New time-measuring features in HTML5 can be exploited by malicious websites to illicitly peek at pages open on a victim's browser, it is claimed. Security researchers at Context Information Security have figured out how to precisely observe the speed at which CSS and SVG graphics are drawn on screen to extract sensitive data …
Back in the frame for yet another bit of jiggery-pokery.
Why am I not surprised.
iframes = evil
Having just skimmed the whitepaper, it looks like you could just as easily do the same thing with a hidden div or any element which is positioned off screen.
All goes to show that adding more power (without thought) in the browser results in security problems.
Microsoft added the largest amount of power in IE years ago, giving the browser access to ActiveX and all manner of things. It was a nightmare from a security perspective.
This will be interesting...
After all, it took almost ten years before the original CSS history hack was finally patched across all mainstream browsers.
There's an obvious problem here. Security researchers tend not to be browser developers. Browser developers tend not to be security researchers. Browser developers implement security-critical software... see what I mean?
Solving this problem is going to be difficult. Either:
- make every operation take the same amount of time
- randomise the time taken, which will hit performance and would be vulnerable to attack anyway (how good are random number generators anyway?)
- forget the whole thing altogether
Or maybe disable JS and avoid exposing yourself to a goodly collection of known vulnerabilities, and an unknowably large slew of yet-undiscovered ones.
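An added model of the "coarsen the timer" option from the list above, not code from the article or any commenter: it shows what a clock clamped to a coarser resolution does to the sub-millisecond gap a rendering timing channel relies on. Times are integer microseconds and every duration and start offset is a constructed number, not a real render measurement.

```javascript
// Added example, not code from the article or any commenter: a model of the
// "coarsen the timer" mitigation. Times are integer microseconds and every
// duration is a constructed number, not a real render measurement.

// Round a timestamp down to the clock's resolution, the clamp browsers
// later applied to performance.now() against timing side channels.
function quantize(tUs, resolutionUs) {
  return Math.floor(tUs / resolutionUs) * resolutionUs;
}

// The duration an observer reads for a frame that truly started at
// `startUs` and truly lasted `durationUs`, through a clock of `resolutionUs`.
function observedDuration(startUs, durationUs, resolutionUs) {
  return quantize(startUs + durationUs, resolutionUs) - quantize(startUs, resolutionUs);
}

// Fraction of frames (started at the given offsets) where a single reading
// tells a frame of length `aUs` from one of length `bUs`: readings that
// differ count as separated.
function separableFraction(aUs, bUs, resolutionUs, startsUs) {
  let separated = 0;
  for (const s of startsUs) {
    if (observedDuration(s, aUs, resolutionUs) !== observedDuration(s, bUs, resolutionUs)) {
      separated += 1;
    }
  }
  return separated / startsUs.length;
}

// Constructed scenario: two render paths 20 microseconds apart, the kind of
// gap the article says a microsecond-resolution timer can resolve.
const FAST_US = 300;
const SLOW_US = 320;
// Constructed frame start times, one per microsecond across one millisecond.
const STARTS_US = Array.from({ length: 1000 }, (_, i) => i);

// Compare a 5 microsecond clock with a 1 millisecond clock on the same frames.
function demo() {
  return {
    microsecondClock: separableFraction(FAST_US, SLOW_US, 5, STARTS_US),
    millisecondClock: separableFraction(FAST_US, SLOW_US, 1000, STARTS_US),
  };
}

console.log(demo()); // { microsecondClock: 1, millisecondClock: 0.02 }
```

The residual 2% comes from frames that straddle a millisecond boundary, which is why coarsening on its own is a weak fix and the second option in the list, adding jitter, ended up alongside it in real browsers.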
Just turn off js - most of the web still functions passably, and a lot quicker- and use a VM for when you really need it. Works for me.
> Just turn off js
Just try, oh I dunno... this
Plenty of sites still work, and those that don't, well (shrug[*]). It won't get any better if people keep adapting themselves to others' bad practices where it even puts themselves at risk. Reward bad behaviour and you get more of it.
[*] and I did suggest using a VM where necessary
A VM isn't going to do squat for concealing your Internet-facing IP (the VM still has to go through the ISP), and if the Feds can trace an Onion route, tracing through another proxy will be a cakewalk to them.
> A VM isn't going to do squat for concealing your Internet-facing IP
Obviously, and I never said it would. Using a VM sandboxes dodgy JS behaviour away from your real machine, that's all. Also allows it to roll back to clean states for extra security.
> As for removing JavaScript, so much of the Internet now uses stateful interaction
And will continue to do so while people like you allow their unnecessary indulgences.
> that doesn't involve [...] cookies
Cookies stay on my machine just long enough to do what I want, like posting here, then get nuked. And I don't have Java, Flash, Silverlight or whatever. Cookies are fine, just kill them after.
Come on, fight back. It looks like you aren't prepared to do the smallest thing if it inconveniences you.
FFS MS used to deliberately obscure their sites unless you had JS running (even plain text!), but they've woken up now. Things *can* change.
*come on* stop being so goddamn passive.
Back in the very earliest days (beta 1.0) of VMware Workstation, the first thing I did with the beast was create a virtual machine and stuff Windows in it. Then I took that and created a "golden master" (password-protected zip). From then on, that was my tool for the web and, as you say, I simply powered it down at the end of a session, no save. It's not rocket science, or maybe it is but I have no idea why. And yes, I can do nuclear engineering or even rocket science just fine, thank you.
Why aren't we doing this with ALL problematic software? Or for work/play separations? For F's sake, it's been a decade and a half. The hardware is there, even on my first-gen Nexus 7 let alone something heftier.
Re: This is 2013
Yes, and I should now have the power to decide what runs on my machine and what doesn't.
There are sites that are entirely made of Flash animations - I can still decide whether or not I want to see them. If I don't, I am aware that I will not access any site content. My choice.
It's about choice.
Re: This is 2013
"It's about choice."
The trouble with choice is that it goes BOTH ways. The provider will demand a price for entry, and if you don't like it and it's the only provider, do the letters SOL ring a bell?
As for VMs, haven't there been VM sniffers, breakout exploits, and Ring -1 malware popping up from time to time? Any of those can mean they break through the VM onto your actual machine, where they can wreak havoc from there.
Are they really claiming that it takes the browser different lengths of time to draw each letter? How odd, I would not have expected that.
If you're measuring time to the MICROsecond (as the article proposes), then differences CAN be determined.
Letters do take differing amounts of time to render, in that the source of the pixel data is vector-based and the time taken to process the maths to rasterise each letter is unique.
Re: Letters? @ Robert Heffernan
Text is not rendered like that at all (AFAIK it's rendered that way to a buffer, once per character per typeface in use, then block copied to the visible display on demand, else it would be unbearably slow), and from my *very* quick skim of the paper, that's nothing to do with how this attack works.