Post on 22-Dec-2015
1
Invasive Browser Sniffing and Countermeasures
Aditya Sinha Harshvardhan Kelkar
2
What is this paper about?
Browser cache/history sniffing
Proposed solution (URL personalization)
Implementation, costs, and security
3
Browser Caches/Browser History
Why use browser caches? Where do they reside?
Vulnerable to timing-based attacks.
What about browser history?
4
Threats?
Phishing attacks. Wikipedia: "In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication."
Link manipulation
5
How?
Spoofing Impersonating Websites
6
AUSTRALIA LOTTO LOTTERY INC. 5th Floor East
Commonwealth Centre, 55 Currie Street, Adelaide SA 5000, South Australia.
WINNING NOTIFICATION We are delighted to inform you of the result of the E-mail address ballot lottery
draw of the Australian cash-out lotto bv international programme,which took place on the 26th of MAY 2008.This is a computer generated lottery of Internet users using emailaddresses
for draws.
This lotto draw is fully based on an electronic selection of winners using their e-mail addresses from different World Wide Web(www)sites.Your e-mail address attached to ticket number: 275-189-657-23-05 with Serial number 8756-05 drew the lucky numbers and bonus ball number which subsequently won you the lottery in the 2nd category.You have therefore been approved to claim a total sum of US$500,000.00 (five HUNDRED THOUSAND U.S DOLLARS) in cash credit file ref:ILP/HW 47509/02.
7
What happens next??
Social engineering
Detect online behaviour
It's all from the contextual information.
8
Potential CounterMeasures
Clearing browser cache manually
Disable all caching
Limiting caching on the client side
Server-side solution (prevention of verification by personalization)
9
Client side Vs Server side
Both are complementary; they address the problem from different angles.
A server-side solution plugs holes which may arise in a client-side solution, e.g. a caching proxy.
10
Ways to conceal the Cache
Hide the references to visited websites.
Pollute the references.
The authors combined both methods.
Internal and entrance URLs, e.g. http://test-run.com (entrance) vs. http://test-run.com/logout.jsp (internal).
11
What did the authors do?
Client side: forcing cache and history misses
Server side: plug-in solution
12
Implementation Issues
The robots exclusion standard
User-Agent values, e.g. "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" vs. "Mozilla/5.0 (compatible; Googlebot/2.1)"
Use of privileges
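A minimal sketch (our code, not the authors') of how a filter could classify a request as a robot by substring-matching the User-Agent header, as the values above suggest. The marker list here is illustrative; real deployments would maintain a fuller whitelist.

```java
public class RobotDetector {
    // Illustrative markers; a real whitelist would be configurable.
    private static final String[] BOT_MARKERS = {"googlebot", "robot", "wget", "crawler", "spider"};

    // Returns true if the User-Agent string looks like a robot's.
    public static boolean isRobot(String userAgent) {
        if (userAgent == null) return false;
        String ua = userAgent.toLowerCase();
        for (String marker : BOT_MARKERS) {
            if (ua.contains(marker)) return true;
        }
        return false;
    }
}
```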
13
Goals as set by the authors
Fullest possible use of browser caches and history:
1. A service provider SP should be able to prevent any sniffing of any data related to any of their clients, for data obtained from SP.
2. The above requirement should hold even if caching proxies are used.
3. Search engines must retain the ability to find data served by SP.
14
How these goals are achieved?
Customization technique for URLs (extension)
Cache pollution
Hiding vs. obfuscating
15
A Potential attack
16
A formal goal specification
17
We let A be an adversary controlling any member of the client set except the target client C.
A may post arbitrary requests x and observe the responses.
A's goal is to output a pair (S, x) such that HITC(x) is true.
We say that pi(S) is perfectly privacy-preserving if A attains this goal with at most negligible probability.
We say that pi(S) is searchable if and only if a search engine E can generate a valid response x to the query.
18
Server Side Solution
Similar to middleware.
The core is a filter.
What does the filter do? Modification/customization.
19
Pseudonyms
Establishing a pseudonym: entrance at the index page.
Pseudonyms and temporary pseudonyms are selected from a sufficiently large space, e.g., 64-128 bits in length.
Pseudonyms are generated pseudorandomly each time any visitor starts browsing at a web site.
Using a pseudonym: the translator's domain comes into play; a query-string-like argument is appended to the URL.
20
Pseudonym validity check
Cookies, the HTTP Referer header, message authentication codes.
It is a policy matter to determine what to do if a pseudonym or temporary pseudonym cannot be established to be valid.
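One way to realize the "message authentication codes" option is to make pseudonyms self-authenticating: the server appends a short HMAC tag under a server-side key, so validity can be checked statelessly. This is our sketch of that idea, not the authors' implementation; the `value.tag` encoding and tag length are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;

public class PseudonymMac {
    private final SecretKeySpec key;

    public PseudonymMac(byte[] serverKey) {
        this.key = new SecretKeySpec(serverKey, "HmacSHA256");
    }

    // First 8 bytes of HMAC-SHA256(value), hex-encoded (tag length is our choice).
    private String tag(String value) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            byte[] t = mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 8; i++) sb.append(String.format("%02x", t[i]));
            return sb.toString();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    // Issue a self-authenticating pseudonym of the form value.tag
    public String issue(String value) { return value + "." + tag(value); }

    // Valid iff the tag matches the value under the server's key.
    public boolean isValid(String pseudonym) {
        int dot = pseudonym.lastIndexOf('.');
        return dot >= 0 && tag(pseudonym.substring(0, dot)).equals(pseudonym.substring(dot + 1));
    }
}
```

A forged or truncated pseudonym then fails the check without any server-side lookup table.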
21
Robot policies
The same policies do not necessarily apply to robots and to clients representing human users.
One could use a whitelist approach, i.e., allow certain robot processes additional privileges, e.g. a crawler or a search engine with access to non-pseudonymized data.
Alternatively, use temporary pseudonyms.
What about other processes? Privacy agreements between search engine and server.
22
Pollution policy
A client C can arrive at a web site through four means: typing in the URL, following a bookmark, following a link from a search engine, and following a link from an external site.
When is C's cache polluted? How to choose the pollutants?
If S cannot guarantee that all of the sites in its pollutants list will provide the same list, it must randomize which pollutants it provides.
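The randomized choice of pollutants can be sketched as a simple random subset selection (our illustration; the candidate URLs and subset size are placeholders, not from the paper):

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Random;

public class PollutantPicker {
    // Pick k pollutant URLs uniformly at random from the candidate list,
    // so different visitors receive different (unpredictable) subsets.
    public static List<String> pick(List<String> candidates, int k, Random rng) {
        List<String> copy = new ArrayList<>(candidates);
        Collections.shuffle(copy, rng);
        return copy.subList(0, Math.min(k, copy.size()));
    }
}
```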
Example - Translator
C asks for S.
The request goes to the translator S_T.
S_T adds pseudonym p, queries the back-end server S_B, and replies.
Translation: Off-Site References
Translator - a proxy for the page.
Off-site references? Knowledge leaks from off-site references.
Two ways to handle it: forward to the client, or forward using the same redirection URL.
Don't over-use the translator: a translator working on all sites is an open proxy server!
Redirection
Redirection - is it always necessary?
Collaborating or separate sites?
Collaborate: use the same translator. More work; a policy decides if it is needed.
Separate: shows up as an internal page.
Translation Policies
Off-site redirection policy - should redirection take place through the translator? Is it safe or unsafe?
Data replacement policy - should embedded data (Flash, movies, JPEGs) be fetched through the translator? Same question.
Client Robot Distinction
Are we talking about artificially intelligent robots accessing sites? HA! I wish.
Client robots means really dumb client applications, e.g. VLC player, Googlebot, wget.
Does redirection work in the same way?
History not affected; cache affected.
Special Case 1
Akamai - a distributed content delivery system.
Two ways to handle this:
The ISP provides the translation feature to all customers (web sites) for Akamai.
A translator for the web site being accessed.
Special Case 2
A =======> B
Redirection between A and B through A's translator. "I don't want to!"
Two ways:
Shared - if B "adopts" A's pseudonym.
Transfer - if B "accepts and replaces" A's pseudonym.
Cache Pollution Reciprocity
Why create your own mess when you can get site admins to create mess for you!
A group of site admins could "agree" to pollute the caches of all their clients with the same set of URLs.
Security
Internal Pages: Pseudonym
1. Temporary - so not alive always.
2. Shared - trusted party.
If the client is dumb enough to give it to a third party, well, then the client's screwed!
If the trusted party is not really trustworthy, well, everyone's screwed!
Else the pseudonym is authenticated!
Security
Entrance Page
Dump garbage - we are assured of "mess" from site admins.
Searchability
Search indexing is done by "robots" - already excluded, and oblivious to pseudonyms.
Smart clients: clients can change pseudonyms, but WHY!
Translator
Written in Java.
Pseudonyms calculated using java.security.SecureRandom, as 64-bit random numbers.
Excludes user agents containing "robot" or "wget".
Parses the headers of the HTTP request and response.
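The pseudonym generation described above can be sketched directly: a fresh 64-bit value from java.security.SecureRandom, rendered as 16 hex characters (the form seen in the sample translations, e.g. 38fa029f234fadc3). The method name is ours.

```java
import java.security.SecureRandom;

public class PseudonymGenerator {
    private static final SecureRandom RNG = new SecureRandom();

    // Generate a fresh 64-bit pseudonym as a 16-character hex string.
    public static String fresh() {
        byte[] bytes = new byte[8]; // 64 bits, as in the slide
        RNG.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(16);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```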
Algorithm
Get request from client.
Is a pseudonym present?
=> If not, generate one and reply.
=> If present, authenticate and reply with the same pseudonym.
If the content is not text/html, forward the data according to the redirection policy.
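The algorithm above as a minimal runnable sketch. The helper bodies are ours (placeholders, not the authors' code), and the real translator also rewrites URLs throughout the page body rather than just tagging one URL:

```java
public class FilterSketch {
    // Hypothetical stand-ins for the real translator internals.
    static String newPseudonym() { return "38fa029f234fadc3"; }
    static boolean authenticate(String p) { return p != null && p.matches("[0-9a-f]{16}"); }

    // Rough per-request control flow of the filter (our paraphrase).
    public static String handle(String url, String pseud, String contentType) {
        if (pseud == null || !authenticate(pseud)) {
            pseud = newPseudonym();               // generate (or regenerate) and reply with it
        }
        if (!"text/html".equals(contentType)) {
            return url;                           // non-HTML: forward per the redirection policy
        }
        return url + "?" + pseud;                 // HTML: rewrite on-site URLs with the pseudonym
    }
}
```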
Timing
Not much overhead w.r.t. time when "translating" - measured over a 1000-iteration loop (cumulative time).
Considerations
Client agent type forwarding: the blind server knows only the translator agent.
Cookies: a client sends a cookie only to the server it got it from. If the translator is on a different domain, then it ends up changing cookies all the time - not really something we want to do.
Lazy Translation
For static HTML pages.
Pseudonyms stored in the same place.
The administrator can specify them beforehand.
No parsing for the translator - the translator is very happy.
Sample Translation
<a href=’http://www.google.com/’>Go to google</a>
<a href=’http://10.0.0.1/login.jsp’>Log in</a>
<img src=’/images/welcome.gif’>
Sample Translation
The translator replaces any occurrences of S_B's address with its own.
<a href=’http://www.google.com/’>Go to google</a>
<a href=’http://test-run.com/login.jsp’>Log in</a>
<img src=’/images/welcome.gif’>
Sample Translation
Then, based on S_T's off-site redirection policy, it changes any off-site (external) URLs to redirect through itself:
<a href=’http://test-run.com/redir?www.google.com’>Go to google</a>
<a href=’http://test-run.com/login.jsp’>Log in</a>
<img src=’/images/welcome.gif’>
Sample Translation
Next, it updates all on-site references to use the
pseudonym. This makes all the URLs unique:
<a href=’http://test-run.com/redir?www.google.com?38fa029f234fadc3’>Go to google</a>
<a href=’http://test-run.com/login.jsp?38fa029f234fadc3’>Log in</a>
<img src=’/images/welcome.gif?38fa029f234fadc3’>
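The three rewriting steps can be sketched per-URL as follows. This is a toy paraphrase: the method name and per-URL interface are ours, and a real translator parses HTML rather than handling bare URL strings.

```java
public class LinkRewriter {
    // Rewrite one URL the way the sample translation does:
    // on-site absolute -> swap in the translator host, append pseudonym;
    // off-site -> redirect through /redir? on the translator, append pseudonym;
    // relative (on-site) -> just append the pseudonym.
    public static String rewrite(String url, String backend, String translator, String pseud) {
        String backendPrefix = "http://" + backend;
        if (url.startsWith(backendPrefix)) {
            return "http://" + translator + url.substring(backendPrefix.length()) + "?" + pseud;
        }
        if (url.startsWith("http://") || url.startsWith("https://")) {
            return "http://" + translator + "/redir?" + url.replaceFirst("https?://", "") + "?" + pseud;
        }
        return url + "?" + pseud;
    }
}
```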
VOILA !!
Special Thanks
This is a completely stolen piece of work!
We didn't do anything except make the presentation!
All the work was done by Markus Jakobsson and Sid Stamm.