W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2015

Re: Browser Fingerprinting using HSTS and CSP

From: Nick Doty <npdoty@w3.org>
Date: Wed, 2 Dec 2015 16:50:26 -0800
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <8B97A094-CF1B-46FB-8C6D-8D52A85F51FF@w3.org>
To: Keiji Takeda <tkeiji@w3.org>
Thanks for sharing that with the list; it's an interesting challenge.

I was under the impression that it didn't work in recent builds of Firefox specifically because Firefox didn't allow a CSP policy that required HTTP-only access. Does anyone know if that's still correct? Is that a general solution that could be deployed to other browsers?

More generally, though, it seems like we should pro-actively consider other attacks that might be like this. What are the privacy implications of features like HSTS or others where a header during one visit changes future behavior? Should we just try to move as much HSTS into pre-load lists rather than by headers on a visit? Or are there timing variations that should be made (in implementations individually, or it could even be by spec) that will mitigate against this kind of attack?

―Nick

> On Dec 2, 2015, at 8:04 AM, Keiji Takeda <tkeiji@w3.org> wrote:
> 
> I think this is worth sharing here.
> 
> Sniffly (presented at ToorCon2015 by yan zhu/MIT) abuses HSTS and CSP to
> steal browser history.
> 
> Sniffy:
>     https://github.com/diracdeltas/sniffly
> 
> Presentation:
>     https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf
> 
> Demo(tries to show sites you visited):
>     http://zyan.scripts.mit.edu/sniffly/
> 
> Keiji
> 


Received on Thursday, 3 December 2015 00:50:34 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 3 December 2015 00:50:35 UTC