Old School 'Sniffing' Attacks Can Still Reveal Your Browsing History (vice.com)
An anonymous reader quotes a report from Motherboard: Most modern browsers -- such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox) -- have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user's web history, per new research from the University of California San Diego. What's worse, the vulnerabilities are built into the way they structure links, meaning that major structural changes will have to take place in these browsers in order to protect user privacy. The only browser that was immune to the attacks was Tor Browser, as the browser does not keep track of a user's internet history.
The vulnerabilities have to do with why, for instance, unclicked links appear blue while visited links appear violet: there's a different set of rules and style that apply to links depending on whether they've been visited or not. However, a bad actor building a web page can manipulate this faster loading time for visited links by "sniffing," or inferring your browsing history. In essence, sniffing is finding and exploiting proxies that reveal your web history. As outlined in the UC San Diego report, this sniffing could happen in a couple of ways: they could force the browser to reload multiple complex images or image transformations that differ based on whether you've visited a link or not, which would create drastic differences in the loading time for each. With this strategy, actors can test 60 sensitive URLs per second. Bad actors could exploit a "bytecode cache," which speeds up the loading time for revisiting a link that you've already visited. "By embedding a special script in a web page, the actor can test how long it takes for a web page to load and infer whether you've visited it or not," reports Motherboard. "Actors can probe 3,000 URLs per second with this method. When the vulnerability was reported to Google, the company marked the issue as 'security-sensitive' but 'low-priority.'"
...option not work for you in Firefox? I have that option set, and it appears to work for me. I have several other Firefox security settings turned ON (e.g., "Block cookies from unvisited websites", and "block popup windows"). (And, no, I won't show you the entire phalanx of Firefox settings I'm using :-) )
I'll admit that some people see all these options as daunting...but I'll wager they have a neighbor or colleague who can set it up for them...and show them how to propagate those settings to all other instances of Firefox in their home network.
This is a side-channel timing attack which is of low importance because it only allows an attack site to ask if you have been to a site or not. It cannot see your history, just if you have visited a site in the recent past. At best this could inform an attacker if you are a target of interest.
However, this could be of interest to advertisers who want to probe if you have visited their site or maybe a competitor's site. Though chances are they already know that so it's likely not worth the trouble.
Anons need not reply. Questions end with a question mark.
How about disabling browsing, download, search and form history, forcing the browser to get a fresh copy of every page even if you've previously visited, and clearing everything when you close the browser at night.
Good luck trying to find my browsing history.
NoScript perfectly protects against this, and hopefully the websites that I've whitelisted won't use these tricks to sniff out my browsing history.
Inferting may be the only mode of inquirty that can help us unprehend why the giant Alaskan king crabs scuttling around on the power lines outside my home snatch only Canadian aircraft out of the sky. My sublime but rascally sefl wants to infert your devience from your browsing history, along with your last 4 digits
Just the washing instructions on life's rich tapestry