A New Hidden Way of Web Browser Profiling, Identification and Tracking (theregister.co.uk) 72
Researchers from Austria's Graz University of Technology "have devised an automated system for browser profiling using two new side channel attacks that can help expose information about software and hardware," reports The Register.
The researchers recently presented a paper titled "JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits," which The Register says "calls into question the effectiveness of anonymized browsing and browser privacy extensions... "
Long-time Slashdot reader Artem S. Tashkinov shared their report: One of the side-channel attacks developed for JavaScript Template Attacks involve measuring runtime differences between two code snippets to infer the underlying instruction set architecture through variations in JIT compiler behavior. The other involves measuring timing differences in the memory allocator to infer the allocated size of a memory region.
The boffins' exploration of the JavaScript environment reveals not only the ability to fingerprint via browser version, installed privacy extension, privacy mode, operating system, device microarchitecture, and virtual machine, but also the properties of JavaScript objects. And their research shows there are far more of these than are covered in official documentation. This means browser fingerprints have the potential to be far more detailed -- have more data points -- than they are now.
The Mozilla Developer Network documentation for Firefox, for example, covers 2,247 browser properties. The researchers were able to capture 15,709. Though not all of these are usable for fingerprinting and some represent duplicates, they say they found about 10,000 usable properties for all browsers.
The researchers recently presented a paper titled "JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits," which The Register says "calls into question the effectiveness of anonymized browsing and browser privacy extensions... "
Long-time Slashdot reader Artem S. Tashkinov shared their report: One of the side-channel attacks developed for JavaScript Template Attacks involve measuring runtime differences between two code snippets to infer the underlying instruction set architecture through variations in JIT compiler behavior. The other involves measuring timing differences in the memory allocator to infer the allocated size of a memory region.
The boffins' exploration of the JavaScript environment reveals not only the ability to fingerprint via browser version, installed privacy extension, privacy mode, operating system, device microarchitecture, and virtual machine, but also the properties of JavaScript objects. And their research shows there are far more of these than are covered in official documentation. This means browser fingerprints have the potential to be far more detailed -- have more data points -- than they are now.
The Mozilla Developer Network documentation for Firefox, for example, covers 2,247 browser properties. The researchers were able to capture 15,709. Though not all of these are usable for fingerprinting and some represent duplicates, they say they found about 10,000 usable properties for all browsers.
Re: (Score:1)
Hey, motherfucker.
Take a step back and look at yourself. What the fuck are you doing with your life? I've seen how much shitposting you do on slashdot. You actually spend most of your free time doing this, don't you. Don't you think that's pathetic?
What does it say about you as a man? That's a rhetorical question - we both know the answer.
Sensationalism (Score:2, Informative)
"calls into question the effectiveness of ..."
Yeah ok a new exploit doesn't mean everything done up till now wasn't effective against other tracking methods.
And you can still turn JavaScript off.
Re: (Score:2)
Re: (Score:2)
IIRC time jitter has already been inserted to deal with other side-channel attacks.
I don't know much about ECMAScript/HTML5 high-speed rendering, but anti-frame-tearing would be an obvious possibility. Most of it is probably dealt with in support libraries in the browser/OS, but the timing of frame syncs is bound to be visible to the app somehow, and unless the jitter is added down on that level, it could be used as an alternate clock source. At 100Hz, though, there's a lot of room to add jitter, so wheth
Re: (Score:3)
Random time delay? If you can get a machine to choose a random number, come collect your Nobel prize
1) Point web cam at lava lamp.
2) Hash resulting image.
3) ???
4) Profit!
Re: (Score:2)
Or just round to the nearest second. No randomness required in that case.
Re: (Score:3)
Noscript helps a bit, but the best way to see how bad it is can be done by using https://amiunique.org/ [amiunique.org]
The meaning of template in this context (Score:1)
A template attack is when you take a piece of code, called the template, and then run it and note down timings and such. If you then run it in a different environment, different timings compared to your template might reveal information about the environment you might not otherwise have access to. Also, slight tweaks to the template might result in very different timing changes in different environments.
All in all I think the impact of this study is limited. Yes, there are a staggering number of properties,
Re: (Score:1)
I note that once more this is a thing that slows down computers. I wonder why internet browsing now requires 8 gigs of ram, the web hasn't changed much since 5 years ago, it's text images and media files. What changed is the amount of data profiling done with JS.
When I turn off JS using noscript I can happily browse with my 15 yo computer.
Yet another reason to disable javascript (Score:1)
Not just disable javascript, but also not to use browser-based applications, period.
So yet again! (Score:1)
"JavaScript Template Attacks:
Yet again... something that only works if you volunteer to run code delivered by the attacker.
How many JS exploits and vulnerabilities and fingerprintings does it take before we learn not to take any shit that's thrown our way and run it?
It's time to reboot the web. Remove all the shit. Make it simple, and secure.
Add a random micro-delay to the interpreter's fina (Score:1)
Timing randomization would defeat all time measurement-based attacks, because there would be zero correlation between two of the same identical calls.
Re: (Score:2)
Exactly. I thought some browsers were already implementing timing randomization to address concerns of this sort. Perhaps I’m misremembering?
Re: (Score:2)
What if the browser just fuzzed all requests for timing from javascript? As in, whenever javascript asks what the current time is, it would get a randomized offset (+/-) of the current time? Or just round all time calls to the nearest second? What application, written in JS running in a browser, would require microsecond precision?
