Does NoScript prevent the type history sniffing mentioned?

scripteze
Junior Member
Posts: 46
Joined: Wed Mar 14, 2012 6:15 pm


Post by scripteze »

Some of you may've seen something on the news or a relatively few sites mentioning the "latest" method to sniff user history, in most browsers out there.
Though the site lists this under security category, it's probably privacy: http://arstechnica.com/security/2014/06/theyre-ba-ack-browser-sniffing-ghosts-return-to-haunt-chrome-ie-firefox/

This "new discovery" is apparently coming off the bug filed on Mozilla a yr ago, which saw no action (it's only a privacy issue, that should make advertisers, trackers very happy - if they can exploit it).
Some more advanced members here can look over the bug report explanation of how the exploits work & see if NS (or other methods) prevent it - short of not keeping history.
There are 2 methods listed.
https://bugzilla.mozilla.org/show_bug.cgi?id=884270#c2
Paul Stone 2013-06-28 04:00:57 PDT

I will be talking about this issue and similar ones in IE and Chrome next month at Black Hat.
This is rated as low impact
... From what perspective? That it's not a critical security hole? Sorta depends on what sites / trackers ultimately figure out what can be done w/ this info, added to what else they can glean off the same machine.

If NS blocks the ability to exploit this - fine. If not, guess you can use private browsing or clear your history a lot (addon - automatically clear history for site(s) when tab's closed?).

EDIT: In bugzilla report - exploit explanation: "If the link is visited, the browser will redraw the elements as :visited."
Since the browser has already loaded the elements included on a page (from the server), why does the browser need to share w/ the site that it is "redrawing" the elements as visited?
Couldn't that redrawing be internal to a browser? (I may be showing my ignorance by asking).
End EDIT.
**********************

Not being able to see which sites, pages, articles you've visited is a pain, sometimes. I forget & wind up loading the same things.
But if keeping history means sites (perhaps) may be able to see, or "infer" your history, I guess adjustments will be needed.

Is using the web somewhat like being intimate wearing a full hazmat suit & 3 layers of condoms?
Last edited by therube on Mon Jun 16, 2014 11:12 pm, edited 1 time in total.
Reason: link fixed
Sam

Re: Does NoScript prevent the type history sniffing mentione

Post by Sam »

This attack relies on JavaScript to do the timing, so NoScript protects us unless we allow JS on the site.

You can also just disable history without going full private browsing mode.

What concerns me more is the SVG timing attack described in Paul Stone's video found listed in your link. I'm starting again to consider disabling SVG but... dunno.
Still, even the SVG attack requires JS to measure time.
barbaz
Senior Member
Posts: 11065
Joined: Sat Aug 03, 2013 5:45 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by barbaz »

The PoC on the linked bug didn't give me correct results at all...

If it all depends on window.requestAnimationFrame and/or other properties of the window object, this attack can be easily blocked with an early user script that effectively removes those properties...

Object.defineProperty(window, "requestAnimationFrame", {set:function(){}});
*Always* check the changelogs BEFORE updating that important software!
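An added example, not code from this thread, of the hardening barbaz describes: an early user script (or the replacement pref of a NoScript surrogate) that blanks out the timing functions before page script runs. The property list and the stand-in window object are constructed for this example so it runs under Node; the real script would operate on the global window. One detail the one-liner above leaves open is that it redefines the property without touching its configurable attribute, so a page could delete or redefine it again; the version here locks it.

```javascript
"use strict";

// Window properties to neutralise. The list is an assumption for this example:
// the thread names requestAnimationFrame and leaves the rest to be enumerated.
const TIMING_PROPS = ["requestAnimationFrame", "cancelAnimationFrame"];

// Replace each property on `win` with an accessor that reads as undefined and
// ignores writes, and mark it non-configurable so page script can neither
// delete it nor define it again. In current browsers the real functions live on
// Window.prototype, so there is no own descriptor and the call below installs a
// shadowing own property on the window object instead. Returns the names changed.
function neutralizeTimingApis(win, props = TIMING_PROPS) {
  const changed = [];
  for (const name of props) {
    const desc = Object.getOwnPropertyDescriptor(win, name);
    if (desc && !desc.configurable) continue; // already locked, nothing to do
    Object.defineProperty(win, name, {
      get() { return undefined; },
      set() { /* swallow attempts by the page to put a function back */ },
      enumerable: false,
      configurable: false,
    });
    changed.push(name);
  }
  return changed;
}

// From the page's point of view: is the API callable, can the page reassign it,
// can the page delete it? The probe undoes its own side effects when it can.
function probe(win, name) {
  const before = Object.getOwnPropertyDescriptor(win, name);
  const callable = typeof win[name] === "function";
  win[name] = function () {};               // ignored by the setter once hardened
  const restored = typeof win[name] === "function";
  let deleted = false;
  try {
    deleted = delete win[name];             // throws in strict mode when non-configurable
  } catch (e) {
    deleted = false;
  }
  if (before && before.configurable) Object.defineProperty(win, name, before);
  return { callable, restored, deleted };
}

// Constructed stand-in for the browser window so the example runs under Node.
// Each timing function is a plain writable, configurable data property, the
// state in which a page script could freely overwrite or delete it.
function makeFakeWindow() {
  const win = {};
  for (const name of TIMING_PROPS) {
    Object.defineProperty(win, name, {
      value: function () { return 0; },
      writable: true, enumerable: true, configurable: true,
    });
  }
  return win;
}

// Demo: probe a stock window, harden it, probe again.
const demo = makeFakeWindow();
console.log("stock:   ", probe(demo, "requestAnimationFrame"));   // callable/restored/deleted all true
console.log("changed: ", neutralizeTimingApis(demo));              // both names
console.log("hardened:", probe(demo, "requestAnimationFrame"));   // all false
console.log("again:   ", neutralizeTimingApis(demo));              // [] - already locked
```

Because the accessor is non-configurable, a second run is a no-op and a page script that tries `delete window.requestAnimationFrame` gets a TypeError in strict mode (or a silent false otherwise). The trade-off Sam raises still applies: any script that needs the function, a game for instance, breaks on sites where the surrogate is active.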
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Does NoScript prevent the type history sniffing mentione

Post by therube »

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
scripteze
Junior Member
Posts: 46
Joined: Wed Mar 14, 2012 6:15 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by scripteze »

You ? (mozillazine)
Yeah.
scripteze
Junior Member
Posts: 46
Joined: Wed Mar 14, 2012 6:15 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by scripteze »

I'm not that familiar w/ SVG attacks. I'm not a big coder, so some of the explanation from the link named "browser-timing attack disclosed last year," in the arstechnica article, is over my head.

I browsed quickly at some of the mozilla addons to automatically delete (or expire) history. Didn't look at all of them - most are manual, but one can be set to delete "older than."
https://addons.mozilla.org/en-US/firefo ... s/reviews/

Like I said, it's kindof a pain to not see where you went. When shopping or doing research, no telling how many pages or articles people may visit in 1 - 3 days.
barbaz
Senior Member
Posts: 11065
Joined: Sat Aug 03, 2013 5:45 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by barbaz »

With a complete list of exploitable functions, I could probably post a NoScript surrogate to block this attack completely. replacement pref would be a series of Object.defineProperty calls like above, and sources pref would be

@^https?://
scripteze
Junior Member
Posts: 46
Joined: Wed Mar 14, 2012 6:15 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by scripteze »

I would think it'd be a feather in NoScript's cap if someone came up w/ a fix against history sniffing. I guess there are 2 main types (for now). The ones described on bugzilla & the one published by the Belgium university student. I don't quite understand if they (the 3 total methods) are similar enough to be called one basic way or 3 distinctly different ways.

Regarding the comment to turn off JavaScript to thwart history sniffing: always good advice, but just in the last 6 mo, I'm noticing more & more sites using JS extensively. Many won't even load correctly w/o it and / or cookies enabled (even if not logging in). Many basic menus won't work w/o JS, plain old jpg images won't load & fewer sites have downloads that work w/o JS enabled. Plus, much more.
Sam

Re: Does NoScript prevent the type history sniffing mentione

Post by Sam »

@barbaz: A surrogate on requestAnimationFrame and other timing JS functions should fix any concern against timing attacks as they are done now, but I guess some guys will eventually just send a request to a distant server so it does the timing remotely, won't they? The method will suck because network latency will make things unpredictable, but I wouldn't make the bet that they won't figure something out :)

But timing functions are essential to gaming. It would be overkill to make surrogates for those and ship them with NoScript...


@scripteze: I don't have a need for the history to begin with so this isn't a problem for me. I use bookmarks, panorama and a long list of recently closed tabs and that's enough. Maybe you too can find an organisation method that suits you and allows you to disable History ?

But history sniffing is a drop in the ocean. As long as you enable Javascript you expose yourself to anything, it doesn't matter how much browser vendors patch the holes, the attack surface is getting bigger and bigger as they strive to add features. And adding features is a good thing, don't get that wrong, but they will always be behind, especially regarding privacy issues which are much less obvious to fix than security ones in a context where you have to add new cool features on a bi-monthly basis.
Firefox is the way to go for privacy concerns but it's not good enough that you can just go around with Javascript and storage like cookies allowed globally, not by a long shot.

If privacy is a serious concern to you, my advice is to only use "temporarily allow...", and the add-ons Cookie Controller and Adblock Plus (with EasyPrivacy). I never need JavaScript unless I'm going to seriously interact with a site instead of just reading it, so it seems usable. It's actually arguably more pleasant to use the web this way. No slow downs due to unwarranted use of JS by untold numbers of useless third-parties, your sight is more rarely blocked by random crap, etc
barbaz
Senior Member
Posts: 11065
Joined: Sat Aug 03, 2013 5:45 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by barbaz »

Sam wrote:@barbaz: A surrogate on requestAnimationFrame and other timing JS functions should fix any concern against timing attacks as they are done now, but I guess some guys will eventually just send a request to a distant server so it does the timing remotely, won't they? The method will suck because network latency will make things unpredictable, but I wouldn't make the bet that they won't figure something out :)
Then those requests can be blocked with a tool like NoScript's ABE or Adblock Plus.
Sam wrote:But timing functions are essential to gaming. It would be overkill to make surrogates for those and ship them with NoScript...
I'm not saying that such a surrogate should ship with NS, just that there could be at least one way to prevent this type of attack without completely disabling JS.
You could, of course, modify the sources regex to exclude sites that don't attack you and where you need the otherwise zapped functions... ;)
Sam

Re: Does NoScript prevent the type history sniffing mentione

Post by Sam »

Then those requests can be blocked with a tool like NoScript's ABE or Adblock Plus.
Yes, although that can only work when you know what to block. So it means you only allow JS on a small number of sites that you trust.

I'm not saying that such a surrogate should ship with NS, just that there could be at least one way to prevent this type of attack without completely disabling JS.
You could, of course, modify the sources regex to exclude sites that don't attack you and where you need the otherwise zapped functions...
Yes that would clearly work for an educated user who knows he blocked the JS timing functions. But again that would only work until another method that uses some other Javascript function begins to be used, such as the one described above... I mean, my point is just that allowing JS globally when you care about privacy is crazy :mrgreen:

Eventually, allowing all first party JS might be fine-ish in that risks are reduced a lot unless you visit Facebook or Google owned sites. But you're still open to both attacks described in the thread (unless you block requestAnimationFrame) and a number of others that I know nothing of (and for which we can't know what to block), it's just that many fewer attackers can target you if third parties don't have JS.

Allowing Facebook, Google, big news sites and the likes other than temporarily is exposing yourself to one of the most prominent adversaries to privacy that you can find. (with actual ad networks and of course good ol' NSA)
scripteze
Junior Member
Posts: 46
Joined: Wed Mar 14, 2012 6:15 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by scripteze »

Sam wrote: But history sniffing is a drop in the ocean. As long as you enable Javascript you expose yourself to anything, it doesn't matter how much browser vendors patch the holes, the attack surface is getting bigger and bigger as they strive to add features. And adding features is a good thing, don't get that wrong, but they will always be behind, especially regarding privacy issues
That's true. It's likely that browsers (using current coding & hardware technology) are like the Roman Empire at its height: much too large & complicated - spread out everywhere, to be effectively controlled or defended. When you think about it, the concept of a web page being able to carry out malicious or invasive actions, just by loading their page, is pretty insane.

Why don't hackers / advertisers infect wireless TV transmissions & start showing pop up ads? Every week when Sam, barbaz & therube watch Vampire Diaries & The Bachelorette & re-runs of Buffy The Vampire Slayer, their TV gets a virus.
I know the answer - just making a point as to the absurdity of how poorly computers, OSes, hardware / software are designed for preventing unauthorized infection.
If privacy is a serious concern to you, my advice is to only use "temporarily allow...", and the add-ons Cookie Controller and Adblock Plus (with EasyPrivacy). I never need JavaScript unless I'm going to seriously interact with a site instead of just reading it, so it seems usable. It's actually arguably more pleasant to use the web this way. No slow downs due to unwarranted use of JS by untold numbers of useless third-parties, your sight is more rarely blocked by random crap, etc.
*Never needing js: I'm not sure how you do it, unless mostly reading blogs, etc. Forums, banks, financial, med. & Rx insurance accts, credit cards - most all "important" stuff - all require js to use the site. I'm not talking about 1 or 2 non-critical things on sites not working - rather, can't do business at all.

* True, but "temporarily allowing"... IS allowing one time & that's all it may take. And too many sites require it on their domain & often 1 or 2 others - and # of sites requiring scripts from multiple domains are growing rapidly.
But, yes, only allowing esp. 3rd party scripts once, on a site you do business with, is better than allowing it globally. An issue that users should be up in arms about: some sites have had contracted 3rd party content providers including code in their scripts, doing things that the sites never knew about or agreed to. Or so they say, when someone discovers it. Apparently, there are few rules regulating such & thus, no recourse. Web's like the Wild, Wild West.

* Do you like Cookie Controller better than Cookie Monster? I've read a fair bit about CC, but not used it. I asked a couple questions of the dev - that didn't completely answer. Also, NO PRIVACY POLICY & no response from dev concerning one. A big issue w/ any browser addon today, IMO. Mozilla should force AMO addons to have policies, that cover all the important areas.
Sam

Re: Does NoScript prevent the type history sniffing mentione

Post by Sam »

It's likely that browsers (using current coding & hardware technology) are like the Roman Empire at its height: much too large & complicated - spread out every where, to be effectively controlled or defended.
[...]
the absurdity of how poorly computers, OSes, hardware / software are designed for preventing unauthorized infection.
I'd take the opposite stance in that if you are a savvy user you can protect yourself on computers. You can't protect your TV as far as I know even though they seem to have some sort of internet access nowadays. But I don't know the specifics, I barely ever watch TV except for Vampire Diaries, The Bachelorette and re-runs of Buffy The Vampire Slayer :mrgreen:

Regarding mobiles I have no clue how to secure them properly, let alone ensuring privacy. They're leaking network requests all over the place whereas on a computer you can lock down everything and allow only Firefox if you want.
*Never needing js: I'm not sure how you do it, unless mostly reading blogs, etc. Forums, banks, financial, med. & Rx insurance accts, credit cards - most all "important" stuff - all require js to use the site. I'm not talking about 1 or 2 non-critical things on sites not working - rather, can't do business at all.
For banking and other crucial tasks, one would have to think in terms of identities and manage the various fingerprints they can leave based on the task they're doing. That requires knowing what kind of fingerprints we leave and what countermeasures can be reasonably taken without hampering usability too much.

Also, never do banking on your main Firefox profile. You should have a profile dedicated only to this task. (Of course also make sure your computer is secured too, not just Firefox :))
* True, but "temporarily allowing"... IS allowing one time & that's all it may take.
For security holes yes, potentially. For privacy issues you can manage your identities and if you know which is which and don't make mistakes (because your organisation is good enough), then a compromised identity may not endanger the others. There's no way you can do that on mobile though...

* Do you like Cookie Controller better than Cookie Monster?
I've used Cookie Monster for years but ended up changing because of a lack of updates and because it controls only cookies, not other kinds of storage (if my memory's good). Cookie Controller has better UI, you only ever need one click. Yet it has finer grained controls and deals with all kinds of storage as far as I know, save for IndexedDB which is a particular one anyway. The only downside is that there are up to three icons in the bar. You can get away fine with just 2, but 1 would be impracticable :)

It never makes network requests as far as I know so you're safe privacy wise.
scripteze
Junior Member
Posts: 46
Joined: Wed Mar 14, 2012 6:15 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by scripteze »

...if you are a savvy user you can protect yourself on computers
For banking and other crucial tasks, one would have to...
I'm sure that's true, but I'm also sure it leaves out most users - to be that "savvy." I'm above avg & not even sure I could do it - on 15 - 20+ sites & counting; or would want to spend that time. And they change scripting all the time.

Unless you're extremely schooled in that, the time involved would be substantial. You & a small % of users may be able to do that w/ relative ease, but not the other 95% - 99.5%.
Example: I can work higher level mathematics & can & do "show" others how - for problems at the level they have sufficient background. But if they don't have extensive math background leading up to that level, they'll be lost. That's sorta what your (& some others) approach requires - a level of competence & required time that's beyond most users.
Also, never do banking on your main Firefox profile. You should have a profile dedicated only to this task.
I never thought about a completely separate profile for banking & important stuff. Certainly not one that's just on the same HDD. What would you suggest for that separate Fx banking profile? Besides running in some sandbox, or some type of "safe environment" provided by various AV vendors, or...?
Anything special to leave out or put in the profile itself?

The opinion of most "experts" seems to be, that if one does most all the correct things on their own computer & has a top rated AV / FW, that most of the threats come from outside - accessing sites & what they may include (whether the sites know about it or not), not threats from inside your computer. Sure, folks can & do get infected, but for users practicing good computer & browsing safety habits & precautions, the greater % of threats now seem to be outside the computer. BTW, in over 20 yrs, I've never had any computer infection, that I know of.
Sam

Re: Does NoScript prevent the type history sniffing mentione

Post by Sam »

You can have several profiles running as independent Firefox instances at the same time if you start them from a proper shortcut, for instance with something like this as the shortcut target:
D:\Firefox\firefox.exe -P -no-remote

The -P argument will display a dialogue box where you can choose which profile you want to use.
-no-remote makes it so that you can run several Firefox instances at once.

To skip the dialogue box you can specify a profile name directly after -P, for instance:
D:\Firefox\firefox.exe -P MyBankingProfile -no-remote

So you can make one shortcut per profile or one catch-all shortcut that will allow you to select a profile through a couple more clicks.
Example: I can work higher level mathematics & can & do "show" others how - for problems at the level they have sufficient background. But if they don't have extensive math background leading up to that level, they'll be lost. That's sorta what your (& some others) approach requires - a level of competence & required time that's beyond most users.
Yes, but if I am in a need for high level mathematics that is dire enough I will look it up and learn the topic first hand :)
Had to do so with dual quaternions some time ago. I don't need to be as knowledgeable as a real mathematician to understand the concept and how to use it for my concrete purposes. Your background is sufficient to start IMO, you just need directions or to figure out your own organisation. That does take time to set up but if it's important to you...

For instance if you do business online, that means you have an identity as that person doing business online. You can set a professional Firefox profile and whitelist certain sites on its instance of NoScript. Pay much attention to your IP address, if it's static you're pretty much screwed. (You could still change your IP but I'm not sure I would trust Tor or a VPN for sensitive business stuff directly related to my real identity)

That said, Tor Browser is a very good tool that anyone can use without much technical knowledge. (just disable JS globally though)

If you intend to dig the topic on your own, you can focus on what are the main fingerprints that one can leave so that you know what you look like to the websites you visit. Then you can figure out your own strategy or have a critical viewpoint on other people's advice posted on the web. Here are some:
- Browser user agent
- Browser headers
- IP address
- Storage (e.g. cookies, local storage, session storage)
- Referral (from which website you just came)
- Untold amount of things through Javascript that can be divided in 2 categories: Information about your computer and browser (e.g. screen size, capabilities), and information on you yourself (see history and SVG attacks).

It's useful to know there is a pitfall that many privacy concerned users fall into. They disable every feature that looks suspicious. Doing so can, if done without second thought, single them out from the crowd as that guy who disabled this, this, that, not this, but still that. Privacy requires that you show the same face as the rest of the herd.

So for instance, disabling requestAnimationFrame on your own while nobody else does could eventually lead to fingerprinting you almost uniquely when coupled with your IP address. Though, only if your adversary decides to check for requestAnimationFrame in his fingerprinting strategy.


Sorry I only provide you with a couple hints instead of the ultimate guide, that would take a crazy amount of time to make. There's probably no ultimate guide anyway. As they say there's no such thing as guaranteed security or privacy, it all depends on your adversary.
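An added example, not code from this thread, illustrating the pitfall Sam describes: a feature-presence fingerprint of the kind a tracker might compute, applied to three constructed visitors on the same browser build, one stock, one with requestAnimationFrame removed (barbaz's approach) and one with it replaced by a JavaScript shim. The surface list is an assumption drawn from the items Sam lists, the visitor objects are constructed so the code runs under Node, and no real tracker's code is reproduced.

```javascript
"use strict";

// Feature surface a tracker might sample. The list is constructed for this
// example from the items Sam enumerates; it is not any real tracker's code.
function featureVector(win) {
  const nav = win.navigator || {};
  const scr = win.screen || {};
  const raf = win.requestAnimationFrame;
  return {
    ua: nav.userAgent || "",
    lang: nav.language || "",
    screen: `${scr.width}x${scr.height}`,
    storage: typeof win.localStorage === "object",
    hasRAF: typeof raf === "function",
    // Built-ins stringify with "[native code]"; a JavaScript replacement does not,
    // so a surrogate that keeps the function but swaps its body is still visible.
    nativeRAF: typeof raf === "function" &&
      /\[native code\]/.test(Function.prototype.toString.call(raf)),
  };
}

// FNV-1a 32-bit over the JSON of the vector; any stable hash would do.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function fingerprint(win) {
  return fnv1a32(JSON.stringify(featureVector(win)));
}

// Constructed stand-ins for visitors on the same browser build. Math.max is used
// as the "native" requestAnimationFrame only because, being a built-in, its
// toString() carries "[native code]" the way the real function's does.
function makeVisitor(variant) {
  const win = {
    navigator: {
      userAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0",
      language: "en-US",
    },
    screen: { width: 1366, height: 768 },
    localStorage: {},
    requestAnimationFrame: Math.max,
  };
  if (variant === "removed") delete win.requestAnimationFrame;                 // property blanked out
  if (variant === "shimmed") win.requestAnimationFrame = function (cb) { return 0; }; // JS surrogate
  return win;
}

// Everyone on the stock build hashes the same; each hardened variant stands out.
const prints = ["stock", "stock", "removed", "shimmed"].map((v) => [v, fingerprint(makeVisitor(v))]);
console.log(prints);
```

The two stock visitors are indistinguishable by this vector, while the visitor who removed the function and the one who shimmed it each get a print of their own, and the shim is caught by the toString check even though the function is still present. Whether that matters depends, as Sam says, on the adversary choosing to sample this surface at all.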