iframes
Back in the frame for yet another bit of jiggery-pokery.
Why am I not surprised.
iframes = evil
New time-measuring features in HTML5 can be exploited by malicious websites to illicitly peek at pages open on a victim's browser, it is claimed. Security researchers at Context Information Security have figured out how to precisely observe the speed at which CSS and SVG graphics are drawn on screen to extract sensitive data …
There's an obvious problem here. Security researchers tend not to be browser developers. Browser developers tend not to be security researchers. Browser developers implement security critical software.... see what I mean?
Solving this problem is going to be difficult. Either:
Or maybe disable JS and avoid exposing yourself to a goodly collection of known vulnerabilities, and an unknowably large slew of yet-undiscovered ones.
Just turn off js - most of the web still functions passably, and a lot quicker - and use a VM for when you really need it. Works for me.
Plenty of sites still work, and those that don't, well (shrug[*]). It won't get any better if people keep adapting themselves to others' bad practices where it even puts themselves at risk. Reward bad behaviour and you get more of it.
[*] and I did suggest using a VM where necessary
A VM isn't going to do squat for concealing your Internet-facing IP (the VM still has to go through the ISP), and if the Feds can trace an Onion route, tracing through another proxy will be a cakewalk to them.
As for removing JavaScript, so much of the Internet now uses stateful interaction. So unless you want the world to know what you're doing (because the only way to keep state that doesn't involve JavaScript and/or cookies is to encode it in the URL like in the OLD days), we're stuck with it.
> A VM isn't going to do squat for concealing your Internet-facing IP
Obviously, and I never said it would. Using a VM sandboxes dodgy JS behaviour away from your real machine, that's all. Also allows it to roll back to clean states for extra security.
> As for removing JavaScript, so much of the Internet now uses stateful interaction
And will continue to do so while people like you allow their unnecessary indulgences.
> that doesn't involve [...] cookies
Cookies stay on my machine just long enough to do what I want, like posting here, then get nuked. And I don't have java, flash, silverlight or whatever. Cookies are fine, just kill them after.
Come on, fight back. It looks like you aren't prepared to do the smallest thing if it inconveniences you.
FFS MS used to deliberately obscure their sites unless you had JS running (even plain text!), but they've woken up now. Things *can* change.
*come on* stop being so goddamn passive.
Back in the very earliest days (beta 1.0) of VMware Workstation, the first thing I did with the beast was create a virtual machine and stuff Windows in it. Then I took that and created a "golden master" (password protected zip). From then on, that was my tool for the web and, as you say, simply powered it down at the end of a session, no save. It's not rocket science, or maybe it is but I have no idea why. And yes, I can do nuclear engineering or even rocket science just fine, thank you.
Why aren't we doing this with ALL problematic software? Or for work/play separations? For F's sake, it's been a decade and a half. The hardware is there, even on my first-gen Nexus 7 let alone something heftier.
Yes, and I should now have the power to decide what runs on my machine and what doesn't.
I should be able to block JavaScript until I decide that I wish it to run. Telling me that there are more and more sites that use it is not an excuse. It should still be in my power to decide.
There are sites that are entirely made of Flash animations - I can still decide whether or not I want to see them. If I don't, I am aware that I will not access any site content. My choice.
It's about choice.
"It's about choice."
The trouble with choice is that it goes BOTH ways. The provider will demand a price for entry, and if you don't like it and it's the only provider, do the letters SOL ring a bell?
As for VMs, haven't there been VM sniffers, breakout exploits, and Ring -1 malware popping up from time to time? Any of those can mean they break through the VM onto your actual machine, where they can wreak havoc from there.
As for not allowing JavaScript or the like, so you never do any shopping or anything else that requires stateful interaction (a shopping cart is a stateful interaction, as in it keeps track of stuff)? The only way to do that without cookies or JS is to keep the session in the URL, which if you'll recall means it's open for hijacking.
Text is not rendered like that at all (AFAIK it's rendered that way to a buffer, once per character per typeface in use, then block copied to the visible display on demand, else it would be unbearably slow), and from my *very* quick skim of the paper, that's nothing to do with how this attack works.