Thursday, 29 October 2015

New Browser-Attack Reveals Surfing Behavior On Websites

A researcher has demonstrated a new browser attack with which websites can retrieve the browsing habits of their visitors, including browsing history from before the user deleted it. The attack uses HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP).

HSTS lets a website that has once been visited over HTTPS be loaded only over HTTPS afterwards, even if the user types HTTP in the address bar: the browser intercepts the request and switches to HTTPS automatically. CSP is a measure against cross-site scripting. The attack was demonstrated this weekend during the ToorCon conference by researcher Yan Zhu (pdf).

To carry out the attack, a malicious page must embed images from a website that uses HSTS, while making the browser try to load those images over HTTP. CSP is then used to block the HTTPS load that HSTS would otherwise enforce. Because CSP blocks the image, an error is raised, and from the time it takes for that error to appear it can be determined whether the user has previously visited the HSTS website the image was loaded from.

Besides the explanation on her own weblog, Yan Zhu has also put a demonstration page online, which only works in Chrome and Firefox. In addition, the HTTPS Everywhere browser plug-in must be disabled. Only previously visited websites that use HSTS can be discovered. On Hacker News it was suggested that websites can avoid the attack by adding their domain to the HSTS preload list. In that case the domain name is hardcoded into the browser, so that it is only ever visited over HTTPS. A Mozilla employee calls it a "smart attack" on Reddit and states that the browser developer is looking for a solution.
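As an added example (not from the article and not Yan Zhu's code), a small Python checker for the preload mitigation mentioned above: it parses a Strict-Transport-Security header and reports what would stop a domain from qualifying for the HSTS preload list. The one-year max-age threshold and the includeSubDomains and preload requirements are the preload submission rules as I know them and are assumptions in the code, not something the article states.

```python
# Preload submission rules assumed here (hstspreload.org): max-age of at least
# one year, includeSubDomains and preload. The threshold has changed over the
# years, so it is a parameter rather than a fixed fact.
PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; directives are ';'-separated and
    case-insensitive. Returns None when the header is missing or has no valid
    max-age, since browsers ignore such a header."""
    if not header:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None

def preload_problems(header, min_max_age=PRELOAD_MIN_MAX_AGE):
    """List the reasons a header does not qualify for preloading (empty list
    means it passes the checks implemented here)."""
    parsed = parse_hsts(header)
    if parsed is None:
        return ["no valid Strict-Transport-Security header (missing or no max-age)"]
    problems = []
    if parsed["max_age"] < min_max_age:
        problems.append("max-age %d is below the required %d seconds"
                        % (parsed["max_age"], min_max_age))
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not parsed["preload"]:
        problems.append("preload directive missing")
    return problems

# Constructed sample headers: a weak one (a short dynamic pin that only visitors
# of the site carry, which is what the timing attack detects) and a corrected one.
WEAK_HEADER = "max-age=3600"
CORRECTED_HEADER = "max-age=63072000; includeSubDomains; preload"
if __name__ == "__main__":
    for h in (WEAK_HEADER, CORRECTED_HEADER):
        print(repr(h), "->", preload_problems(h) or "eligible for preload submission")
```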
