- From: Nick Doty <npdoty@w3.org>
- Date: Wed, 2 Dec 2015 16:50:26 -0800
- To: Keiji Takeda <tkeiji@w3.org>
- Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Received on Thursday, 3 December 2015 00:50:34 UTC
Thanks for sharing that with the list; it's an interesting challenge. I was under the impression that it didn't work in recent builds of Firefox specifically because Firefox didn't allow a CSP policy that required HTTP-only access. Does anyone know if that's still correct? Is that a general solution that could be deployed to other browsers?

More generally, though, it seems like we should proactively consider other attacks that might be like this. What are the privacy implications of features like HSTS or others where a header during one visit changes future behavior? Should we just try to move as much HSTS into pre-load lists rather than by headers on a visit? Or are there timing variations that should be made (in implementations individually, or it could even be by spec) that will mitigate against this kind of attack?

―Nick

> On Dec 2, 2015, at 8:04 AM, Keiji Takeda <tkeiji@w3.org> wrote:
>
> I think this is worth sharing here.
>
> Sniffly (presented at ToorCon2015 by yan zhu/MIT) abuses HSTS and CSP to
> steal browser history.
>
> Sniffly:
> https://github.com/diracdeltas/sniffly
>
> Presentation:
> https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf
>
> Demo (tries to show sites you visited):
> http://zyan.scripts.mit.edu/sniffly/
>
> Keiji
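Nick's suggestion of moving HSTS into the preload list rather than relying on the header set during a visit has a practical prerequisite: a site's Strict-Transport-Security header has to meet the preload submission criteria before it can be listed. The following checker is an added example, not code from this thread or from the Sniffly project. It parses the header value per RFC 6797 (semicolon-separated directives, case-insensitive names, optionally quoted max-age, duplicate directives invalid, unknown directives ignored) and reports what would keep a site off the preload list. The eligibility thresholds (max-age of at least one year, includeSubDomains, preload) are my reading of the hstspreload.org submission requirements, so treat them as an assumption to re-verify against the current rules; the sample header values are constructed.

```python
"""Parse Strict-Transport-Security header values and check them against
the HSTS preload submission criteria.

Added example for the public-privacy thread on Sniffly; not code from the
W3C list or from the Sniffly project. The preload thresholds below are an
assumption based on the hstspreload.org requirements at time of writing.
"""

from dataclasses import dataclass
from typing import Optional

# Assumed hstspreload.org criteria: max-age >= one year, includeSubDomains, preload.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HSTSPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


class HSTSParseError(ValueError):
    """Raised for header values that RFC 6797 says a UA must reject."""


def parse_hsts(header_value: str) -> HSTSPolicy:
    """Parse an STS header value following RFC 6797 section 6.1.

    Directives are ';'-separated, names are case-insensitive, max-age may be
    quoted, and a directive appearing more than once makes the header invalid.
    Unrecognised directives are ignored, as the RFC requires.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerate a trailing ';' or empty directive
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if name in seen:
            raise HSTSParseError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = value[1:-1]  # quoted-string form is allowed
            if not value.isdigit():
                raise HSTSParseError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored
    if max_age is None:
        raise HSTSParseError("max-age directive is required")
    return HSTSPolicy(max_age, include_subdomains, preload)


def preload_problems(header_value: str) -> list[str]:
    """Return the reasons the header is not preload-eligible (empty list = eligible)."""
    try:
        policy = parse_hsts(header_value)
    except HSTSParseError as exc:
        return [f"invalid header: {exc}"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE} (one year)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample header values, from eligible to malformed.
    samples = [
        "max-age=31536000; includeSubDomains; preload",
        "max-age=300",
        'Max-Age="63072000"; IncludeSubDomains',
        "max-age=31536000; max-age=0; preload",
    ]
    for sample in samples:
        print(f"{sample!r}: {preload_problems(sample) or 'preload-eligible'}")
```

Run it against the headers a site actually serves (for the apex host and every subdomain) before submitting to the preload list; a header that parses but fails one of the three criteria is the common case, and a duplicate max-age, which browsers must reject outright, is the one that silently leaves the site with no HSTS at all.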