Security Now 264

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 264

Security Now 264: Side Channel Privacy Leakage

News & Errata

6:42 - 7:14

  • None this week

7:15 - 9:30

  • Steve likes the new Kindle

Spinrite Story

9:31 - 10:48 John Payne (Atlanta, Georgia)

Spinrite fixed a broken computer

Side Channel Privacy Leaking

13:36 - 01:08:12

  • Cookies have been a long-term problem for many people who object to the idea that in some fashion their actions are being tracked across the Internet.
  • Cookies are used by a website to uniquely identify a user over a period of time
  • For example if you want to remain logged into a website cookies are used


  • What some clever people recognized was that an advertiser who served ads, a so-called "advertising network" who served ads to many thousands of websites across the Internet, also had cookie privileges, so-called third-party cookie privileges.
  • When you go to a site, and that site you go to, whose URL is up in the title bar, that's a first-party cookie because this is the site you're visiting. * But third-party content like advertisements could be served onto the same page.
  • Well, those ads have cookie privileges, so-called third-party cookie privileges.
  • What that means is that even the ad serves your browser a cookie, which is tied to the advertiser's server.
  • If you then visit another website who is using the same advertising network the advertising network knows that you were on the different site earlier
  • Many people object to this


  • It's possible to identify individual digital cameras from non-uniformity in their optical sensors.
  • There's something called "sensor pattern noise" that individual digital camera elements have, that renders individual ones unique, such that, if you look at a number of pictures from different cameras, it's possible, absent any other information, to determine which cameras took which pictures.


  • A web fingerprint, or a browser fingerprint, is information which is escaping from our use of a browser when we search the Internet, which we're not aware of.
  • Every query which our browser makes to a server contains, by definition, as part of the specification of the way the HTTP protocol works for communicating with servers, contains a bunch of headers.
  • One of the other headers which is included in every request that a browser makes to a server, is the user-agent.
  • Another header, also part of every query, is the accept header, which is a way for my browser to say to the server, I'm going to accept the following stuff, the following formats.
  • There's the accept-language header


How effective is this information at identifying individuals ?

  • "Arcot" - claims it is able to ascertain PC clock processor speed along with common browser factors to identify a device.
  • "41st Parameter" - looks at more than 100 parameters and at the core of its algorithm is a time differential parameter that measures the time difference between a user's PC down to the millisecond and a time reference.
  • "ThreatMetrix" - claims that it can detect irregularities in the TCP/IP stack and can pierce through proxy servers.
  • "Iovation" - provides device tagging (through LSO - Local Shared Objects) and clientless fingerprinting and operates a "reputation database" which maintains data on millions of PCs.


  • The EFF Panopticlick Experiment:
  • During the course of the first half year, this Panopticlick.EFF.org website was visited by 470,161 web browsers, so a little over 470,000 web browsers, just shy of half a million.
  • The code which the Panopticlick site ran in people's browsers and also collected passively from their browser

Panopticlick collected:

  • User-Agent:
  • Http Accept:
  • Cookies Enabled?
  • Screen Resolution (via Javascript)
  • Timezone (via Javascript)
  • Browser Plugins & versions (via Javascript)
  • System font enumeration (Flash or Java applet + Javascript)


  • Browsers without Flash or Java:
  • 83.6% of the browsers seen had an instantaneously unique fingerprint.
  • Of those that did not, 5.3% were only one of two identical browsers.
  • 18.1 bits of Entropy - 1 in every 286,777 browsers.


  • Browsers with Flash or Java:
  • 94.2% of browsers were instantaneously unique
  • And among non-unique browsers, 4.8% were only seen twice.
  • 18.8 bits of entropy - 1 in 456,419
  • Only 1.0% of browsers with Flash or Java had anonymity sets larger than two.


  • Browser fingerprints evolve over time, but not different enough to prevent tracking the evolution.
  • Of the 8,833 browsers that accepted cookies and returned to panopticlick several times over a period of more than 24 hours, 37.4% exhibited at least one fingerprint change... .
  • 99.1% of guesses about changing fingerprints were correct.
  • Only 0.86% false positive rate.


Explicit Channels:

  • HTTP Browser Cookies
  • Adobe Flash "Super Cookies"
  • LSO - Local Shared Objects


Side Channels:

  • Browser Query Leakage:
  • HTTP Accept: Header
  • Micro Version information
  • Cookies enabled (or not)
  • Scripts enabled (or not)
  • Images enabled (or not)
  • HTTP User-Agent:
  • Fake HTTP User-Agent:
  • CSS visited links
  • Screen resolution & color depth
  • Browser plug-in enumeration
  • Timezone
  • System Font Enumeration & Enumeration order
  • Windows network MAC interface
  • ShieldsUP! could often see it - something local *definitely* can
  • Browser cache content
  • ASN Number - Autonomous System Number (network owner)
  • IP Most Significant Bytes
  • System Clock Skew
  • TCP/IP Stack Fingerprinting


  • Note that MOST of the more powerful side-channel attacks require more than a purely passive client... they need scripting, Flash or Java.


Countermeasures:

  • Paradoxically, can be more "identifying" than not.  :)
  • Since "incremental" changes are trackable, change as much as possible ALL AT ONCE.


Cookie Regeneration:

  • Fingerprint + IP, etc. to reform or merge old and new cookies
  • IP, subnet, ASN, etc.
  • Sequence:
  • You're cruising around and DoubleClick.net is tracking by 3rd party cookie *and* simultaneously fingerprinting. You wash your system clean of cookies
  • But you step back out onto the Net with the same FINGERPRINT, touch a site with Doubleclick... and cookies are instantly regenerated and re-linked.


The conclusion?

  • For now, don't worry about it.
  • Instead, understand what's being done and BEHAVE accordingly.
  • But... Resistance is NOT futile. Doing what you can is still worthwhile.

Sponsors

Astaro

Production Information

  • Edited by: Tony
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.