I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks

Weinberg, Zachary; Chen, Eric; Jayaraman, Pavithra Ramesh; Jackson, Collin

doi:10.1109/sp.2011.23

Cited by 83 publications

(50 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…After the disclosure, a prevention mechanism was proposed by L. David Baron of Mozilla [30] and has been adopted in the latest version of major browsers. Right after that, in May 2011, Weinberg et al [31] demonstrated a new kind of history sniffing attack that circumvents even Baron's defense and to date, no newer protection measure has been proposed.…”

Section: Protectionmentioning

confidence: 99%

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Tran

Dong

Liang

et al. 2012

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. JavaScript-based applications are very popular on the web today. However, the lack of effective protection makes various kinds of privacy violation attack possible, including cookie stealing, history sniffing and behavior tracking. There have been studies of the prevalence of such attacks, but the dynamic nature of the JavaScript language makes reasoning about the information flows in a web application a challenging task. Previous small-scale studies do not present a complete picture of privacy violations of today's web, especially in the context of Internet advertisements and web analytics. In this paper we present a novel, fast and scalable architecture to address the shortcomings of previous work. Specifically, we have developed a novel technique called principal-based tainting that allows us to perform dynamic analysis of JavaScript execution with lowered performance overhead. We have crawled and measured more than one million websites. Our findings show that privacy attacks are more prevalent and serious than previously known.

show abstract

Section: Protectionmentioning

confidence: 99%

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Tran

Dong

Liang

et al. 2012

Applied Cryptography and Network Security

View full text Add to dashboard Cite

show abstract

“…This includes for instance attacks at the network level (eavesdropping on or tampering with network traffic), attacks that trick users into manually propagating sensitive information [56] or CSRF attacks that do not make use of scripts [9]. Heiderich et al [28] show that such scriptless attacks can be surprisingly powerful.…”

Section: Out-of-scope Threatsmentioning

confidence: 99%

“…Finally, users can also create such leaks by being tricked into manually propagating confidential information. These leaks are important in practice: Chen et al [17] and Weinberg et al [56] give examples of attacks such as the one discussed above. As a consequence, an important challenge when setting policies on the API is to set the policy in such a way that the world does not have any leaks itself with respect to the policy that is set.…”

Section: Non-interference Of Flowfoxmentioning

confidence: 99%

“…Hence, additional countermeasures have been implemented or proposed. Some of these are ad-hoc security checks added to the browser (e.g., to defend against history-sniffing attacks, browsers responded with prohibiting access to the computed style of HTML elements [56]), whereas others are elaborate and well thought-out research proposals to address specific subclasses of such attacks (e.g., AdJail [53] proposes an architecture to contain advertisement scripts).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Secure multi-execution of web scripts: Theory and practice

Groef

Devriese

Nikiforakis

et al. 2014

JCS

View full text Add to dashboard Cite

Secure Multi-Execution (SME) is a precise and general information flow control mechanism that was claimed to be a good fit for implementing information flow security in browsers. We validate this claim by developing FlowFox, the first fully functional web browser that implements an information flow control mechanism for web scripts based on the technique of secure multi-execution. We provide evidence for the security of FlowFox by proving non-interference for a formal model of the essence of FlowFox, and by showing how it stops real attacks. We provide evidence of usefulness by showing how FlowFox subsumes many ad-hoc script-containment countermeasures developed over the last years. An experimental evaluation on the Alexa top-500 web sites provides evidence for compatibility, and shows that FlowFox is compatible with the current web, even on sites that make intricate use of JavaScript.The performance and memory cost of FlowFox is substantial (a performance cost of around 20% on macro benchmarks for a simple two-level policy), but not prohibitive. Our prototype implementation shows that information flow enforcement based on secure multi-execution can be implemented in full-scale browsers. It can support powerful, yet compatible policies refining the same-origin-policy in a way that is compatible with existing websites.

show abstract

“…For protecting apps on the same host, the current web API imposes complicated restrictions on inter-domain communication that admit subtle flaws [22]. By contrast, Zoog provides no cross-app communication other than a layer-3 network interface, which introduces seven CEI calls to support zero-copy packet I/O.…”

Section: Support For Networked Applicationsmentioning

confidence: 99%

The web interface should be radically refactored

Douceur

Howell

Parno

et al. 2011

Proceedings of the 10th ACM Workshop on Hot Topics in Networks

View full text Add to dashboard Cite

The Web API conflates two conflicting goals: serving developers by supporting a wide and growing suite of functionality, and providing applications with an isolated execution environment. We propose to split the API into two levels of interface: a low-level interface that governs the relationship between the application and the browser, and a set of highlevel interfaces that govern the relationship between the application and its developer. We delineate a tiny set of properties needed by the low-level interface. We argue that this restructuring provides significant benefit to both developers and users.

show abstract

I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks

Cited by 83 publications

References 12 publications

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Tracking the Trackers: Fast and Scalable Dynamic Analysis of Web Content for Privacy Violations

Secure multi-execution of web scripts: Theory and practice

The web interface should be radically refactored

Contact Info

Product

Resources

About