Re: New techniques expose browsing history to hackers

Arlen_Holder

Nov 4, 2018, 10:35:04 AM
On Sun, 04 Nov 2018 15:57:18 +0100, Yrrah wrote:
> The techniques fall into the category of 'history sniffing' attacks
> <https://ucsdnews.ucsd.edu/pressrelease/history_sniffing>
> <https://www.ghacks.net/2018/11/04/browser-history-sniffing-is-still-a-thing/>

"The attacks the researchers developed, in the form of JavaScript code,
cause web browsers to behave differently based on whether a website had
been visited or not."

Chrome = all 5 attacks worked
Firefox = 2 attacks worked
Edge = 2 attacks worked
Tor Browser = none worked
Brave = all 5 worked
FuzzyFox = 2 worked
DeterFox = 2 worked
IE = 2 worked

o A victim navigates to a page containing the attack
o The attack code runs through a list of thousands of URLs/sec
o The attack code determines which of those URLs have been visited
o The attack can only compare visited URLs to a known list of URLs

Examples
o The Chrome "CSS Paint API" allowed 6,000 URLs a second.
o Visited URLs show up in purple instead of in blue

Attack 1:
Use the CSS Paint API to determine whether a particular URL was visited by
a user by "crafting a link element that gets re-painted only if its
associated URL is visited" and monitoring timing information to determine
if a re-paint event took place.

Attack 2:
Stack CSS 3D transforms on other CSS styles to create link elements and
toggle "the link element between two different destination URLS" to
identify re-paint operations.

Attack 3:
Embed a complex SVG image inside a link element and use a "series of CSS
fill rules under :visited selectors" to determine the visited status of a
link.

Attack 4:
Use Chrome's bytecode cache to determine whether a JavaScript source file
was loaded previously in the browser.

Paper: <https://www.spinda.net/papers/smith-2018-revisited.pdf>

--
As always, so all benefit from every action.

Wolf K

Nov 4, 2018, 11:12:40 AM
On 2018-11-04 10:35, Arlen_Holder wrote:
> On Sun, 04 Nov 2018 15:57:18 +0100, Yrrah wrote:
>> The techniques fall into the category of 'history sniffing' attacks
>> <https://ucsdnews.ucsd.edu/pressrelease/history_sniffing>
>> <https://www.ghacks.net/2018/11/04/browser-history-sniffing-is-still-a-thing/>
> "The attacks the researchers developed, in the form of JavaScript code,
> cause web browsers to behave differently based on whether a website had
> been visited or not."

Interesting.

Defence: Clear History on exit from browser and/or clear manually at
regular intervals.

--
Wolf K
kirkwood40.blogspot.com
"Genetics is not genealogy." (Graham Coop, Ph.D.)

Sjouke Burry

Nov 4, 2018, 11:41:19 AM
On 4-11-2018 17:12, Wolf K wrote:
> On 2018-11-04 10:35, Arlen_Holder wrote:
>> On Sun, 04 Nov 2018 15:57:18 +0100, Yrrah wrote:
>>> The techniques fall into the category of 'history sniffing' attacks
>>> <https://ucsdnews.ucsd.edu/pressrelease/history_sniffing>
>>> <https://www.ghacks.net/2018/11/04/browser-history-sniffing-is-still-a-thing/>
>> "The attacks the researchers developed, in the form of JavaScript code,
>> cause web browsers to behave differently based on whether a website had
>> been visited or not."
>
> Interesting.
>
> Defence: Clear History on exit from browser and/or clear manually at
> regular intervals.
>
Jabut... I always do that, BUT.... Ccleaner finds about 30 kookies??
It should find zero kookies.
Then a fresh start with google as homepage, and immediately quitting,
Ccleaner then finds 1 kookie , size 628KB Caramba!!

Now what's wrong??

Arlen_Holder

Nov 4, 2018, 11:52:51 AM
On Sun, 4 Nov 2018 11:12:35 -0500, Wolf K wrote:

> Interesting.
>
> Defence: Clear History on exit from browser and/or clear manually at
> regular intervals.

Good advice Wolf K,
If folks know of better ways to clear history, let us know.

The two ways I know of to easily clear history are
o Set each browser to private mode (clear history on exit), or
o Set the start page to the clear-history settings

Example of private mode setting:
o <https://www.howtogeek.com/137466/how-to-always-start-any-browser-in-private-browsing-mode/>

Example of start page setting:
o chrome://settings/clearBrowserData

While Chrome has no problem opening directly to the "clear" button, I can't
get Firefox to do it as neatly as Chrome does it (with the button staring
you in the face).

The closest I can get Firefox to open to is this:
o about:preferences#privacy
But what I want is something like this to highlight the clear button:
o about:preferences#privacy%20clear%20data

If there are Firefox experts out there who know how to streamline the
"start in" page so only the clear button is visible in Firefox, that would
help.

<https://support.mozilla.org/en-US/kb/storage?&as=u&redirectslug=permission-store-data&#w_clear-all-information>

Wolf K

Nov 4, 2018, 12:15:08 PM
Yeah, cookies.... You can clear those too, manually under ...History -
"clear individual cookies." But this works only for the current session,
or until you access that website again. Since many websites use the
tracking services, accessing another site will install the cookies
you've just cleared. FF offers Tracking Protection, but I don't know how
good it is. Seems like only the Tor browser can hide you completely.

However, cookies are necessary for a lot of online stuff (eg, banking, if
you do that). It used to be simple to block cookies, but for every
defence there's sooner or later a new offence.

The three laws of thermodynamics are relevant I think. :-)

1. "You can't win"
2. "You can't break even."
3. "You can't get out of the game."

Best,

R.Wieser

Nov 4, 2018, 1:00:50 PM
Sjouke,

> It should find zero kookies.

Not quite. Cookies are also used for rather benign purposes, like storing
a session ID. That way you do not need to re-login when you move from one
page to the next. :-)

> Ccleaner then finds 1 kookie , size 628KB Caramba!!

That does not sound like a normal cookie, as those are rather small
text files. Do you maybe have Flash installed? It might have slipped in
that way. Also, which browser (type and version)?

In other words, see if you can get Ccleaner to tell you a bit more about
that cookie, like where it was found.

Also, I suggest revisiting the settings of your browser. Nowadays most of
them allow you to set cookies to "session only", meaning that they get
erased when you exit the browser. Also, see if you can disable
"third-party cookies".

Of course, that could cause problems on websites which use persistent cookies
(to store preferences for that site). So, see if your browser allows you
to exclude certain websites from the first-party cookies-clearing process.

As for the "attack" itself? That's a rather old one (a few years), and
simple. It only needs to look at the color of the link.

Regards,
Rudy Wieser


Keith Nuttle

Nov 4, 2018, 2:39:29 PM
On 11/4/2018 11:52 AM, Arlen_Holder wrote:
> The closest I can get Firefox to open to is this:
> o about:preferences#privacy
> But what I want is something like this to highlight the clear button:
> o about:preferences#privacy%20clear%20data
>
> If there are Firefox experts out there who know how to streamline the
> "start in" page so only the clear button is visible in Firefox, that would
> help

In Firefox why don't you go to Tools, Options, Privacy and Security. In
the History section set Firefox to "Use Custom settings for History" and
then in Settings tell Firefox what you want to clear on closing.

In that same History section there is a button "Clear History" to do it
manually.

--
2018: The year we learn to play the great game of Euchre
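
An added example, not part of the thread: a Node.js script that audits a Firefox `prefs.js`/`user.js` for the clear-on-close and third-party-cookie settings suggested in the posts above. The pref names are Firefox's from that era; the defaults applied to absent prefs, the expected values, the `layout.css.visited_links_enabled` check (not mentioned in the thread) and the sample file are this example's assumptions.

```javascript
// Added example (not from the thread): audit a Firefox prefs.js/user.js.
// Expected values are this example's hardening choices; `dflt` is the assumed
// 2018-era Firefox default, used when a pref is absent from the file.
const CHECKS = [
  { name: "privacy.sanitize.sanitizeOnShutdown", dflt: false, ok: v => v === true,
    why: "clear data when Firefox closes" },
  { name: "privacy.clearOnShutdown.history", dflt: true, ok: v => v === true,
    why: "include browsing history in the shutdown clear" },
  { name: "privacy.clearOnShutdown.cache", dflt: true, ok: v => v === true, why: "include cache" },
  { name: "privacy.clearOnShutdown.cookies", dflt: true, ok: v => v === true, why: "include cookies" },
  { name: "network.cookie.cookieBehavior", dflt: 0, ok: v => v === 1 || v === 2,
    why: "reject third-party (1) or all (2) cookies" },
  { name: "layout.css.visited_links_enabled", dflt: true, ok: v => v === false,
    why: "no :visited styling for pages to observe" },
];

// Parse user_pref("name", value); lines. Commented-out lines are ignored and
// a later line for the same pref overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    try { prefs.set(m[1], JSON.parse(m[2])); } catch { /* skip unparsable value */ }
  }
  return prefs;
}

// Return only the checks that fail, with the effective value for each.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  return CHECKS.map(c => {
    const value = prefs.has(c.name) ? prefs.get(c.name) : c.dflt;
    return { name: c.name, value, pass: c.ok(value), why: c.why };
  }).filter(r => !r.pass);
}

// Constructed sample, not taken from any real profile.
const SAMPLE = [
  '// user_pref("privacy.sanitize.sanitizeOnShutdown", true);  (commented out)',
  'user_pref("privacy.clearOnShutdown.history", false);',
  'user_pref("network.cookie.cookieBehavior", 1);',
  'user_pref("browser.startup.homepage", "about:preferences#privacy");',
].join("\n");

for (const f of auditPrefs(SAMPLE)) {
  console.log(`WEAK ${f.name} = ${JSON.stringify(f.value)} (want: ${f.why})`);
}
```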

Shadow

Nov 4, 2018, 3:05:01 PM
On Sun, 04 Nov 2018 15:57:18 +0100, Yrrah <Yrra...@acf.invalid>
wrote:

>"Security researchers have discovered four new ways to expose Internet
>users' browsing histories. These techniques could be used by hackers
>to learn which websites users have visited as they surf the web.
>The techniques fall into the category of 'history sniffing' attacks, a
>concept dating back to the early 2000s. But the attacks demonstrated
>by the researchers at the 2018 USENIX Workshop on Offensive
>Technologies (WOOT) in Baltimore can profile or ‘fingerprint’ a user’s
>online activity in a matter of seconds, and work across recent
>versions of major web browsers.(...)"
>"The researchers reported the issues to browser developers but patches
>for these attacks may take months to implement."
>Articles:
><https://ucsdnews.ucsd.edu/pressrelease/history_sniffing>
>and
><https://www.ghacks.net/2018/11/04/browser-history-sniffing-is-still-a-thing/>
>
>For the paranoid? Anyway, happy browsing...

Open Firefox, set everything to private browsing, clear
cookies, clear history, clear cache etc et al on exit. Disable java,
flash etc.
Close Firefox.
Start Firefox.
Visit a dozen different sites.
Close Firefox.
Pull the plug on the Internet.

Open firefox and put
"about:cache"
in the address.
You should see at least 10 profiling UniqueIDs in there. They are
usually disguised as certs or just binary junk, but they are
fingerprints.

Delete them all. Repeat.
They're back !!!!
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012

Arlen_Holder

Nov 4, 2018, 4:14:19 PM
On Sun, 4 Nov 2018 14:39:23 -0500, Keith Nuttle wrote:

> In Firefox why don't you go to Tools, Options, Privacy and Security. in
> the History section set Firefox to "Use Custom settings for History" and
> then in Settings tell Firefox what you want to clear on closing.
>
> In that same History section there is a button "Clear History" to do it
> manually.

That's exactly why I said there are _two_ ways to accomplish the task.
o Set each browser to private mode (clear history on exit), or
o Set the start page to the clear-history settings

What you suggest is the first way, which has its own pros and cons.
I was asking about the second way (which has different pros and cons).

This works beautifully, for example, in Chrome as the start page:
o chrome://settings/clearBrowserData
But I can't get any better of a start page for Firefox, than this:
o about:preferences#privacy

Again, there are _two_ methods, where each has pros and cons
o Losing everything every time you close the browser, or,
o Ditching everything on command, if and when you feel like it.

You're suggesting the former where I'm asking how to improve the latter.

Arlen_Holder

Nov 4, 2018, 4:15:33 PM
On Sun, 4 Nov 2018 19:00:38 +0100, R.Wieser wrote:

> As for the "attack" itself ? Thats a rather old one (a few years), and
> simple. It only needs to look at the color of the link.

I'm not sure which attack you speak of, Rudy, but the researchers found
relatively _new_ attacks, some of which remain to this day, where they used
new functionality in the browser for these new'ish attacks.
<https://www.spinda.net/papers/smith-2018-revisited.pdf>

Mayayana

Nov 4, 2018, 5:53:18 PM
"Wolf K" <wol...@sympatico.ca> wrote

| > "The attacks the researchers developed, in the form of JavaScript code,
| > cause web browsers to behave differently based on whether a website had
| > been visited or not."
|
| Interesting.
|
| Defence: Clear History on exit from browser and/or clear manually at
| regular intervals.

I like to keep a long history because I often
want to revisit something but don't remember
the URL.

It seems this issue needs to be kept in
perspective. The new CSS methods are a surprise
to me. Personally I'd like to be able to disable
SVG altogether, anyway. As far as I know it's
only used for social media icons. But I'm not
sure it's possible to disable it.
If you enable javascript then this, and many
other spy mechanisms, have always been possible.
A site can just use script to check the color of
links and see whether they're visited color. One
of the linked articles talks about ending that
functionality, but it's very useful to see which
links you've visited.

But what, really, is the risk? If you visit a sleazy
site they can see where you've been. So what?
Maybe CBS.com would like to know whether you
visit NBC or ABC. But unless you visit a lot of big
commercial sites you're probably not giving away
much info.

One of the articles gives an example of someone
tracking that you've visited Chase banking and then
showing you a fake Chase login. But that would
involve numerous ifs. You'd need to bank online,
which is already a big risk. You'd need to visit a
malware site that wants to track you. Your bank
would have to be one that they have a fake login
page for. They'd have to find a convincing excuse
to show you a login page.... Very farfetched as
a risk.


nospam

Nov 4, 2018, 6:11:09 PM
In article <prnt8r$4ja$1...@dont-email.me>, Mayayana
<maya...@invalid.nospam> wrote:

> | > "The attacks the researchers developed, in the form of JavaScript code,
> | > cause web browsers to behave differently based on whether a website had
> | > been visited or not."
> |
> | Interesting.
> |
> | Defence: Clear History on exit from browser and/or clear manually at
> | regular intervals.
>
> I like to keep a long history because I often
> want to revisit something but don't remember
> the URL.

bookmark it.

Keith Nuttle

Nov 4, 2018, 6:29:20 PM
On 11/4/2018 4:14 PM, Arlen_Holder wrote:
> That's exactly why I said there are _two_ ways to accomplish the task.
> o Set each browser to private mode (clear history on exit), or
> o Set the start page to the clear-history settings
With Firefox to clear history on exit, you do NOT need to be in the
Private Mode. It works in the normal mode.

I have my system set up to clear the History on exit, I do not run in
the private mode. The history is always clear when I exit Firefox.

R.Wieser

Nov 5, 2018, 2:18:01 AM
Arlen,

> I'm not sure which attack you speak of, Rudy, but the researchers
> found relative _new_ attacks

Yeah, I noticed. Timing how long it takes to satisfy the request. If it's
fast they assume it's already cached.

Would be fun if they tried it on my machine, as most all third-party
requests are blocked and/or replaced by a local image. :-)


By the way, after all this time you *still* do not know how to ask a
question, do you? No indication of which version of FF you are using. As
you should know by now programs can change quite a bit between versions.

Especially true for FF, as it has recently had a big change in regard to its
plugins. Both of which are also the reason why your question is absolutely
worthless in the XP newsgroup: I could exactly tell you what to do where to
get a better grip on how cookies are handled [1], but as FF 52 is the last
version that will work on XP there is little chance it will be of any value
to you.

[1] Which I was not planning on doing by the way, as you have got Google at
your fingertips and should be doing your own searching BEFORE asking (took
me 5 seconds to google the answer).

One suggestion though: Take a look at the available plugins for your version
of FF (you can do that from the browser's plugin settings page - for my
version of FF. YMMV). Maybe, just maybe someone already rewrote an
old-style "clear history" plugin button for on the toolbar.

... Not that you will need it if you set FF to reject third-party cookies
mind you. :-)

Regards,
Rudy Wieser

## End of transmission, do the rest yourself.

