• DocumentCode
    244291
  • Title

    Scriptless Timing Attacks on Web Browser Privacy

  • Author

    Bin Liang ; Wei You ; Liangkun Liu ; Wenchang Shi ; Heiderich, Mario

  • Author_Institution
    Renmin Univ. of China, Beijing, China
  • fYear
    2014
  • fDate
    23-26 June 2014
  • Firstpage
    112
  • Lastpage
    123
  • Abstract
    The existing Web timing attack methods are heavily dependent on executing client-side scripts to measure the time. However, many techniques have been proposed to block the executions of suspicious scripts recently. This paper presents a novel timing attack method to sniff users' browsing histories without executing any scripts. Our method is based on the fact that when a resource is loaded from the local cache, its rendering process should begin earlier than when it is loaded from a remote website. We leverage some Cascading Style Sheets (CSS) features to indirectly monitor the rendering of the target resource. Three practical attack vectors are developed for different attack scenarios and applied to six popular desktop and mobile browsers. The evaluation shows that our method can effectively sniff users' browsing histories with very high precision. We believe that modern browsers protected by script-blocking techniques are still likely to suffer serious privacy leakage threats.
  • Keywords
    data privacy; online front-ends; CSS features; Web browser privacy; Web timing attack methods; cascading style sheets; client-side scripts; desktop browser; mobile browser; privacy leakage threats; rendering process; script-blocking techniques; scriptless timing attacks; user browsing history; Animation; Browsers; Cascading style sheets; History; Rendering (computer graphics); Timing; Web privacy; browsing history; scriptless attack; timing attack;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP International Conference on
  • Conference_Location
    Atlanta, GA
  • Type

    conf

  • DOI
    10.1109/DSN.2014.93
  • Filename
    6903572