#1
New techniques expose browsing history to hackers
On Sun, 04 Nov 2018 15:57:18 +0100, Yrrah wrote:
> The techniques fall into the category of 'history sniffing' attacks
> https://ucsdnews.ucsd.edu/pressrelease/history_sniffing
> https://www.ghacks.net/2018/11/04/browser-history-sniffing-is-still-a-thing/
>
> "The attacks the researchers developed, in the form of JavaScript code, cause web browsers to behave differently based on whether a website had been visited or not."

Chrome = all 5 attacks worked
Firefox = 2 attacks worked
Edge = 2 attacks worked
Tor Browser = none worked
Brave = all 5 worked
FuzzyFox = 2 worked
DeterFox = 2 worked
IE = 2 worked

o A victim navigates to a page containing the attack
o The attack code runs through a list of thousands of URLs/sec
o The attack code determines which of those URLs have been visited
o The attack can only compare visited URLs to a known list of URLs

Examples
o The Chrome "CSS Paint API" allowed 6,000 URLs a second.
o Visited URLs show up in purple instead of in blue

Attack 1: Use the CSS Paint API to determine whether a particular URL was visited by a user by "crafting a link element that gets re-painted only if its associated URL is visited" and monitoring timing information to determine if a re-paint event took place.

Attack 2: Stack CSS 3D transforms on other CSS styles to create link elements and toggle "the link element between two different destination URLS" to identify re-paint operations.

Attack 3: Embed a complex SVG image inside a link element and use a "series of CSS fill rules under :visited selectors" to determine the visited status of a link.

Attack 4: Use Chrome's bytecode cache to determine whether a JavaScript source file was loaded previously in the browser.

Paper: https://www.spinda.net/papers/smith-2018-revisited.pdf

--
As always, so all benefit from every action.
#2
New techniques expose browsing history to hackers
On 4-11-2018 17:12, Wolf K wrote:
> On 2018-11-04 10:35, Arlen_Holder wrote:
>> On Sun, 04 Nov 2018 15:57:18 +0100, Yrrah wrote:
>>> The techniques fall into the category of 'history sniffing' attacks
>>> https://ucsdnews.ucsd.edu/pressrelease/history_sniffing
>>> https://www.ghacks.net/2018/11/04/browser-history-sniffing-is-still-a-thing/
>>>
>>> "The attacks the researchers developed, in the form of JavaScript code, cause web browsers to behave differently based on whether a website had been visited or not."
>
> Interesting.
>
> Defence: Clear History on exit from browser and/or clear manually at regular intervals.

Jabut... I always do that, BUT.... Ccleaner finds about 30 kookies??
It should find zero kookies.
Then a fresh start with google as homepage, and immediately quitting, Ccleaner then finds 1 kookie, size 628KB.
Caramba!! Now what's wrong??
#3
New techniques expose browsing history to hackers
On Sun, 4 Nov 2018 11:12:35 -0500, Wolf K wrote:
> Interesting.
>
> Defence: Clear History on exit from browser and/or clear manually at regular intervals.

Good advice Wolf K,

If folks know of better ways to clear history, let us know.

The two ways I know of to easily clear history are
o Set each browser to private mode (clear history on exit), or
o Set the start page to the clear-history settings

Example of private mode setting:
o https://www.howtogeek.com/137466/how-to-always-start-any-browser-in-private-browsing-mode/

Example of start page setting:
o chrome://settings/clearBrowserData

While Chrome has no problem opening directly to the "clear" button, I can't get Firefox to do it as neatly as Chrome does it (with the button staring you in the face).

The closest I can get Firefox to open to is this:
o about:preferences#privacy

But what I want is something like this to highlight the clear button:
o about:preferences#privacy%20clear%20data

If there are Firefox experts out there who know how to streamline the "start in" page so only the clear button is visible in Firefox, that would help.

https://support.mozilla.org/en-US/kb/storage?&as=u&redirectslug=permission-store-data&#w_clear-all-information
#4
New techniques expose browsing history to hackers
Sjouke,
> It should find zero kookies.

Not quite. Cookies are also used for rather benign purposes, like storing a session ID. That way you do not need to re-login when you move from one page to the next. :-)

> Ccleaner then finds 1 kookie , size 628KB Caramba!!

That does not sound like a normal cookie, as those are rather small text files. Do you maybe have Flash installed? It might have slipped in that way. Also, which browser (type and version)?

In other words, see if you can get Ccleaner to tell you a bit more about that cookie, like where it was found.

Also, I suggest revisiting the settings of your browser. Nowadays most of them allow you to set cookies to "session only", meaning that they get erased when you exit the browser. Also, see if you can disable "third-party cookies".

Of course, that could cause problems on websites which use persistent cookies (to store preferences for that site). So, see if your browser allows you to exclude certain websites from the first-party cookies-clearing process.

As for the "attack" itself? That's a rather old one (a few years), and simple. It only needs to look at the color of the link.

Regards,
Rudy Wieser
#5
New techniques expose browsing history to hackers
On 11/4/2018 11:52 AM, Arlen_Holder wrote:
> The closest I can get Firefox to open to is this:
> o about:preferences#privacy
>
> But what I want is something like this to highlight the clear button:
> o about:preferences#privacy%20clear%20data
>
> If there are Firefox experts out there who know how to streamline the "start in" page so only the clear button is visible in Firefox, that would help

In Firefox why don't you go to Tools, Options, Privacy and Security. In the History section set Firefox to "Use Custom settings for History" and then in Settings tell Firefox what you want to clear on closing.

In that same History section there is a button "Clear History" to do it manually.

--
2018: The year we learn to play the great game of Euchre
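As an added example (not written by any poster in this thread): a small Python check that reads a Firefox `prefs.js` and reports whether the clear-on-close setting described above is actually in effect, including the case where clearing is enabled but history is excluded from it. The preference names and defaults are assumptions based on Firefox releases from around the time of this thread (later versions may rename them), and the sample file is constructed.

```python
import json
import re

# Matches one active line of a Firefox prefs.js / user.js file.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# pref name -> (value that limits history exposure, assumed Firefox default).
# Names and defaults are assumptions for 2018-era Firefox.
CHECKS = {
    "privacy.sanitize.sanitizeOnShutdown": (True, False),  # clear data on close
    "privacy.clearOnShutdown.history": (True, True),       # ...including history
    "layout.css.visited_links_enabled": (False, True),     # :visited link styling
}

# Constructed sample: clearing on close is on, but history is excluded from it,
# and the visited-link pref is only present as a commented-out line.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:preferences#privacy");
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.history", false);
// user_pref("layout.css.visited_links_enabled", false);
'''

def parse_prefs(text):
    """Return {name: value}; comments are skipped and the last assignment wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            try:
                prefs[m.group(1)] = json.loads(m.group(2))
            except ValueError:
                prefs[m.group(1)] = m.group(2)  # keep an unparsed value as text
    return prefs

def audit(text):
    """Return {name: (effective value, matches hardened value)}."""
    prefs = parse_prefs(text)
    return {name: (prefs.get(name, default), prefs.get(name, default) is wanted)
            for name, (wanted, default) in CHECKS.items()}

def history_cleared_on_exit(text):
    """True only if clear-on-close is enabled AND history is part of it."""
    report = audit(text)
    return (report["privacy.sanitize.sanitizeOnShutdown"][1]
            and report["privacy.clearOnShutdown.history"][1])

if __name__ == "__main__":
    for name, (value, ok) in audit(SAMPLE_PREFS).items():
        print(f"{'OK  ' if ok else 'WEAK'} {name} = {value!r}")
    print("history cleared on exit:", history_cleared_on_exit(SAMPLE_PREFS))
```

Point it at the `prefs.js` in your own profile folder by passing that file's text to `audit()`.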
#6
New techniques expose browsing history to hackers
On Sun, 4 Nov 2018 14:39:23 -0500, Keith Nuttle wrote:
> In Firefox why don't you go to Tools, Options, Privacy and Security. in the History section set Firefox to "Use Custom settings for History" and then in Settings tell Firefox what you want to clear on closing.
>
> In that same History section there is a button "Clear History" to do it manually.

That's exactly why I said there are _two_ ways to accomplish the task.
o Set each browser to private mode (clear history on exit), or
o Set the start page to the clear-history settings

What you suggest is the first way, which has its own pros and cons. I was asking about the second way (which has different pros and cons).

This works beautifully, for example, in Chrome as the start page:
o chrome://settings/clearBrowserData

But I can't get any better of a start page for Firefox, than this:
o about:preferences#privacy

Again, there are _two_ methods, where each has pros and cons
o Losing everything every time you close the browser, or,
o Ditching everything on command, if and when you feel like it.

You're suggesting the former where I'm asking how to improve the latter.
#7
New techniques expose browsing history to hackers
On Sun, 4 Nov 2018 19:00:38 +0100, R.Wieser wrote:
> As for the "attack" itself ? Thats a rather old one (a few years), and simple. It only needs to look at the color of the link.

I'm not sure which attack you speak of, Rudy, but the researchers found relatively _new_ attacks, some of which remain to this day, where they used new functionality in the browser for these new'ish attacks.

https://www.spinda.net/papers/smith-2018-revisited.pdf
#8
New techniques expose browsing history to hackers
In article , Mayayana wrote:

> | "The attacks the researchers developed, in the form of JavaScript code,
> | cause web browsers to behave differently based on whether a website had
> | been visited or not."
> |
> | Interesting.
> |
> | Defence: Clear History on exit from browser and/or clear manually at
> | regular intervals.
>
> I like to keep a long history because I often want to revisit something but don't remember the URL.

bookmark it.
#9
New techniques expose browsing history to hackers
"Wolf K" wrote
| "The attacks the researchers developed, in the form of JavaScript code,
| cause web browsers to behave differently based on whether a website had
| been visited or not."
|
| Interesting.
|
| Defence: Clear History on exit from browser and/or clear manually at
| regular intervals.

I like to keep a long history because I often want to revisit something but don't remember the URL.

It seems this issue needs to be kept in perspective. The new CSS methods are a surprise to me. Personally I'd like to be able to disable SVG altogether, anyway. As far as I know it's only used for social media icons. But I'm not sure it's possible to disable it.

If you enable javascript then this, and many other spy mechanisms, have always been possible. A site can just use script to check the color of links and see whether they're visited color. One of the linked articles talks about ending that functionality, but it's very useful to see which links you've visited.

But what, really, is the risk? If you visit a sleazy site they can see where you've been. So what? Maybe CBS.com would like to know whether you visit NBC or ABC. But unless you visit a lot of big commercial sites you're probably not giving away much info.

One of the articles gives an example of someone tracking that you've visited Chase banking and then showing you a fake Chase login. But that would involve numerous ifs. You'd need to bank online, which is already a big risk. You'd need to visit a malware site that wants to track you. Your bank would have to be one that they have a fake login page for. They'd have to find a convincing excuse to show you a login page.... Very farfetched as a risk.
#10
New techniques expose browsing history to hackers
On 11/4/2018 4:14 PM, Arlen_Holder wrote:
> That's exactly why I said there are _two_ ways to accomplish the task.
> o Set each browser to private mode (clear history on exit), or
> o Set the start page to the clear-history settings

With Firefox to clear history on exit, you do NOT need to be in the Private Mode. It works in the normal mode.

I have my system set up to clear the History on exit, I do not run in the private mode. The history is always clear when I exit Firefox.

--
2018: The year we learn to play the great game of Euchre
#11
New techniques expose browsing history to hackers
Arlen,
> I'm not sure which attack you speak of, Rudy, but the researchers found relative _new_ attacks

Yeah, I noticed. Timing how long it takes to satisfy the request. If it's fast they assume it's already cached.

Would be fun if they tried it on my machine, as most all third-party requests are blocked and/or replaced by a local image. :-)

By the way, after all this time you *still* do not know how to ask a question, do you? No indication of which version of FF you are using. As you should know by now programs can change quite a bit between versions. Especially true for FF, as it has recently had a big change in regard to its plugins.

Both of which are also the reason why your question is absolutely worthless in the XP newsgroup: I could exactly tell you what to do where to get a better grip on how cookies are handled [1], but as FF 52 is the last version that will work on XP there is little chance it will be of any value to you.

[1] Which I was not planning on doing by the way, as you have got Google at your fingertips and should be doing your own searching BEFORE asking (took me 5 seconds to google the answer).

One suggestion though: Take a look at the available plugins for your version of FF (you can do that from the browser's plugin settings page - for my version of FF. YMMV). Maybe, just maybe someone already rewrote an old-style "clear history" plugin button for on the toolbar.

.... Not that you will need it if you set FF to reject third-party cookies mind you. :-)

Regards,
Rudy Wieser

## End of transmission, do the rest yourself.