Invasive Browser Sniffing and Countermeasures

Markus Jakobsson & Sid Stamm

Presentation Transcript
Context Aware Attacks

Data about targets obtained

Used to customize emails

Yields higher vulnerability rate

Context: Social Networks
  • Mine site for relationships (Alice knows Bob)
  • Spoof email from victim’s friend
  • People trust their friends (and that which spoofs them)
Context: Browser-Recon
  • Phisher mines browsers
    • Browsing history
    • Cached data
  • Attacker can discover affiliations
  • Easy to pair browser history with email address
Context: Cache Recon

Pic1.jpg is not in cache:

GET /index.html

GET /pics/pic1.jpg

GET /pics/pic2.jpg

Context: Cache Recon

Pic1.jpg is in cache:

GET /index.html

Context: Cache Recon

GET pic1.jpg

GET logout.jpg

GET pic2.jpg

(Felten & Schneider, “Timing Attacks on Web Privacy”, 7th ACM Conference in Computer & Communication Security, 2000.)

Context: History Recon

[Figure: “What You See” beside “The Code” for Link 1, Link 2 and Link 3]

History Recon + Email

GET /[email protected]

(lots of links)

GET /[email protected]

GET /[email protected]

Phisher can now associate Alice with link 1 and 42

Auto-Fill Identity Extraction

Solutions to Browser-recon
  • Client-Side Solutions:
    • Jackson, Bortz, Boneh, Mitchell, “Protecting browser state from web privacy attacks”, To appear in WWW06, 2006.
    • CSS limiting
    • “User-Paranoia” (regularly clear history, cache, keep no bookmarks)
  • Server-Side Solution:
    • Make URLs impossible to guess
Solution Goals

Requirements

  • Hard to guess any pages or resources served by SP
  • Search engines can still index and search SP
Solution Techniques
  • Two techniques:
    • Customize URLs with pseudonyms: http://chase.com/page.html?39fc938f
    • Pollute Client State (fill cache/history with related sites not visited by client)
  • Hiding vs. obfuscating
    • Internal (protected) URLs hidden
    • Entry point (public) URLs obfuscated
Solution to Browser-recon

[Diagram labels: C, T, ST, SB, Domain of S; requests GET /?13fc021b and GET /]

Pseudonyms
  • Establishing a pseudonym
  • Using a pseudonym
  • Pseudonym validity check
    • Via Cookies
    • Via HTTP-REFERER
    • Via Message Authentication Codes
Pseudonyms
  • Robot Policies
    • Dealing with search engines
    • Robots.txt “standard” (no problem if cheating)
  • Pollution Policy
    • Pollute entrance URLs
    • How to choose pollutants?
  • What about links to offsite data?
  • Bookmarks?
Example

[Diagram sequence: client C, Bank.com, 10.0.0.1; requests GET /page.html?83fa029 and GET /page.html; later frames labelled “Go to G”, “Log in”, “hm” and “T”]

Policies
  • Offsite Redirection Policy
  • Data Replacement Policy
  • Client vs. Robot Distinction
Special Cases

Shared/Transfer Pseudonyms

Cache pollution reciprocity

Prototype Details
  • Java App simulating an HTTP server
  • Pseudonyms: 64-bit random number
    • java.security.SecureRandom
  • Experimental Client:
    • Shell script + CURL
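
The pseudonym steps listed under Pseudonyms and Prototype Details (establish, use, validity check via MAC, 64-bit random value), sketched in Python as an added example; this is not the authors' Java prototype. The token layout (16 hex digits of pseudonym followed by a truncated HMAC-SHA256 tag), `SERVER_KEY`, the function names and the host `bank.example` are assumptions, and Python's `secrets` stands in for `java.security.SecureRandom`.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

SERVER_KEY = secrets.token_bytes(32)  # assumed: secret MAC key held only by the server
P_HEX = 16                            # 64-bit pseudonym, hex encoded
TAG_HEX = 16                          # assumed: HMAC-SHA256 tag truncated to 64 bits


def tag_for(pseudonym: str, key: bytes) -> str:
    """MAC over the pseudonym, so validity can be checked without stored state."""
    digest = hmac.new(key, pseudonym.encode(), hashlib.sha256).hexdigest()
    return digest[:TAG_HEX]


def new_pseudonym(key: bytes = SERVER_KEY) -> str:
    """Establish a pseudonym: 64 random bits from a CSPRNG, plus the MAC tag."""
    p = secrets.token_hex(P_HEX // 2)
    return p + tag_for(p, key)


def is_valid(token: str, key: bytes = SERVER_KEY) -> bool:
    """Validity check via MAC; bytes are compared in constant time."""
    if len(token) != P_HEX + TAG_HEX:
        return False
    p, tag = token[:P_HEX], token[P_HEX:]
    return hmac.compare_digest(tag.encode(), tag_for(p, key).encode())


def customize(url: str, token: str) -> str:
    """Customize a URL by carrying the pseudonym as its whole query string."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, s.netloc, s.path, token, s.fragment))


def handle(url: str, key: bytes = SERVER_KEY):
    """Decide one request: (200, backend_path) or (302, customized_url)."""
    s = urlsplit(url)
    if is_valid(s.query, key):
        # Valid pseudonym: strip it and serve the plain back-end path.
        return 200, s.path
    # Missing or forged pseudonym: establish a fresh one and redirect to it,
    # so the guessable URL is never the one recorded in history or cache.
    return 302, customize(url, new_pseudonym(key))
```

Because every client is redirected to its own customized URL, a third party probing the plain URL learns nothing about what this client's browser holds.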
General Considerations
  • Forwarding user-agent
  • Translate Cookies
  • Optimizations