Wednesday, 28 February 2018

Veil System: Researchers Make Private Browsing More Private


All modern browsers now have private browsing, a function that ensures that the surfing behavior is not stored on the computer. However, the information that is accessed during private browsing can still be retrieved from the computer by a motivated attacker. Reason for researchers from MIT and Harvard to develop a new system called Veil that should make private browsing more private.

Browsers should delete all stored data after closing a private browsing session. However, modern memory management is complex and can ensure that data is left in the memory somewhere. Veil tries to tackle this problem by encrypting all data that the browser loads into memory until it is displayed on the screen.

The use of Veil

To use Veil, the Veil user goes to the Veil website and enters the url of a website. A special "blinding server" then sends a version of the requested page in the Veil format. The Veil page is similar to a normal web page, but contains code that executes a decryption algorithm. The data on the page is unreadable until it is decrypted by the algorithm. Once the data has been decrypted, it must be loaded into the computer's memory to be displayed on the screen. This temporarily stored data should be much harder to trace when the browsing session is over.

In order not to give attackers a chance, Veil takes an additional security measure. The blinding server adds meaningless code to every loaded page. This code has no effect on how the page before the user looks, but does change the underlying source file. Every page that is loaded by a blinding server, even if it is the same page, looks different. An attacker who manages to obtain part of the decrypted code after closing a Veil session is therefore unlikely to say which website the user visited.

When these measures are not enough, Veil also offers the option to have the blinding server take a picture of the requested page. In this case, the blinding server opens the requested page, makes a screenshot of it and sends it to the user. This prevents executable code from ending up on the user's system. If the user then clicks on the image somewhere, the browser registers this and sends the new request to the blinding server, which then loads a new zoomed image and sends it back to the user.In order to use the system, websites do have to create a Veil version of their website, but the researchers have developed a compiler for this that automatically performs the conversion. A bigger challenge is hosting the blinding servers, which can be done by volunteers, as is the case with the Tor network, or by companies that, for example, want to offer their visitors more privacy. No adjustments to the browser are required for the implementation of Veil.

No comments:

Post a Comment