Thread: New Sniffing Methods Expose Your Browsing History

  1. #1
    Advanced User Renk's Avatar

    New Sniffing Methods Expose Your Browsing History

    Sniffing a browser's history is not new. But recently researchers have found new ways to perform it, allowing a high sniffing rate:

    The faster the attack, the longer the list of target sites an attacker can ‘sniff’ in a reasonable amount of time. The fastest history sniffing attacks have reached rates of thousands of URLs tested per second, allowing attackers to quickly put together detailed profiles of web surfers’ online activity.

    All the tested browsers (even Brave) but TBB are vulnerable to these attacks, Chrome being the most vulnerable of all:

    All of the attacks the researchers developed in their WOOT 2018 paper worked on Google Chrome. Two of the attacks also worked on a range of other browsers, from Mozilla Firefox to Microsoft Edge, as well as various security-focused research browsers. The only browser which proved immune to all of the attacks is the Tor Browser, which doesn’t keep a record of browsing history in the first place.
    https://www.helpnetsecurity.com/2018...-to-attackers/



    On Firefox, it is said in the paper that turning the pref layout.css.visited_links_enabled to false should solve the issue but in fact, doesn't.
    Last edited by Renk; 06.11.18 at 03:15.

  2. Who Said Thanks:

    Lucius (13.11.18) , alpacino (11.11.18) , anon (07.11.18) , RapNatioNs (06.11.18) , H265 (06.11.18)

  3. #2

    Whenever we think that we are safe then it happens.
    Kind of scary how unsafe we are on the internet. And then of course professional people like you tell us how to be secure.
    I'm loving this community as a family.

  4. #3
    Moderator
    Instab's Avatar
    The attacks the researchers developed, in the form of JavaScript code
    just keep js off as always
    Your account has been disabled.

  5. #4
    Advanced User Renk's Avatar
    Quote Originally Posted by Instab View Post
    just keep js off as always
    Theoretically yes, but (too) many sites today lose functionality without JavaScript. Moreover, blocking JavaScript uglifies them a lot. Your advice works (and is likely the most efficient advice) but it requires too much discipline and perseverance for, say, 90% of the users.

  6. #5
    Moderator
    Instab's Avatar
    sure, there's no proper solution for the masses until the browsers fix this.
    Your account has been disabled.

  7. #6
    Moderator anon's Avatar
    Better solution: turn history off. They can't sniff data that isn't there in the first place. Chrome doesn't let you do this, but you can erase it and make the "History" and "History-journal" files in your profile directory read-only.

    Note that I haven't read the paper yet, so this measure may not actually be effective (just like it wasn't for Opera back in '09 without additional settings).
    "I just remembered something that happened a long time ago."

  8. Who Said Thanks:

    alpacino (11.11.18)

  9. #7
    Advanced User Renk's Avatar
    Quote Originally Posted by anon View Post
    Better solution: turn history off. They can't sniff data that isn't there in the first place. Chrome doesn't let you do this, but you can erase it and make the "History" and "History-journal" files in your profile directory read-only.

    Note that I haven't read the paper yet, so this measure may not actually be effective (just like it wasn't for Opera back in '09 without additional settings).
    In about:config I set the pref. browser.sessionhistory.max_entries to 10 (default is 50!), and I use a CanvasBlocker feature to protect history. In doing so, I can revisit any of the last ten pages visited, but clicking on the tab "History" always shows a blank. I think/hope this immunizes me against the attack, but I have no proof of that. And I don't know any test site using these last sniffing methods to test what is efficient and what is not.

  10. Who Said Thanks:

    anon (13.11.18)

  11. #8
    Quote Originally Posted by anon View Post
    Better solution: turn history off. They can't sniff data that isn't there in the first place. Chrome doesn't let you do this, but you can erase it and make the "History" and "History-journal" files in your profile directory read-only.

    Note that I haven't read the paper yet, so this measure may not actually be effective (just like it wasn't for Opera back in '09 without additional settings).
    i love the concept of firefox focus on android. You open the browser, a clean instance appears, you do your thing, swipe it away and it automatically erases everything you've just done. You open it again later, clean instance! Which also makes it lightweight and fast.
    Last edited by Sazzy; 11.11.18 at 01:53.
    g̺̗͙̺l̜̜i͖̦͇̙t͕̲̜c͇̮͕̺̩͎̰̜h͕̦̘

  12. Who Said Thanks:

    Lucius (13.11.18) , anon (13.11.18)

  13. #9
    Advanced User Renk's Avatar
    Quote Originally Posted by Sazzy View Post
    i love the concept of firefox focus on android. You open the browser, a clean instance appears, you do your thing, swipe it away and it automatically erases everything you've just done. You open it again later, clean instance! Which also makes it lightweight and fast.
    I don't have FF on Android. Isn't the behavior you describe the same as using private mode with desktop FF?

  14. #10
    Advanced User alpacino's Avatar
    Oh dear! Time to separate tracker and sb-i activity again. Hahahaha. Not that I ever stopped doing that.
    God help us all if RED or anything like that starts using this now.
    it's hip to be square

  15. Who Said Thanks:

    anon (13.11.18)

  16. #11
    Moderator anon's Avatar
    Quote Originally Posted by Renk View Post
    In about:config I set the pref. browser.sessionhistory.max_entries to 10 (default is 50!), and I use a CanvasBlocker feature to protect history. In doing so, I can revisit any of the last ten pages visited, but clicking on the tab "History" always shows a blank. I think/hope this immunizes me against the attack, but I have no proof of that. And I don't know any test site using these last sniffing methods to test what is efficient and what is not.
    That's a good method and the one I use on both Firefox and Opera (where the amount of tabs is hardcoded to 100, but canvas functionality can be disabled at opera:config). Note that those closed tabs are part of your browser session, so they are remembered across restarts and so is the data inside them, as controlled by browser.sessionstore.privacy_level.

    A proof of concept or test site for these new attacks would be good, yes.

    Quote Originally Posted by Sazzy View Post
    i love the concept of firefox focus on android. You open the browser, a clean instance appears, you do your thing, swipe it away and it automatically erases everything you've just done. You open it again later, clean instance! Which also makes it lightweight and fast.
    With some exceptions (e.g. keeping autologin for trusted sites, dealing with large data blobs in Chrome), I see no reason not to apply this paradigm to all surfing.

    Quote Originally Posted by Renk View Post
    I don't have FF on Android. Isn't the behavior you describe the same as using private mode with desktop FF?
    Apparently it is, but the interface is engineered to "focus" on one site at a time and avoid distractions. No tabs, no bookmarks and very limited configuration.

    https://www.guidingtech.com/firefox-...ld-you-switch/

    Quote Originally Posted by alpacino View Post
    Oh dear! Time to separate tracker and sb-i activity again. Hahahaha. Not that I ever stopped doing that.
    God help us all if RED or anything like that starts using this now.
    Announcements - BitTorrent Talk

    2009 was so much fun, now that almost a decade has passed and most of the trackers that banned us don't even exist anymore. In hindsight, we learned a lesson about computer security the hard way.

    Also, that announcement is really showing its age...

    Also², Redacted is the next What.cd, so I expect them to be hard at work with this as we speak.
    "I just remembered something that happened a long time ago."

  17. Who Said Thanks:

    Renk (10.02.19) , alpacino (14.11.18)
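
An added example, not written by any poster in the thread: a small Python audit that parses a Firefox prefs.js and reports the effective values of the three preferences named in the posts above. The sample file content is constructed, and the defaults used for layout.css.visited_links_enabled and browser.sessionstore.privacy_level are assumptions of this example; as the posters say, none of these settings is confirmed to stop the attacks.

```python
import re

# Prefs named in the thread with their defaults. The max_entries default (50)
# is stated in the thread; the other two defaults are assumptions of this example.
THREAD_PREFS = {
    "layout.css.visited_links_enabled": True,
    "browser.sessionhistory.max_entries": 50,
    "browser.sessionstore.privacy_level": 0,
}

# One prefs.js entry looks like: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_value(raw):
    """Convert a prefs.js literal (true/false, integer, quoted string)."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    raise ValueError(f"unrecognised pref literal: {raw!r}")

def parse_prefs(text):
    """Return {name: value}; a later line for the same pref overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(text):
    """For each thread pref, give the effective value and whether it differs from default."""
    user = parse_prefs(text)
    return {
        name: {"value": user.get(name, default),
               "changed": name in user and user[name] != default}
        for name, default in THREAD_PREFS.items()
    }

# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE = '''
// Mozilla User Preferences
user_pref("browser.sessionhistory.max_entries", 10);
user_pref("layout.css.visited_links_enabled", false);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for name, info in audit(SAMPLE).items():
        print(f"{name} = {info['value']!r} ({'changed' if info['changed'] else 'default'})")
```

To check a real profile, pass the text of its prefs.js to audit() while Firefox is closed, since the browser rewrites that file on exit.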
