Invasive Browser Sniffing and Countermeasures
Markus Jakobsson & Sid Stamm
Context-Aware Attacks
• Data about targets is obtained
• Used to customize emails
• Yields a higher vulnerability rate
Context: Social Networks
• Mine site for relationships (Alice knows Bob)
• Spoof email from victim’s friend
• People trust their friends (and that which spoofs them)
Context: Browser-Recon
• Phisher mines browsers
  – Browsing history
  – Cached data
• Attacker can discover affiliations
• Easy to pair browser history with email address
Context: Cache Recon
  GET /index.html
  GET /pics/pic1.jpg
  GET /pics/pic2.jpg
  …
pic1.jpg is NOT in the cache: the browser requests it after index.html.
Context: Cache Recon
  GET /index.html
  …
pic1.jpg IS in the cache: no request for it follows index.html.
Context: Cache Recon
  GET pic1.jpg
  GET pic2.jpg
  GET logout.jpg
(Felten & Schneider, “Timing Attacks on Web Privacy”, 7th ACM Conference on Computer and Communications Security, 2000.)
Context: History Recon
What you see:
  Link 1
  Link 2
  Link 3
The code:
  <style>
    a { color: blue; }
    #id1:visited { color: red; }
    #id2:visited { color: red; }
    #id3:visited { color: red; }
  </style>
  <a id="id1" href="x.com">Link 1</a>
  <a id="id2" href="y.com">Link 2</a>
  <a id="id3" href="z.com">Link 3</a>
Context: History Recon
What you see:
  Link 1
  Link 2
  Link 3
The code:
  <style>
    a { color: blue; }
    #id1:visited { background: url('e.com/?id=1'); }
    #id2:visited { background: url('e.com/?id=2'); }
    …
  </style>
  <a id="id1" href="x.com">Link 1</a>
  <a id="id2" href="y.com">Link 2</a>
  <a id="id3" href="z.com">Link 3</a>
Context: History Recon
What you see: nothing (the anchors are empty).
The code:
  <style>
    a { color: blue; }
    #id1:visited { background: url('e.com/?id=1'); }
    #id2:visited { background: url('e.com/?id=2'); }
    …
  </style>
  <a id="id1" href="x.com"></a>
  <a id="id2" href="y.com"></a>
  <a id="id3" href="z.com"></a>
History Recon + Email
  GET /[email protected]
  (lots of links)
  GET /hit?id=1&[email protected]
  GET /hit?id=42&[email protected]
Phisher can now associate Alice with links 1 and 42

Auto-Fill Identity Extraction
“Chameleon” Attack
Solutions to Browser-recon
• Client-Side Solutions:
  – Jackson, Bortz, Boneh, Mitchell, “Protecting browser state from web privacy attacks”, to appear in WWW06, 2006.
  – CSS limiting
  – “User-Paranoia” (regularly clear history, cache, keep no bookmarks)
• Server-Side Solution:
  – Make URLs impossible to guess
Solution Goals
Requirements
1. Hard to guess any pages or resources served by SP
2. Search engines can still index and search SP
Formal Goal Specification
Solution Techniques
• Two techniques:
  1. Customize URLs with pseudonyms
     http://chase.com/page.html?39fc938f
  2. Pollute client state
     (fill cache/history with related sites not visited by client)
• Hiding vs. obfuscating
  – Internal (protected) URLs hidden
  – Entry point (public) URLs obfuscated
![Page 20: Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm](https://reader035.vdocuments.net/reader035/viewer/2022062304/56649e2c5503460f94b1c085/html5/thumbnails/20.jpg)
Solution to Browser-recon
(Diagram: client C sends GET / directly to server S.)

Solution to Browser-recon
(Diagram: within the domain of S, a translator S_T sits in front of the server S_B. C sends GET /?13fc021b to the translator T, which forwards GET / to S_B.)
Pseudonyms
• Establishing a pseudonym
• Using a pseudonym
• Pseudonym validity check
  – Via Cookies
  – Via HTTP-REFERER
  – Via Message Authentication Codes
Pseudonyms
• Robot Policies
  – Dealing with search engines
  – Robots.txt “standard” (no problem if cheating)
• Pollution Policy
  – Pollute entrance URLs
  – How to choose pollutants?
• What about links to offsite data?
• Bookmarks?
Example
(Diagram: client C, translator at Bank.com, origin server at 10.0.0.1.)
  C → Bank.com:     GET /page.html?83fa029
  Bank.com → 10.0.0.1: GET /page.html
Example
Page as served by the origin server 10.0.0.1 (internal host name visible, offsite link direct):
  <a href='http://www.g.com'>Go to G</a>
  <a href='http://10.0.0.1/login.jsp'>Log in</a>
  <img src='/img/hi.gif'>
(Diagram: client C, translator at Bank.com, origin server at 10.0.0.1.)
Example
Internal host 10.0.0.1 replaced by the public domain Bank.com:
  <a href='http://www.g.com'>Go to G</a>
  <a href='http://Bank.com/login.jsp'>Log in</a>
  <img src='/img/hi.gif'>
(Diagram: client C, translator at Bank.com, origin server at 10.0.0.1.)
Example
Offsite link routed through the translator's redirector:
  <a href='http://Bank.com/redir?www.g.com'>Go to G</a>
  <a href='http://Bank.com/login.jsp'>Log in</a>
  <img src='/img/hi.gif'>
(Diagram: client C, translator at Bank.com, origin server at 10.0.0.1.)
Example
Pseudonym 83fa029 appended to every URL:
  <a href='http://Bank.com/redir?www.g.com?83fa029'>Go to G</a>
  <a href='http://Bank.com/login.jsp?83fa029'>Log in</a>
  <img src='/img/hi.gif?83fa029'>
(Diagram: client C, translator at Bank.com, origin server at 10.0.0.1.)
Example
The same rewritten page, delivered by the translator T (Bank.com) to the client C:
  <a href='http://Bank.com/redir?www.g.com?83fa029'>Go to G</a>
  <a href='http://Bank.com/login.jsp?83fa029'>Log in</a>
  <img src='/img/hi.gif?83fa029'>
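An added example, not the authors' prototype (which was a Java HTTP-server simulation), putting together the Pseudonyms and Example slides: issuing a pseudonym that the translator can validate with a MAC instead of a lookup table, rewriting an outgoing page the way the Example slides show, and stripping a valid pseudonym from an incoming request before it is forwarded to the origin. The MAC construction, the key, and the regex are assumptions; the hosts and the page are the slides' own.

```python
import hashlib
import hmac
import os
import re

# Constructed example: a minimal pseudonym translator in the style of the slides.
KEY = b"constructed-demo-key-keep-secret"   # translator-held MAC key (assumption)
INTERNAL = "http://10.0.0.1"                # origin server behind the translator
PUBLIC = "http://Bank.com"                  # public domain of the translator
ATTR_RE = re.compile(r"""(href|src)=(['"])([^'"]*)\2""")


def new_pseudonym(nonce: bytes = b"") -> str:
    """64-bit random nonce plus a 64-bit MAC tag, hex-encoded.
    The tag lets the translator recognise pseudonyms it issued
    without keeping a table of them (the 'via MAC' validity check)."""
    nonce = nonce or os.urandom(8)
    tag = hmac.new(KEY, nonce, hashlib.sha256).digest()[:8]
    return (nonce + tag).hex()


def valid_pseudonym(p: str) -> bool:
    """True only for well-formed pseudonyms whose tag verifies under KEY."""
    try:
        raw = bytes.fromhex(p)
    except ValueError:
        return False
    if len(raw) != 16:
        return False
    tag = hmac.new(KEY, raw[:8], hashlib.sha256).digest()[:8]
    return hmac.compare_digest(raw[8:], tag)


def rewrite_page(html: str, pseudonym: str) -> str:
    """Outgoing HTML: internal host -> public domain, offsite links -> /redir,
    then the pseudonym is appended to every URL (trailing '?', as on the slides)."""
    def fix(m):
        attr, q, url = m.groups()
        if url.startswith(INTERNAL):
            url = PUBLIC + url[len(INTERNAL):]
        elif url.startswith("http"):
            url = f"{PUBLIC}/redir?{url.split('://', 1)[1]}"
        return f"{attr}={q}{url}?{pseudonym}{q}"
    return ATTR_RE.sub(fix, html)


def translate_request(path: str):
    """Incoming path carrying a pseudonym -> path forwarded to the origin,
    or None when the pseudonym is missing or was not issued by us."""
    base, sep, p = path.rpartition("?")
    if not sep or not valid_pseudonym(p):
        return None
    return base
```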
Client’s Perception
Policies
• Offsite Redirection Policy
• Data Replacement Policy
• Client vs. Robot Distinction
Special Cases
• Cache pollution reciprocity
• Shared/Transfer Pseudonyms
Prototype Details
• Java app simulating an HTTP server
• Pseudonyms: 64-bit random number
  – java.security.SecureRandom
• Experimental client:
  – Shell script + curl
Experimental Results
General Considerations
• Forwarding user-agent
• Translate Cookies
• Optimizations