Thread: New Sniffing Methods Expose Your Browsing History

  1. #1
    Renk's Avatar

    New Sniffing Methods Expose Your Browsing History

    Sniffing a browser's history is not new. But recently researchers have found new ways to perform it, allowing a high sniffing rate:

    The faster the attack, the longer the list of target sites an attacker can ‘sniff’ in a reasonable amount of time. The fastest history sniffing attacks have reached rates of thousands of URLs tested per second, allowing attackers to quickly put together detailed profiles of web surfers’ online activity.

    All the tested browsers (even Brave) but TBB are vulnerable to these attacks, Chrome being the most vulnerable of all:

    All of the attacks the researchers developed in their WOOT 2018 paper worked on Google Chrome. Two of the attacks also worked on a range of other browsers, from Mozilla Firefox to Microsoft Edge, as well as various security-focused research browsers. The only browser which proved immune to all of the attacks is the Tor Browser, which doesn’t keep a record of browsing history in the first place.
    https://www.helpnetsecurity.com/2018...-to-attackers/



    On Firefox, it is said in the paper that turning the pref layout.css.visited_links_enabled to false should solve the issue but in fact, doesn't.
    Last edited by Renk; 06.11.18 at 03:15.

  3. #2

    Whenever we think that we are safe then it happens.
    Kind of scary how unsafe we are on the internet. And then of course professional people like you tell us how to be secure.
    I'm loving this community as a family.

  4. #3
    Moderator
    Instab's Avatar
    The attacks the researchers developed, in the form of JavaScript code
    just keep js off as always
    Your account has been disabled.

  5. #4
    Renk's Avatar
    Join Date
    17.08.08
    Location
    Elsewhere
    P2P Client
    utorrent
    Posts
    505
    Activity Longevity
    3/20 18/20
    Today Posts
    0/5 ssssss505
    Quote Originally Posted by Instab View Post
    just keep js off as always
    Theoretically yes, but (too) many sites today are losing functionalities without JavaScript. Moreover, blocking JavaScript uglifies them a lot. Your advice works (and is likely the most efficient advice) but it requires too much discipline and perseverance for, say, 90% of the users.

  6. #5
    Moderator
    Instab's Avatar
    sure, there's no proper solution for the masses until the browsers fix this.
    Your account has been disabled.

  7. #6
    Moderator anon's Avatar
    Better solution: turn history off. They can't sniff data that isn't there in the first place. Chrome doesn't let you do this, but you can erase it and make the "History" and "History-journal" files in your profile directory read-only.

    Note that I haven't read the paper yet, so this measure may not actually be effective (just like it wasn't for Opera back in '09 without additional settings).
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."

  9. #7
    Renk's Avatar
    Quote Originally Posted by anon View Post
    Better solution: turn history off. They can't sniff data that isn't there in the first place. Chrome doesn't let you do this, but you can erase it and make the "History" and "History-journal" files in your profile directory read-only.

    Note that I haven't read the paper yet, so this measure may not actually be effective (just like it wasn't for Opera back in '09 without additional settings).
    In about:config I set the pref. browser.sessionhistory.max_entries to 10 (default is 50!), and I use a CanvasBlocker feature to protect history. In doing so, I can revisit any of the last ten pages visited, but clicking on the tab "History" always shows a blank. I think/hope this immunizes me against the attack, but I have no proof of that. And I don't know any test site using these last sniffing methods to test what is efficient and what is not.

  11. #8
    Elite Sazzy's Avatar
    Quote Originally Posted by anon View Post
    Better solution: turn history off. They can't sniff data that isn't there in the first place. Chrome doesn't let you do this, but you can erase it and make the "History" and "History-journal" files in your profile directory read-only.

    Note that I haven't read the paper yet, so this measure may not actually be effective (just like it wasn't for Opera back in '09 without additional settings).
    i love the concept of firefox focus on android. You open the browser, a clean instance appears, you do your thing, swipe it away and it automatically erases everything you've just done. You open it again later, clean instance! Which also makes it lightweight and fast.
    Last edited by Sazzy; 11.11.18 at 01:53.
    g̺̗͙̺l̜̜i͖̦͇̙t͕̲̜c͇̮͕̺̩͎̰̜h͕̦̘

  13. #9
    Renk's Avatar
    Quote Originally Posted by Sazzy View Post
    i love the concept of firefox focus on android. You open the browser, a clean instance appears, you do your thing, swipe it away and it automatically erases everything you've just done. You open it again later, clean instance! Which also makes it lightweight and fast.
    I don't have FF on Android. Isn't the behavior you describe the same as using private mode with desktop FF?

  14. #10
    Advanced User alpacino's Avatar
    Oh dear! Time to separate tracker and sb-i activity again. Hahahaha. Not that I ever stopped doing that.
    God help us all if RED or anything like that starts using this now.
    it's hip to be square

  16. #11
    Moderator anon's Avatar
    Quote Originally Posted by Renk View Post
    In about:config I set the pref. browser.sessionhistory.max_entries to 10 (default is 50!), and I use a CanvasBlocker feature to protect history. In doing so, I can revisit any of the last ten pages visited, but clicking on the tab "History" always shows a blank. I think/hope this immunizes me against the attack, but I have no proof of that. And I don't know any test site using these last sniffing methods to test what is efficient and what is not.
    That's a good method and the one I use on both Firefox and Opera (where the amount of tabs is hardcoded to 100, but canvas functionality can be disabled at opera:config). Note that those closed tabs are part of your browser session, so they are remembered across restarts and so is the data inside them, as controlled by browser.sessionstore.privacy_level.

    A proof of concept or test site for these new attacks would be good, yes.

    Quote Originally Posted by Sazzy View Post
    i love the concept of firefox focus on android. You open the browser, a clean instance appears, you do your thing, swipe it away and it automatically erases everything you've just done. You open it again later, clean instance! Which also makes it lightweight and fast.
    With some exceptions (e.g. keeping autologin for trusted sites, dealing with large data blobs in Chrome), I see no reason not to apply this paradigm to all surfing.

    Quote Originally Posted by Renk View Post
    I don't have FF on Android. Isn't the behavior you describe the same as using private mode with desktop FF?
    Apparently it is, but the interface is engineered to "focus" on one site at a time and avoid distractions. No tabs, no bookmarks and very limited configuration.

    https://www.guidingtech.com/firefox-...ld-you-switch/

    Quote Originally Posted by alpacino View Post
    Oh dear! Time to separate tracker and sb-i activity again. Hahahaha. Not that I ever stopped doing that.
    God help us all if RED or anything like that starts using this now.
    Announcements - BitTorrent Talk

    2009 was so much fun, now that almost a decade has passed and most of the trackers that banned us don't even exist anymore. In hindsight, we learned a lesson about computer security the hard way.

    Also, that announcement is really showing its age...

    Also², Redacted is the next What.cd, so I expect them to be hard at work with this as we speak.
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
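
The Firefox prefs named in this thread (layout.css.visited_links_enabled, browser.sessionhistory.max_entries, browser.sessionstore.privacy_level) can be read back from a profile's prefs.js to confirm what is actually set. The script below is an added example, not code from any poster; the sample file content is constructed, and the defaults for the first and third pref are assumptions not stated in the thread. It only reports values and makes no claim that any setting stops the attacks.

```javascript
// Added example: report the Firefox prefs discussed in this thread.
// SAMPLE_PREFS is constructed for illustration, not taken from a real profile.
const SAMPLE_PREFS = `
// Mozilla User Preferences
user_pref("browser.sessionhistory.max_entries", 10);
user_pref("browser.startup.homepage", "about:blank");
user_pref("layout.css.visited_links_enabled", false);
`;

// Pref name -> default used when the profile does not override it.
// 50 is the default quoted in the thread; the other two are assumed defaults.
const WATCHED = {
  "layout.css.visited_links_enabled": true,
  "browser.sessionhistory.max_entries": 50,
  "browser.sessionstore.privacy_level": 0,
};

// Parse user_pref("name", value); lines; a later line overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*(.+?)\s*\)\s*;\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything malformed
    let value;
    try {
      value = JSON.parse(m[2]); // booleans, integers, double-quoted strings
    } catch (e) {
      value = m[2]; // keep the raw token if it is not JSON-compatible
    }
    prefs.set(m[1], value);
  }
  return prefs;
}

// One row per watched pref: effective value, whether it is set explicitly,
// and whether it still equals the default.
function auditPrefs(text) {
  const set = parsePrefs(text);
  return Object.entries(WATCHED).map(([name, def]) => {
    const explicit = set.has(name);
    const value = explicit ? set.get(name) : def;
    return { name, value, explicit, atDefault: value === def };
  });
}

for (const row of auditPrefs(SAMPLE_PREFS)) {
  console.log(`${row.name} = ${row.value}` +
    (row.explicit ? " (set in profile)" : " (default)"));
}
```

To check a real profile, pass the text of its prefs.js (and user.js, if present, appended after it) to auditPrefs instead of SAMPLE_PREFS.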