- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Thu, 3 Dec 2015 09:45:40 -0000
- To: "'Nick Doty'" <npdoty@w3.org>, "'Keiji Takeda'" <tkeiji@w3.org>
- Cc: "'public-privacy \(W3C mailing list\)'" <public-privacy@w3.org>
I think the attack is about measuring the time delay between a CSP blocked XHR request and the resulting onerror, then detecting whether a site had been visited by measuring a short delay (because the url would be cached). We could recommend that the UA inserts a random ~100ms-ish delay before triggering events from CSP blocked requests. It only needs to be there for cross-origin ones.

The only difference I know about for CSP support in Firefox is that they do not currently support CSPs in meta tags, but I believe that is about to be released anyway.

-----Original Message-----
From: Nick Doty [mailto:npdoty@w3.org]
Sent: 03 December 2015 00:50
To: Keiji Takeda <tkeiji@w3.org>
Cc: public-privacy (W3C mailing list) <public-privacy@w3.org>
Subject: Re: Browser Fingerprinting using HSTS and CSP

Thanks for sharing that with the list; it's an interesting challenge.

I was under the impression that it didn't work in recent builds of Firefox specifically because Firefox didn't allow a CSP policy that required HTTP-only access. Does anyone know if that's still correct? Is that a general solution that could be deployed to other browsers?

More generally, though, it seems like we should pro-actively consider other attacks that might be like this. What are the privacy implications of features like HSTS or others where a header during one visit changes future behavior? Should we just try to move as much HSTS into pre-load lists rather than by headers on a visit? Or are there timing variations that should be made (in implementations individually, or it could even be by spec) that will mitigate against this kind of attack?

―Nick

> On Dec 2, 2015, at 8:04 AM, Keiji Takeda <tkeiji@w3.org> wrote:
>
> I think this is worth sharing here.
>
> Sniffly (presented at ToorCon2015 by yan zhu/MIT) abuses HSTS and CSP to
> steal browser history.
>
> Sniffly:
> https://github.com/diracdeltas/sniffly
>
> Presentation:
> https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf
>
> Demo (tries to show sites you visited):
> http://zyan.scripts.mit.edu/sniffly/
>
> Keiji
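The thread proposes a concrete countermeasure (the UA adds a random delay of roughly 100ms before firing events for CSP-blocked cross-origin requests) without saying how much it actually buys. The simulation below is an added example, not code from the thread or from the Sniffly project: it models the onerror latency for a request that is blocked immediately versus one that goes to the network before failing, applies the proposed jitter, and measures how well a single "short delay means visited" decision still works. The 2ms and 40ms base latencies, the noise widths, and the 2000-trial sample size are constructed assumptions, not measurements.

```python
"""Model of the CSP-blocked-request timing channel and the proposed UA jitter.

Added example; the latencies below are constructed assumptions, not figures
from the thread or from Sniffly.
"""
import random
import statistics

BLOCKED_FAST_MS = 2.0   # assumed: UA blocks the upgraded URL at once, no network
NETWORK_MS = 40.0       # assumed: request leaves the machine before failing
JITTER_MAX_MS = 100.0   # the "random ~100ms-ish delay" proposed in the thread


def onerror_latency(visited, jitter, rng):
    """Milliseconds from XHR start to onerror in this simplified model.

    visited: the site's HSTS entry upgrades the URL, so it hits CSP immediately.
    jitter:  whether the UA adds the proposed random delay before the event.
    """
    if visited:
        base = rng.gauss(BLOCKED_FAST_MS, 0.5)
    else:
        base = rng.gauss(NETWORK_MS, 5.0)
    if jitter:
        base += rng.uniform(0.0, JITTER_MAX_MS)
    return base


def single_sample_accuracy(jitter, threshold_ms, trials=2000, seed=1):
    """Fraction of correct visited/not-visited guesses from ONE measurement,
    using the rule 'latency below threshold means visited'."""
    rng = random.Random(seed)
    correct = 0
    for visited in (True, False):
        for _ in range(trials):
            guess = onerror_latency(visited, jitter, rng) < threshold_ms
            correct += guess == visited
    return correct / (2 * trials)


def averaged_accuracy(repeats, threshold_ms, trials=2000, seed=2):
    """Same rule with the jitter always on, but each guess averages `repeats`
    measurements. This is the check on the countermeasure: uniform jitter has a
    fixed mean, so averaging recovers the underlying timing difference."""
    rng = random.Random(seed)
    correct = 0
    for visited in (True, False):
        for _ in range(trials):
            mean = statistics.fmean(
                onerror_latency(visited, True, rng) for _ in range(repeats)
            )
            correct += (mean < threshold_ms) == visited
    return correct / (2 * trials)


if __name__ == "__main__":
    midpoint = (BLOCKED_FAST_MS + NETWORK_MS) / 2
    print("no jitter, 1 sample    :", single_sample_accuracy(False, midpoint))
    print("jitter,    1 sample    :", single_sample_accuracy(True, midpoint))
    # With jitter on, both expected latencies shift up by JITTER_MAX_MS / 2.
    print("jitter,    20 averaged :", averaged_accuracy(20, midpoint + JITTER_MAX_MS / 2))
```

Under these assumptions a single measurement goes from near-certain to roughly 60% accuracy once the jitter is added, which is what the proposal aims for. The averaged figure is the caveat: because the added delay has a fixed mean, repeated measurements of the same URL cancel it, so the delay only hides timing differences that are small relative to its spread and the spec text would need to pair it with something that limits repetition (or rely on preload lists, as Nick suggests, so that no per-visit state is observable at all).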
Received on Thursday, 3 December 2015 09:46:17 UTC