Yahoo! crypto! queen! turns! security! code! into! evil! tracker!

Yahoo! crypto ace Yan Zhu has found twin attacks that allow websites to learn the web histories of visitors by targeting HTTP Strict Transport Security (HSTS). The timing attack, which works regardless of cookie clearing, was demonstrated on Firefox and Chrome last Sunday at the Toorcon security conference. The attack …

  1. Anonymous Coward
    Anonymous Coward

    Slug timing

    At first glance it seems like the browser needs to use a plausible random delay to hide those 1 millisecond HSTS responses. The values would have to look no different from those currently being served for other URLs. Better to have slower responses than provide tracking information.

    1. Anonymous Coward
      Anonymous Coward

      Re: Slug timing

      In the pdf she mentions that the Tor 100ms timing buckets help defeat this attack.

    2. Michael Wojcik Silver badge

      Re: Slug timing

      Whitening is indeed a standard defense against timing-channel attacks, and this is a timing-channel attack. Basically, it's traffic analysis via the timing channel, using a mechanism to force the user agent (browser) to exercise that channel.

      It's nice work.

      I particularly like how it shows that the usual argument from the HTTPS-everywhere crowd for encrypting static content - that it conceals browsing history - is actually rather weak, because it's expensive to identify and mask all the side channels. That doesn't mean that there's no benefit under some plausible security models for encrypting static public content, just that it's not nearly as simple as the "MOAR HTTPS" cheerleaders would have it.
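The "whitening" and "100ms timing buckets" mentioned in the two comments above, shown as an added example (not code from the article, the commenters, or Zhu's proof of concept): constructed sample durations for an HSTS-short-circuited request versus one that goes to the network, and how much a timing classifier can still tell apart once the browser only exposes coarse timer values.

```javascript
// Added example: why coarse-grained timers blunt the HSTS timing channel.
// All durations below are constructed for illustration, not measured.

// Constructed durations (ms) for a request that the browser short-circuits
// because of a cached HSTS entry, versus one that actually hits the network.
const HSTS_HIT_MS  = [0.8, 1.1, 0.9, 1.3, 1.0, 0.7];
const HSTS_MISS_MS = [38.2, 41.5, 44.9, 36.7, 52.3, 40.1];

// Model a clock with `bucketMs` resolution: the page only ever sees the
// duration truncated to a multiple of the bucket (100 ms is the Tor figure
// quoted in the thread).
function quantize(ms, bucketMs) {
  return Math.floor(ms / bucketMs) * bucketMs;
}

// Best single threshold separating the two populations. Returns the fraction
// of samples classified correctly: 1.0 means perfectly distinguishable,
// 0.5 means the timing carries no information (a coin flip).
function separability(hits, misses) {
  const all = [...hits, ...misses].sort((a, b) => a - b);
  let best = 0.5;
  for (const t of all) {
    const correct =
      hits.filter(x => x < t).length + misses.filter(x => x >= t).length;
    best = Math.max(best, correct / all.length);
  }
  return best;
}

// How much the channel leaks when the browser's clock has `bucketMs` resolution.
function channelStrength(bucketMs) {
  const q = xs => xs.map(x => quantize(x, bucketMs));
  return separability(q(HSTS_HIT_MS), q(HSTS_MISS_MS));
}

// channelStrength(1) -> 1.0 (millisecond clock: perfectly separable)
// channelStrength(100) -> 0.5 (100 ms buckets: every sample lands in bucket 0)
```

Coarse timers raise the cost of the measurement rather than removing the channel outright, which is why the comment says the buckets "help defeat" the attack; a random delay (whitening) added on top pushes the same direction.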

  2. Your alien overlord - fear me

    OMG - is nothing sacred on the internet?

    1. Anonymous Coward
      Big Brother

      OMG - is nothing secret on the internet?

      FTFY ;o)

      ...and the answer is no. By design.

      1. I. Aproveofitspendingonspecificprojects


        OMG - nothing is secret on the internet?

        FTftFY ;o((

        It failed utterly with your browser

        You tried it but it gave me a huge list of places I ....whoops. Let you rephrase that.

  3. Arthur the cat Silver badge

    It failed utterly with my browser

    I tried it and it gave me a huge list of places I haven't been, some I'd never heard of, others I'd definitely visited, and couldn't tell me a single place I'd been. Just one data point I know, and maybe my browsing habits are unusual, but obviously it's not going to work on everyone.

    FF + AdBlock Plus + NoScript.

    1. Anonymous Coward
      Anonymous Coward

      Re: It failed utterly with my browser

      Didn't do well for me either:

      Please disable HTTPS Everywhere for best results.

      Sites you've probably visited:

      PS: Tell Obama to support strong encryption! Sign the petition at savecrypto.org.

      www.kickstarter.com

      kat.cr

      www.avforums.com

      madmimi.com

      www.maketecheasier.com

      www.reddit.com

      launchpad.net

      That's the complete list of sites I'm supposed to have visited. Only heard of three of them and don't think I've visited more than two. A quick scan over the sites I "haven't visited" and I spied Wikimedia and Yahoo domains which both happened to be open in other tabs during the test.

      Seems to confirm the implication HTTPS Everywhere might actually do something worthwhile! B)

      FF (Linux) + AdBlock Plus + NoScript + HTTPS Everywhere + HOSTS from someonewhocares

    2. Anonymous Coward
      Anonymous Coward

      Re: It failed utterly with my browser

      "FF + AdBlock Plus + NoScript."

      Same here, with similar results. But in my FF webdev profile (without blockers) the attack most definitely DOES work.

      My somewhat biased interpretation: this just goes to show you can't expect security from security-theatre crap like HTTPS and HSTS.

      1. Michael Wojcik Silver badge

        Re: It failed utterly with my browser

        My somewhat biased interpretation: this just goes to show you can't expect security from security-theatre crap like HTTPS and HSTS.

        I have low expectations of HTTPS and HSTS, and I've posted here before about my dim view of HTTPS Everywhere. But this sentence simply isn't accurate. HTTPS does address a large number of threat branches under various sensible threat models, and HSTS addresses a few more. As a term of art, "security theatre" (or "theater") usually refers to purported countermeasures that don't apply substantially to any reasonable threat model.

        HTTPS may be overrated, and like any security mechanism it's not a panacea. (In many web attack contexts it's not even applicable; it doesn't make any difference at all.) But that doesn't mean it's useless.

        Security is a matter of economics: relative cost and benefit to attacker and defender under a threat model. HTTPS shifts cost from defender to attacker for a significant class of attacks under the most common threat models for web use.

        1. Anonymous Coward
          Anonymous Coward

          Re: It failed utterly with my browser

          Slightly exaggerated, not inaccurate. Just like post-9/11 airport security, HTTPS isn't completely useless as a defense/deterrent. I just switched another site over to HTTPS yesterday. It'll make the backend slightly harder to hack, and the cost was relatively low, but the *appearance of safety* was the main driver.

          Serious web security improvements are only possible by rebuilding these sites, purging the fad crap (CMS, web 2.0, social, analytics, 3rd-party JS), not collecting user info... generally reducing the attack surface, exploit value, and complexity. HTTPS isn't part of that, it's just a band-aid.

    3. Anonymous Coward
      Anonymous Coward

      Re: It failed utterly with my browser

      Also a giant fail. The site gave only one correct site I visited (www.wikipedia.org) and several incorrect ones. It listed a zillion sites I allegedly never visited, including www.yahoo.com which I recently visited and finally got stuck after listing www.victoriassecret.com (correctly as not visited).

      FF + Mozilla Tracking Protection + Privacy Badger.

      1. Anonymous Coward
        Anonymous Coward

        Re: It failed utterly with my browser

        Poor reliability here too.

        I got plenty of false positives, a few false negatives and a stack of true negatives.

        One of the sites it listed was letsencrypt.org, as having "not visited"… I had the tab open and had clicked a few links moments before loading the "proof of concept".

        NoScript and WebDeveloper being among the only extensions I have that are likely to impact this.

  4. Adam 1

    Good thing they can't tell that I've been to the El Reg forums.

  5. Stevie

    Bah!

    Well, not fer nuthin but you've been anywhere the target site makes you go.

    I had to get my work account unlocked when I was caught trying to access gun sites more than three consecutive times and the robot said no more interwebs for me.

    I actually accessed the University of Wisconsin's site once.

  6. Mage Silver badge

    Wikipedia commons user sites?

    I think for read once and cache locally mediawiki installs using wiki commons from mother ship the HSTS is used. I got cryptic emails from Mediawiki last night about HTTPS only and need for HSTS on Wikipedia.

  7. Anonymous Coward
    Anonymous Coward

    Nice to see a lady doing this kind of work in an area that still seems to an outsider very male dominated.

  8. spam 1
    Facepalm

    El Reg RSS

    Hey El Reg web devs... Every time you post an article that has HTML in the title, I end up with HTML entities in my feed. So every Yahoo article ends up looking like this (spaces added to prevent HTML parsing in the comment box):

    Yahoo< i>!< /i> crypto< i>!< /i> chap< i>!< /i> turns< i>!< /i> security< i>!< /i> code< i>!< /i> into< i>!< /i> evil< i>!< /i> tracker< i>!< /i>

    Could you strip out the HTML or stop double-escaping it in the XML? Thanks.

    1. Anonymous Coward
      Paris Hilton

      Re: El Reg RSS

      corrections@theregister.co.uk

      http://forums.theregister.co.uk/section/forums/vulture/reg_stuff/

  9. enerider
    Devil

    Looks like RequestPolicy throws it a curve-ball as well

    Since it looked like everything that was being checked got dumped into the "sites you've probably visited" column
