on a per-site basis like NoScript.

  11. Simple fix: strip iframes by Anonymous Coward · · Score: 1

    Javascript seems like it would be the easier fix (I use three browsers for different tasks, one of which is everyday browsing and it has javascript turned off) but javascript is necessary for pretty much everybody. Think GMail and Google Maps. Sure Google could support Thunderbird and have native map clients for everybody but that would require a lot of work (arguably less since javascript is so nasty, but they have kludged around that for the most part already...) So the simpler answer is a no frames/iframes checkbox in Firefox. Or think of it another way: how many fewer ads would we have?

    1. Re:Simple fix: strip iframes by minstrelmike · · Score: 1

      That's what I was wondering--no iframes.
      And for the folks who hate javascript for whatever reason, apparently they think they can substitute an UNBREAKABLE software for it.
      Clue for the clueless--software is only unbreakable when it remains unpopular.

    2. Re:Simple fix: strip iframes by The+MAZZTer · · Score: 1

      I think you underestimate just how many sites rely on frames. Gmail uses them for some functionality for one, though I dunno how critical it is.

    3. Re:Simple fix: strip iframes by pmontra · · Score: 1

      iframes are the only safe way to inject css and js into a third party page with no fears of conflicts with local code. Think of widgets, Facebook social widgets were using iframes last time I checked.

    4. Re:Simple fix: strip iframes by Anonymous Coward · · Score: 0

      It is also the only mechanism via which 3D payment auth checks are performed, like Verified by Visa and SecureCode.

      Since the point of these systems is that Visa and MasterCard get direct communication in realtime to the card holders web browser synchronously with payment.

      What HTML5 needs is a way to encapsulate CSS and JS from any DOM element, allowing inheritance or not.

      What CDN usage of common JS needs is the ability of the consuming website to dictate the md5/sha1/hash-checksum of the expected contents of the data at the target CDN link. This lends itself to allowing that JS hash-checksum from any source to be found in the local browser cache. One problem with using any CDN for free is security. What also should be an option on the HTML5 or tag is the ability to deny that CDN any other information about the request, such as Referrer/persistent-Cookie storage, etc... You think Google's CDN is doing you a favour? No, you are helping them collect information about web usage via Referrer headers.

      What payment systems need is a mechanism to allow a request for payment to be taken during the normal checkout process, but require the card holder to log in with the card issuer's banking portal to settle or cancel an individual transaction, as a 2nd action. This concept can then be extended to allow other mechanisms to facilitate the settlement/rejection decision, such as mobile devices, a one time pinpad, using the card with a special card reading machine, using the card directly with a mobile phone.

  12. The sky is falling!! by Anonymous Coward · · Score: 0

    >Firefox has fixed the pixel-reading issue

    So one of the more worrisome ones was fixed already? Ok. I don't think the view-source one will be any trouble either.

    >Essentially, the browser draws the link as un-visited and then makes a database query to see whether the user has visited the link. If so, it then redraws the link as visited.

    And this is the less worrisome one? Come on. What's impossible about fixing this? Doesn't Mozilla already not bother repainting the links as visited until the user hovers their mouse over them? What's so hard about fixing this?

  13. Re:No simple Fix? Turn off JavaScript. by Anonymous Coward · · Score: 0

    Well, since you are probably using an open source browser, you can disable window.open(). You'll have to give up some time (or money) though, but at least you can still have red meat :)

  14. The fix for about any timing attack by Opportunist · · Score: 1

    Fuck with the timing.

    Huh? What do you mean, "that would require today's programmers to at least know OF Assembler"...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:The fix for about any timing attack by VortexCortex · · Score: 1

      Fuck with the timing.

      Huh? What do you mean, "that would require today's programmers to at least know OF Assembler"...

      But... How would learning ASM.js help?

  15. Just render the link twice always... by Anonymous Coward · · Score: 0

    "There's no simple fix"? For the timing attack, the browser just has to ensure that the timing is the same in either case. Just redraw always. That might have efficiency issues, but it's certainly simple.

    That said, using NoScript and keeping javascript turned off as much as possible (like I do on this site and every site I haven't explicitly whitelisted) helps a great deal. This kind of stuff is most commonly done by advertising and "web analytics" sites, not top-level sites.

  16. Link history plus screenshots of iframe content by Tetravus · · Score: 3, Interesting

    So the guy figured out that browsers render all links on a page and then reflow any that should be styled to indicate they have already been visited. Apparently you can figure out which links have been reflowed by checking the number of frames that have to be rendered to display a link. Not a big deal, and if your site uses the same style for links that are already visited, not an actual attack vector.

    The second attack, using SVG (or, I assume) canvas to create a screenshot of what's visible to the end user could be leveraged for an actual attack, you know, if everyone didn't put iframe busting code on their pages served over SSL. Vendors can update the SVG rendering system to adhere to the same cross domain restrictions as other components and not include pixels from iframes in the buffer that is available to inspect via JS and this hole will be closed.

    Not too much to worry about here, but I'm surprised that SVG doesn't already do this (canvas won't allow JS to work with cross-domain images unless they have been served with a header that marks them as "safe" according to their originating service).

    1. Re:Link history plus screenshots of iframe content by Anonymous Coward · · Score: 0

      Is that literally all it was?
      Haha oh wow, that crap is trivial to fix.

      The history thing has been known forever under another method. I assume history will now be taken out of the DOM state changes entirely and only same-domain history will be capable of being styled. It should have been like that in the first place anyway!

      And screenshot abuse has been looked into before.
      Hell, it wouldn't matter since you can re-render an entire DOM simply by dumping the entire thing into binary, encoding it to an image and transmitting it wherever in as little space as possible. On a JS-heavy page, a user would probably never notice.
      The whole DOMs state is there for the taking, a screenshot feature will just make it simpler, but not impossible, to code.

    2. Re:Link history plus screenshots of iframe content by Gavagai80 · · Score: 1

      Only styling visited links on the same domain would be breaking the feature. The point is to be able to read a page of links and see quickly which of the linked websites you've already been to (if you're working your way through a list or the like). That said, I don't think this "exploit" should be fixed since all it can do is find out which of a small set of the most popular websites someone has been to... what can someone do with that, serve better targeted ads?

      --
      This space intentionally left blank
    3. Re:Link history plus screenshots of iframe content by Impy+the+Impiuos+Imp · · Score: 1

      Is he saying he can do all this by serving up, from, say, his server and web page, Javascript code that will figure out all this other stuff you do visiting other sites on the same session?

      If so, I suppose they could encapsulate each web domain so it can't interrogate the Java engine as a whole, i.e. yet another layer of virtual machine.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    4. Re:Link history plus screenshots of iframe content by dk400 · · Score: 1

      AFAIK, reading visited links by a user is pretty much worthless. It is not an attack per se. It is like my neighbor sees me throwing out a used empty milk can every week, and realizes I am gulping a milk can every week. What do you do with that ephemeral information? There are sites that I visit every day for just a few minutes and then there are sites that I spend more than 1 hour on a particular day and never return to for more than a week or two!

    5. Re:Link history plus screenshots of iframe content by 93+Escort+Wagon · · Score: 1

      Yes, at least as the linked story explains these vulnerabilities - he'd have to lure you to a page or else have code running on your computer to effect these attacks.

      Also, "reading any information he wants" seems to actually be "see which linked websites you've previously visited on this page I control" and "see the contents of iframes if I have a way to run some other code on your computer or have physical access to it".

      These could turn into serious vulnerabilities - but the summary contains significant hyperbole.

      --
      #DeleteChrome
    6. Re:Link history plus screenshots of iframe content by Anonymous Coward · · Score: 0

      That is only 1/2 of it. He uses that bit to know that you went to FB.

      Next he uses iframes and JavaScript again to load (hidden from your view) an iframe with Facebook in it, and screen scrapes, using canvas or SVG magic, the content of pages from Facebook. If you didn't log out when you left (or you're logged in in another window) he can get information like your friends list or contact information. He claims in the paper he did this for getting contact information from Google+. Now he knows where your milk lives and who you just had milk with.

      Imagine he uses this on your bank's website after you went to check the balance or pay your mortgage. Now he knows how much you spent on milk (and your account information).

  17. css change? by minstrelmike · · Score: 2

    What if I just change the css so visited and unvisited links are identical?
    Would js then redraw anything at all?

    1. Re:css change? by Noishe · · Score: 2

      yeap. the issue is the browser code, which essentially boils down to:
      ---
      draw link with normal style
      lookup link in visited database
      if link exists in database
          then draw link with visited style
      ---
      The problem is that visited links get drawn twice, while non-visited links get drawn once. It doesn't matter if the links are styled the same or not, as the browser will still go through the motions, and take additional time in the visited case.

      The browser doesn't care if the styles are both the same or not. If it did care, then it would have to do an additional comparison on every style that will change how the link is drawn, which would just be too slow.

    2. Re:css change? by Anonymous Coward · · Score: 0

      If you do that you are following current web design trends!

    3. Re:css change? by JDG1980 · · Score: 2

      yeap. the issue is the browser code, which essentially boils down to:

      • draw link with normal style
      • lookup link in visited database
      • if link exists in database
      • then draw link with visited style

      Wouldn't the obvious solution be to change the order to lookup the link first, and if the link exists in the visited database, then draw it with visited style, else draw it with unvisited style? That shouldn't be any slower (since the DB has to be checked anyway) and it would eliminate the timing attacks discussed here.

    4. Re:css change? by VortexCortex · · Score: 2

      Yes. When they say that there's "no easy way to fix" something, they mean it would require that one of the coders writing web browsers not be fucking idiots. However, history has proved this impossible.

    5. Re:css change? by mstefanro · · Score: 1

      They are merely saying that there is no general fix against iframe timing attacks. You can fix individual attacks (such as the visited links one). However, it is likely that ingenious hackers with plenty of time on their hands will find other rendering operations which reveal information when timed. The coders cannot simply add random sleep()s to all conceivable operations that the browser performs; browsers nowadays are slow enough as it is.

    6. Re:css change? by Anonymous Coward · · Score: 0

      Well, you could always virtualize the timer... who cares if some stupid script doesn't know the exact time at nanosecond resolution?

  18. CSP by Anonymous Coward · · Score: 0

    Sites have Content Security Policy HTTP headers they can set to prevent being put into an iFrame.
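
The header the comment above refers to is the CSP `frame-ancestors` directive (in 2013 still new; `X-Frame-Options` was the mechanism browsers had shipped for years, and a site that cares sends both). What follows is an added example, not code from the Slashdot thread or from any browser: a small model of how a browser evaluates those two headers against the origin trying to frame a page, so you can check what a given policy actually lets through. It handles `'none'`, `'self'`, scheme-only sources and host sources with an optional `*.` wildcard and port; it ignores paths (only origins are compared) and checks a single embedder rather than the whole ancestor chain. The origins in the comments and tests (`bank.example`, `partner.example`) are made up. Note what this does and does not buy you in the attack described in this thread: it blocks the second half, loading the victim site in a hidden iframe, but only for sites that send the header, and it does nothing about the visited-link timing probe, which needs no frame at all.

```javascript
// Added example, not code from the Slashdot thread or from any browser:
// a model of how a browser applies the CSP "frame-ancestors" directive and
// the older X-Frame-Options header when deciding whether another origin may
// load a page in an <iframe>. Handles 'none', 'self', scheme-only sources
// ("https:") and host sources with an optional "*." wildcard and port.
// Paths are ignored because only origins are compared.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Headers a site sends so that no other origin can frame it. A browser that
// understands frame-ancestors ignores X-Frame-Options when both are present;
// the second header is only there for browsers that predate CSP Level 2.
function antiFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Effective port of a parsed origin ('' if the scheme has no default).
function portOf(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || '';
}

// Source list of the frame-ancestors directive, or null when the policy has
// no such directive (in which case CSP says nothing about framing).
function frameAncestorsSources(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Does one source expression match the embedder's origin? `self` is the
// origin of the framed page itself.
function sourceMatches(source, embedder, self) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return embedder.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src; // e.g. "https:"

  // host-source: [scheme://][*.]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?(\*|[a-z0-9.-]+)(?::(\*|\d+))?(?:\/.*)?$/.exec(src);
  if (!m) return false;                 // an unparseable expression matches nothing
  const [, scheme, wildcard, host, port] = m;

  // Without an explicit scheme the embedder must use the page's own scheme.
  const wantScheme = scheme ? `${scheme}:` : self.protocol;
  if (embedder.protocol !== wantScheme) return false;

  const ehost = embedder.hostname;      // URL already lower-cases it
  if (host === '*') {
    // any host
  } else if (wildcard) {
    if (!ehost.endsWith(`.${host}`)) return false;
  } else if (ehost !== host) {
    return false;
  }

  if (port === '*') return true;
  if (port !== undefined) return portOf(embedder) === port;
  return portOf(embedder) === DEFAULT_PORTS[embedder.protocol]; // no port given: default port only
}

// Decide whether a page served from `pageOrigin` with `headers` may be framed
// by `embedderOrigin`. Real browsers check every ancestor frame; this checks
// one embedder. Origins below are made up for the example.
function mayBeFramed(headers, embedderOrigin, pageOrigin) {
  const embedder = new URL(embedderOrigin);
  const self = new URL(pageOrigin);
  const header = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };

  const csp = header('content-security-policy');
  const sources = csp === undefined ? null : frameAncestorsSources(csp);
  if (sources !== null) {
    // frame-ancestors wins over X-Frame-Options; an empty list blocks all.
    return sources.some((s) => sourceMatches(s, embedder, self));
  }

  const xfo = header('x-frame-options');
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return embedder.origin === self.origin;
    // ALLOW-FROM is obsolete and anything else is invalid; browsers do not
    // enforce those values, so the page remains frameable.
  }
  return true;                          // no anti-framing header at all
}
```

The one thing worth remembering from running it: with `frame-ancestors 'self' https://*.partner.example`, the bare `partner.example` origin is not allowed (the wildcard requires a subdomain), and a non-default port on the embedder fails unless the expression names that port or `*`. Those are the two places where a policy tends to be either wider or narrower than its author intended.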

  19. harsh reality of bad technology by Anonymous Coward · · Score: 0

    Yep, just like "word".
    Just everybody uses "word" and only "word".
    HorsePucky!
    Like I told the vendors putting crap Flash and crap JavaScript on their www sites; you put crap which prevents me and the purchasing agent from buying your stuff with ease then I will go to another product and include a note in the specifications NOT to buy anything from you because your knowledge and use of technology SUCKS!
    Find an alternative - do not 'buy' from asshats!
    And while you are at it - stop voting for anybody who continues to allow the monies stolen from you using the crapitalist "tax code" to buy proprietary software.

  20. Re:No simple Fix? Turn off JavaScript. by maxwell demon · · Score: 2

    That's akin to turning off Flash to get rid of ads. Sounds like a good - no, great - idea, until you run into the problem of so many sites depending on it.

    Not very many sites depend on Flash. Mainly video and online game sites. And there's always the option to whitelist.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  21. Not too bad if developers do things right by TomGreenhaw · · Score: 1

    If you do things in a secure manner (e.g. OWASP top 10) this should not be a big deal. Turning off JavaScript IMHO is awfully extreme and few would do it anyway. Obviously iFrames should be used judiciously because they open you to a potential for cross site scripting and other undesirable things on your site. Awareness that linking to public libraries is intentional cross site scripting is critical too. Pre-populating content and controls from user supplied text must be filtered, and fields like passwords, credit card numbers and sensitive personal information should never be pre-populated. Thinking that your site visit history is private even without this attack is grossly delusional, as there are already many ways this is tracked, e.g. ad retargeting and Chrome not in incognito mode.

    --
    Greed is the root of all evil.
    1. Re:Not too bad if developers do things right by Anonymous Coward · · Score: 0

      You missed the point. This isn't about iframes on your site being exploited. This is you go to a malicious site after going to your bank site.

      The malicious site then links to all known bank sites in an iframe, and watches how many "frames" it takes to draw the links. If a linked page takes longer to load, then it means the browser is redrawing the link, and the site has been visited in recent history. That isn't the end of it though. A second attack is then used against that site (which he knows you were at in the recent past), opening it in another iframe and capturing the rendered content of that iframe and sending it back to the malicious site.

      So it can see the logged in information on the bank page you visited a moment ago, because you, Average Joe, didn't log out.

  22. It's simple, we kill the Batman by jfdavis668 · · Score: 1

    I'll solve this for half.

  23. This is great news! by StripedCow · · Score: 3, Interesting

    The attack works on all of the major browsers and researchers say there's no simple fix to prevent it.

    This may mean that the web will finally be properly redesigned from scratch, using modern insights!
    It's about time!

    I, for one, am looking forward to running webpages in near-native-speed virtual-machine sandboxes!

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
    1. Re:This is great news! by Anonymous Coward · · Score: 0

      > This may mean that the web will finally be properly redesigned from scratch, using modern insights!
      > It's about time!

      > I, for one, am looking forward to running webpages in near-native-speed virtual-machine sandboxes!

      Yeah, and all corporate encryption and NSA backdooring you can handle, right?

      Most likely, whatever follows will rely on security thru obscurity more than being open to all. It won't *actually* be more secure, but it will have more theater surrounding it, so it will *sound* better.

    2. Re:This is great news! by Anonymous Coward · · Score: 0

      No, the proper solution is to say 'javascript may not be served by pages, it may only be served by the browser a la Greasemonkey.' You want your site to have a 'Like this!' button? Well then you put a '<div class="like-this" />' on the page and hope the user has deigned to have a 'like-this.js' applied to all pages that reads such div elements. The web worked just fine before drop-down menus, it can work just fine without javascript. The end result will be a semi-standard javascript library that many browsers provide, and a requirement that web developers get their heads out of their asses and design pages to communicate information, not st[r]oke their own egos.

      (Plus, we'll see minuscule speed improvements because all js will be effectively cached. Nothing like, say, the speed improvements of reducing image sizes by 0.01%, but still there.)

  24. A JavaScript Fix by Anonymous Coward · · Score: 0

    First, in the JavaScript for a page, set the window.name property. Then you can use the anchor tag a little bit differently from normal. In my experiments I have never seen this kind of link get colored anything other than the specified blue; therefore it must be failing the browser's find-it-in-database-of-visited-pages test.

    Here is the code without the first and last angle-brackets:

    a id="SLASHD" onclick="window.open('http://slashdot.org','CurrentWindowPageName');" style="color:#0000ff;text-decoration:underline;cursor:pointer;">Slashdot Home Page
    And here is what the link looks like with the first and last angle-brackets:

    Slashdot Home Page

    This particular code is probably not workable on a Slashdot page because "CurrentWindowPageName" is not the correct name.
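
The poster's observation is correct as far as it goes: an `<a>` element with no `href` attribute is not a hyperlink, so neither `:link` nor `:visited` ever matches it and the browser has no visited-history lookup to do for it. Two caveats a practitioner would add. First, this only changes how a site's own links render; the probe described elsewhere in this thread runs on the attacker's page, with links the attacker chooses, so dropping `href` on your site does not stop anyone from learning that the user has been there. Second, building `onclick="window.open('...')"` by pasting a URL into an inline handler is an injection point the moment the URL comes from anywhere untrusted. Below is an added example, not the poster's code, that keeps the no-`href` idea but moves the target into a `data-href` attribute with HTML escaping, accepts only absolute http(s) URLs (so a `javascript:` value can never reach `window.open`), and uses one delegated click handler instead of inline script. The `plainlink` class name and the `installPlainLinkHandler` function are inventions of this example; the document and window objects are passed in as parameters so the handler can be exercised with fakes outside a browser.

```javascript
// Added example, not code from the Slashdot thread: the poster's idea of an
// <a> element with no href (so neither :link nor :visited can match it),
// rebuilt without the inline onclick="window.open('...')" attribute. The
// target lives in a data attribute with HTML escaping, only absolute http(s)
// URLs are accepted, and a single delegated click handler opens the link.
// The class name "plainlink" is an assumption of this example.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Return the normalised URL if it is absolute http(s), otherwise null, so a
// value such as "javascript:alert(1)" can never reach window.open().
function safeHttpUrl(target) {
  let u;
  try {
    u = new URL(target);
  } catch (e) {
    return null;                       // relative or malformed: reject
  }
  return ALLOWED_SCHEMES.has(u.protocol) ? u.href : null;
}

// Render a link-like element that carries no href attribute. Throws on an
// unsafe target rather than silently emitting a dead element.
function renderPlainLink(target, label) {
  const href = safeHttpUrl(target);
  if (href === null) throw new Error(`refusing non-http(s) target: ${target}`);
  return `<a class="plainlink" data-href="${escapeHtml(href)}" tabindex="0">${escapeHtml(label)}</a>`;
}

// Page-side handler: one listener for every plainlink on the page. `doc` and
// `win` are passed in so the function can be exercised with fakes outside a
// browser; in a page call installPlainLinkHandler(document, window, name).
function installPlainLinkHandler(doc, win, windowName) {
  doc.addEventListener('click', (ev) => {
    const el = ev.target && ev.target.closest ? ev.target.closest('a.plainlink[data-href]') : null;
    if (!el) return;
    const href = safeHttpUrl(el.dataset.href); // re-check: the DOM may have changed since render
    if (href === null) return;
    ev.preventDefault();
    win.open(href, windowName);
  });
}
```

The re-check inside the click handler is deliberate: the attribute was safe when rendered, but anything that can write to the DOM later (another script on the page, a browser extension) could change it, and `window.open` is the sink that matters.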

  25. Slashdot Uses JavaScript by DERoss · · Score: 1

    The Slashdot Web site makes extensive use of JavaScript. If the article is accurate, does that mean Slashdot will abandon such use?

  26. safety is an illusion anyway by Connie_Lingus · · Score: 2

    you know...the locks that (supposedly) protect you and your loved ones and valuables can be easily picked by people with just a tad bit of training and practice...

    terrorists will strike again and kill lots of people but the odds are beyond tiny it will be you or anyone you know...

    the internet is loaded with potential threats and *maybe* someone will actually build a real site that does everything the article says it can...

    I guess I'm just sick of kneejerk "omfg something is possible so let's all freak out and throw away our freedoms and turn off our browsers and blah blah blah". We live in a world where yes, you just might die in your bed when a giant sinkhole opens up underneath you, and you know what?? That's ok... what's better, that we build a giant police state that gives the illusion of security?

    oh yeah...the u.s. IS doing that...never mind.

    --
    never bring a twinkie to a food fight.
    1. Re:safety is an illusion anyway by Anonymous Coward · · Score: 0

      Umm there is a subtle difference between "locks" and malicious code.

      Once code gets into the open, anyone (think not just experts, but also script-kiddies) can employ it on a large scale, using botnets. Such code may immediately threaten all of us.

    2. Re:safety is an illusion anyway by Anonymous Coward · · Score: 0

      This isn't about safety, it's about security.

      Locks aren't 100% effective, that doesn't make it a good idea to not have one and sleep with your front door left open.

      [The analogy doesn't even make sense anyway; software can be mathematically perfect, hardware and physical things cannot]

  27. discussed three years ago by Joining Yet Again · · Score: 3, Informative

    This sort of timing attack was discussed three years ago on the Mozilla blog.

    Could someone elaborate on exactly what hasn't been fixed for the Mozilla-based browsers? Dunno about the rest.

  28. because they aren't reading security news, or oops by raymorris · · Score: 1

    It's a bad idea, and anyone who studies web security knows that. That includes about 1% of web designers and developers. It seems that there are a lot of people building web sites who know all about color wheels, and don't know what CSRF stands for.

    I'm the opposite - I don't know what mauve is, while I have exploited browser vulnerabilities. I've also made errors before, probably much more significant errors than what you referred to.

  29. Is Flash for anything but ads and games? by raymorris · · Score: 1

    Now that 99% of video is on YouTube and therefore accessible via html5, is Flash actually used by any significant site for anything but games and ads? I guess a few porn sites use it for video?

    For about three years I haven't had Flash installed in my main browser and I haven't missed it. Maybe twice a year I open my other browser to see one of the above.

    1. Re:Is Flash for anything but ads and games? by Horshu · · Score: 1

      Unfortunately, I still run into sites that use it for something (including, believe it or not, navigation). I go for periods where I have it disabled, but eventually I want to read a site that requires it and wind up turning it back on. And JavaScript is much, much more pervasive (for example AJAX), making it nearly impossible to turn off.

    2. Re:Is Flash for anything but ads and games? by Anonymous Coward · · Score: 0

      Hulu.

  30. Re:No simple Fix? Turn off JavaScript. by 0123456 · · Score: 2

    That's akin to turning off Flash to get rid of ads. Sounds like a good - no, great - idea, until you run into the problem of so many sites depending on it.

    I uninstalled Flash a while ago. Other than youtube, I run into maybe one site a month that won't work without Flash, and they're clearly run by retards so I'm better off not going there.

  31. Ok by The Cat · · Score: 1

    Javascript could very well be the worst thing that has ever happened to computers.

    1. Re:Ok by Anonymous Coward · · Score: 0

      Yeah, forget ActiveX. Forget Flash. Forget viruses and malware. It's gotta be Javascript. Because you know, that's the hip thing to hate right now.

  32. JS is a well-known security disaster by Anonymous Coward · · Score: 1

    Security researchers have been warning that client-side browser JS is an utter security disaster for many, many years now, to little effect. Security-oblivious webbies are so overwhelmingly fascinated by their ability to control what remote users' browsers do that they just don't care about the security fallout and find all kinds of cute reasons to retain the status quo, and of course organized crime just loves every minute of it.

    This latest revelation is just another nail in client-side JS's coffin for anyone who is remotely security-conscious. The clueless and the willfully deaf will continue to use it though, it's inevitable, as JS use is increasing not decreasing. Organized crime will continue to reap the rewards. It's awesome if you're evil.

    1. Re:JS is a well-known security disaster by Anonymous Coward · · Score: 0

      Seriously, if you don't understand the real issues here, stop blaming them on the piece of tech you don't like the most. It is NOT Javascript that's the security disaster here, but rather the fact that JS is given access to a lot of data that could be used to mine information.

      It wouldn't matter WHAT language they use, it could be Go or Java or Amazing Future Web Language #23. The problem is the user-facing web stack, and how poorly we understand the security risks therein.

      You might as well blame Apple and Google for pushing HTML5 so quickly, before anyone could think the problems through. But you have a bone to pick with JS, apparently, so it's got to be the witch.

  33. Noscript + Adblock by Sarusa · · Score: 1

    I'll second (or fifth) the NoScript recommendation. Yes, NoScript can be a bit of a pain in the ass at times, but it sure trims down the amount of crap that runs. JavaScript wasn't designed with security in mind, so it'll never be secure - they can only spackle over the cracks. Best you can do is minimize how much runs in the cesspit of the Internet. I also find that I only have to allow it for a few regular sites, so once you're past that there's not much maintenance. Most sites still work without it, even if you don't get all the features - for instance, /. is working fine with no JavaScript allowed at all.

    If you don't want the hassle at least install Ghostery and turn off the GhostRank. Most sites are pulling in random JS from 6-12 other sites for tracking/ad/social purposes.

    And since most browser malware is delivered by drive-by ads (often through legitimate ad networks who don't realize it), add Adblock to keep those out.

    It's also a prophylactic prevention against whatever new zero-days come along since they very rarely can do anything without JS or Flash. I guess we'll see what happens with HTML5...

    I'm always amazed when I see someone else go to the same sites I go to and there is SO MUCH CRAP that you can barely find the content. To me that also makes the NoScript hassle worth it.

  34. Re:No simple Fix? Turn off JavaScript. by Anonymous Coward · · Score: 0

    But a few years ago, a bunch of people had that idea, and now you don't really run into the problem of 'site X depends on Flash'. I can't remember the last time I really needed Flash, it must have been last year, and I even use video streaming sites.

  35. Doesn't CORS address this? by Anonymous Coward · · Score: 0

    I should RTFA, but it seems unnecessary... LOL. Yes?

  36. Java script by Anonymous Coward · · Score: 0

    Mine is turned off on my surfing machine.
    It only prevents me from making comments on some sites I don't care about.

    I have another machine whose sole purpose is to bank.

  37. Re:browser frames by Anonymous Coward · · Score: 0

    I remember that before there were iframes there was a cool browser that let you make as many frames from multiple sources as you wanted, and did it all on a 486 with 8MB of RAM. Sadly AOL bought it and killed the tech.

    Not sure what browser you're referring to, but KDE's Konqueror browser can do that and is still being developed. Also supports different html engines and can be used as a file manager, too.

    For example, here's a screenshot of Konqueror showing the same page (google.com) in three different views: khtml (left), webkit (right bottom), and embedded text editor with syntax highlighting (right top).

  38. Alternate easy fix (leaves JS running) by Skapare · · Score: 1

    Use a totally separate browser context for each different place you want to carry out secure, JavaScript-based, web activities. Although there are other ways (need a little coding), the simplest way to do this is just create multiple users (on your own computer), each designated for visiting the places you need security (one for each bank account, one for each retailer, one for access to work related stuff, etc). Browsers do have special features to do this kind of thing, but I have found they are not as separately isolated as I would like. I'm not so paranoid (yet) to use separate virtual machines, but others might. Three letter agencies are known to use physically separate machines.

    --
    now we need to go OSS in diesel cars
  39. 'Simple Fix' by Anonymous Coward · · Score: 1

    That's the real issue ... everyone wants a 'simple fix'. There is not sufficient patience to come up with a real fix. That goes for browser/web security as well as a number of other things that could be substituted in here (economies, gov't policies, etc.).

    The simple answer is that a simple fix is not what we should be looking at. The real answer starts to get a lot more complicated.