After consulting a dictionary... (Score:2)
There are many legitimate reasons to prevent tracking and identification, and for certain groups, such as journalists or whistleblowers, it is in many cases even vital. However, for criminal actors, it is undoubtedly also beneficial to prevent tracking and unique identification. Thus, browsers such as the Tor browser are also heavily used for criminal activities [60], [17]. The anti-fingerprinting methods ensure that users can- not be tracked across websites, preventing deanonymization through the user's usage pattern of websites [57]. Thus, a tackers trying to reveal the identity of such users cannot rely on simply tracking a user with fingerprinting.
we see serious attempt in FUD. I am eagerly waiting the day a new "Law Enforcement Tool" based on this paper to hit the market at a steep cost to tax payers, preferably Austrian tax payers only...
Morse Code and Music. A 1967 story (Score:2)
One summer eve a few friends and I went from our apartments in Queens to the Village. As we walked down St. Marks Place music played from the various record stores on the block. And then I heard it.
The song, "Miss Morse" by Pearls Before Swine is reasonably banal.
Oh Dear, Miss Morse
I want you
Oh yes, I
Code execution in the browser is not mature (Score:5, Insightful)
That is the main reason this is even a problem. Sure, executing code given to you from some untrusted source is and will remain a very bad idea. That is the reason why any kind of active content in browsers is a very bad idea in the first place: You have to have an isolated execution environment that is very resistant to attack. Personally, I don't think the practice of coding (i.e. implementing these sandboxes) will be mature enough to deliver that in the required strength for at least the next few decades. In the meantime, browsing with JS active remains a significant risk.
Re:Code execution in the browser is not mature (Score:4, Interesting)
My first posts on /. were to rant about javascript. Fast-forward- I don't hate javascript, but I hate what the browser and OS are willing to do.
I agree- even a sandbox can't protect against these attacks.
How about a network stack module that scans for any kind of browser info in sent packets, and replaces it with garbage, or some otherwise anonymizing data?
Re:Code execution in the browser is not mature (Score:4, Interesting)
Having a randomizer is an additional fingerprinting data point, especially if it is not baked in to the top 60%+ of browsers.
Disabling JavaScript is another data point, but it reduces the attack surface so much that the other data points almost disappear. A trade off I have been comfortable with since 2003 or so.
Yes I write JavaScript, yes the execution environment is a bit special case. But at home JS doesn't exist.
Re: (Score:2)
Randomizers may help some. You will still get that fingerprint, but it takes a lot longer. I think the actual browser-identification is mostly a red herring though, because if, say, 10% of the deployed browser/version combination is susceptible to a specific attack, attackers will just try it and not care about the failed ones. We are not really talking targeted attacks here after all, but cheap automated ones.
Disabling JS is definitely a good idea.
Re: (Score:2)
Re: (Score:2)
Indeed. That is why for e-banking, I have a VM with just that application (it is essentially a customized web-browser) and nothing else and an encrypted disk. Somebody investing effort will still get into that, but an automated attack will not.
Re: (Score:1)
Try not mature enough ever. All it takes is one bug or oversight and your browser, email client, or any other program, is compromised. Never mind the fact that a lot of these web sites are pulling untrustworthy code from 3rd parties, and the AD networks themselves. You can't expect trustworthy code from a site who's sole source
Re: (Score:1)
Agreed. Especially now, when the main client code out there is dominated by a huge advertising company whose interests may not be completely aligned with the user's.
What miffs me most is that the web "programmers" are so idiotic as to require active content in places where it's totally unnecessary. Poster child is NASA's website [nasa.gov], which shows as a black hole for javascript-disabled browsers. Epic fail.
Re: (Score:2)
Executing code in the browser is a great idea, because the alternative is far worse.
Remember when everyone was getting infected because they downloaded some free screensaver or porn app? Much better to have Javascript running in a well tested sandbox, itself running in another sandbox, with ACLs and OS controls on top. A sandbox that doesn't even have the capability to "do you want to allow CLICK YES TO CONTINUE to make changes to your computer?"
Web apps and mobile apps have done more than anything else to
Re: (Score:2)
Well, as somebody with a total of 1 benign spyware despite running Windows for a long time without a virus-scanner, I cannot really judge this. But I see your point. Lets just say it has gone from "extremely bad" to "bad". Maybe web-assembler will finally fix things by giving a good motivation to at least make that sandbox watertight.
Re: (Score:2)
Privacy might not be dead (Score:4, Interesting)
Privacy might not be dead but it's currently on life support and things aren't looking good. They're typing up the obituary now.
Browser fingerprinting, license plate readers, cameras everywhere, facial recognition, bluetooth beacons and snooping, GPS tracking, cell tower tracking...and those are just the ones I can think of off the top of my head.
Yeah, if you want privacy, go move to a hut in the Appalachian mountains and trap gophers for dinner. Gotta eat 'em raw because your cooking fire will give away your location with its heat signature.
I stopped using JavaScript (Score:1)
Back around the late 90s the DoD released a paper about side channel attacks. It's conclusion: too slow to exploit. Today we have Spectre and Meltdown, who wud of thunk.
Back then, I said nope and immediately turned off JavaScript in all browsers (except turned on for a handful of trusted sites, but never for general web browsing). If a page won't load without JavaScript, chances are there is another site that will having the same (mis)information.
Pro-tip: if you didn't pay for the content, it isn't the p
Many Boffins died to bring us this information. (Score:2)
Thank you I'll be here all week. Try the fish!