Bad timing: New HTML5 trickery lets hackers silently spy on browsers

New time-measuring features in HTML5 can be exploited by malicious websites to illicitly peek at pages open on a victim's browser, it is claimed. Security researchers at Context Information Security have figured out how to precisely observe the speed at which CSS and SVG graphics are drawn on screen to extract sensitive data …

COMMENTS

This topic is closed for new posts.
  1. Colin Millar
    Devil

    iframes

    Back in the frame for yet another bit of jiggery-pokery.

    Why am I not surprised.

    iframes = evil

    1. Anonymous Coward
      Anonymous Coward

      Re: iframes

      Having just skimmed the whitepaper, it looks like you could just as easily do the same thing with a hidden div or any element which is positioned off screen.

  2. Anonymous Coward
    Anonymous Coward

    All goes to show that adding more power (without thought) in the browser results in security problems.

    Microsoft added the largest amount of power in IE years ago, giving the browser access to ActiveX and all manner of things. It was a nightmare from a security perspective.

  3. Black Rat
    Devil

    This will be interesting...

    after all it took almost ten years before the original CSS history hack was finally patched across all mainstream browsers.

  4. bazza Silver badge

    Inevitable?

    There's an obvious problem here. Security researchers tend not to be browser developers. Browser developers tend not to be security researchers. Browser developers implement security critical software... see what I mean?

    Solving this problem is going to be difficult. Either:

    • make every operation take the same amount of time
    • randomise the time taken, which will hit performance and would be vulnerable to attack anyway (how good are random number generators anyway?)
    • forget the whole thing altogether

    What's it going to be?
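As an added illustration of the second option above (jittering the clock), not code from the article, the thread or Context's paper: a constructed operation takes 10 or 12 µs depending on a secret bit, and a timer with ±50 µs of uniform noise is used to measure it. One reading tells the measurer nothing, but zero-mean noise averages out, so many readings recover the bit; the durations, jitter range and PRNG seeds are all made-up values for the simulation.

```javascript
// Added example: why random timer jitter alone is a weak defence against
// timing side channels. Durations, jitter and seeds are constructed.

// Small seeded PRNG (mulberry32) so the simulation is reproducible.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// True duration of the secret-dependent operation in microseconds
// (constructed: 10 µs when the secret bit is 0, 12 µs when it is 1).
function trueDuration(secretBit) {
  return secretBit ? 12 : 10;
}

// A "randomised" timer: true duration plus uniform noise of ±jitterUs.
// The noise (up to 50 µs) dwarfs the 2 µs difference being hidden.
function jitteredMeasurement(secretBit, jitterUs, rng) {
  return trueDuration(secretBit) + (rng() * 2 - 1) * jitterUs;
}

// Mean of n jittered readings. Zero-mean noise shrinks as 1/sqrt(n),
// so the mean converges back to the true duration.
function meanMeasurement(secretBit, jitterUs, n, rng) {
  let sum = 0;
  for (let i = 0; i < n; i++) sum += jitteredMeasurement(secretBit, jitterUs, rng);
  return sum / n;
}

// Recover the bit from averaged timings: a mean above 11 µs means 1.
function guessBit(secretBit, jitterUs, n, seed) {
  const rng = makeRng(seed);
  return meanMeasurement(secretBit, jitterUs, n, rng) > 11 ? 1 : 0;
}

// With 50,000 readings the standard error is about 0.13 µs, so the
// 1 µs margin to the threshold is recovered reliably for both bit values.
function demo() {
  return { guess0: guessBit(0, 50, 50000, 7), guess1: guessBit(1, 50, 50000, 7) };
}
```

This is why browsers that responded to timing attacks coarsened timer resolution (and isolated sites) rather than relying on jitter alone.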

    1. BlueGreen

      Re: Inevitable?

      Or maybe disable JS and avoid exposing yourself to a goodly collection of known vulnerabilities, and an unknowably large slew of yet-undiscovered ones.

      Just turn off js - most of the web still functions passably, and a lot quicker - and use a VM for when you really need it. Works for me.

      1. Destroy All Monsters Silver badge
        Headmaster

        Re: Inevitable?

        > Just turn off js

        This is 2013. Turning off JavaScript is going to make VERY LARGE chunks of meaningful stuff disappear. And it's not going to get better.

        Just try, oh I dunno... this

        1. BlueGreen

          Re: Inevitable?

          Plenty of sites still work, and those that don't, well (shrug[*]). It won't get any better if people keep adapting themselves to others' bad practices where it even puts themselves at risk. Reward bad behaviour and you get more of it.

          [*] and I did suggest using a VM where necessary

          1. Charles 9

            Re: Inevitable?

            A VM isn't going to do squat for concealing your Internet-facing IP (the VM still has to go through the ISP), and if the Feds can trace an Onion route, tracing through another proxy will be a cakewalk to them.

            As for removing JavaScript, so much of the Internet now uses stateful interaction. So unless you want the world to know what you're doing (because the only way to keep state that doesn't involve JavaScript and/or cookies is to encode it in the URL like in the OLD days), we're stuck with it.

            1. BlueGreen

              Re: Inevitable?

              > A VM isn't going to do squat for concealing your Internet-facing IP

              Obviously, and I never said it would. Using a VM sandboxes dodgy JS behaviour away from your real machine, that's all. Also allows it to roll back to clean states for extra security.

              > As for removing JavaScript, so much of the Internet now uses stateful interaction

              And will continue to do so while people like you allow their unnecessary indulgences.

              > that doesn't involve [...] cookies

              Cookies stay on my machine just long enough to do what I want, like posting here, then get nuked. And I don't have java, flash, silverlight or whatever. Cookies are fine, just kill them after.

              Come on, fight back. It looks like you aren't prepared to do the smallest thing if it inconveniences you.

              FFS MS used to deliberately obscure their sites unless you had JS running (even plain text!), but they've woken up now. Things *can* change.

              *come on* stop being so goddamn passive.

              1. Anonymous Coward
                FAIL

                Re: Inevitable?

                Back in the very earliest days (beta 1.0) VMWare Workstation, the first thing I did with the beast was create a virtual machine and stuffed Windows in it. Then I took that and created a "golden master" (password protected zip). From then on, that was my tool for the web and, as you say, simply powered it down at the end of a session, no save. It's not rocket science, or maybe it is but I have no idea why. And yes, I can do nuclear engineering or even rocket science just fine, thank you.

                Why aren't we doing this with ALL problematic software? Or for work/play separations? For F's sake, it's been a decade and a half. The hardware is there, even on my first-gen Nexus 7 let alone something heftier.

        2. Pascal Monett Silver badge

          Re: This is 2013

          Yes, and I should now have the power to decide what runs on my machine and what doesn't.

          I should be able to block JavaScript until I decide that I wish it to run. Telling me that there are more and more sites that use it is not an excuse. It should still be in my power to decide.

          There are sites that are entirely made of Flash animations - I can still decide whether or not I want to see them. If I don't, I am aware that I will not access any site content. My choice.

          It's about choice.

          1. Charles 9

            Re: This is 2013

            "It's about choice."

            The trouble with choice is that it goes BOTH ways. The provider will demand a price for entry, and if you don't like it and it's the only provider, do the letters SOL ring a bell?

            As for VMs, haven't there been VM sniffers, breakout exploits, and Ring -1 malware popping up from time to time? Any of those can mean they break through the VM onto your actual machine, where they can wreak havoc from there.

            As for not allowing JavaScript or the like, so you never do any shopping or anything else that requires stateful interaction (a shopping cart is a stateful interaction, as in it keeps track of stuff)? The only way to do that without cookies or JS is to keep the session in the URL, which if you'll recall means it's open for hijacking.

  5. Henry Wertz 1 Gold badge

    Letters?

    Are they really claiming that it takes the browser different lengths of time to draw each letter? How odd, I would not have expected that.

    1. Anonymous Coward
      Anonymous Coward

      Re: Letters?

      If you're measuring time to the MICROsecond (as the article proposes), then differences CAN be determined.

    2. Robert Heffernan
      Headmaster

      Re: Letters?

      Letters do take differing amounts of time to render in that the source of the pixel data is vector based and the time taken to process the math to rasterise the letter is unique.

      1. BlueGreen

        Re: Letters? @ Robert Heffernan

        Text is not rendered like that at all (AFAIK it's rendered that way to a buffer, once per character per typeface in use, then block copied to the visible display on demand, else it would be unbearably slow), and from my *very* quick skim of the paper, that's nothing to do with how this attack works.
