BakingTimer: privacy analysis of server-side request processing time

Cookies were originally introduced as a way to provide state awareness to websites, and are now one of the backbones of the current web. However, their use is not limited to store the login information or to save the current state of user browsing. In several cases, third-party cookies are deliberately used for web tracking, user analytics, and for online advertisement, with the subsequent privacy loss for the end users. However, cookies are not the only technique capable of retrieving the users' browsing history. In fact, history sniffing techniques are capable of tracking the users' browsing history without relying on any specific code in a third-party website, but only on code executed within the visited site. Many sniffing techniques have been proposed to date, but they usually have several limitations and they are not able to differentiate between multiple possible states within the target application. In this paper we propose BakingTimer, a new history sniffing technique based on timing the execution of server-side request processing code. This method is capable of retrieving partial or complete user browsing history, it does not require any permission, and it can be performed through both first and third-party scripts. We studied the impact of our timing side-channel attack to detect prior visits to websites, and discovered that it was capable of detecting the users state in more than half of the 10K websites analyzed, which is the largest test performed to date to test this type of techniques. We additionally performed a manual analysis to check the capabilities of the attack to differentiate between three states: never accessed, accessed and logged in. Moreover, we performed a set of stability tests, to verify that our time measurements are robust with respect to changes both in the network RTT and in the servers workload.

[1]  Zhenkai Liang,et al.  I Know Where You've Been: Geo-Inference Attacks via the Browser Cache , 2015, IEEE Internet Computing.

[2]  Lukasz Olejnik,et al.  Web Browser History Detection as a Real-World Privacy Threat , 2010, ESORICS.

[3]  Frank Piessens,et al.  FPDetective: dusting the web for fingerprinters , 2013, CCS.

[4]  Elisa Bertino,et al.  Web Content Filtering , 2006 .

[5]  Benjamin Livshits,et al.  RePriv: Re-imagining Content Personalization and In-browser Privacy , 2011, 2011 IEEE Symposium on Security and Privacy.

[6]  Jong Kim,et al.  Identifying Cross-origin Resource Status Using Application Cache , 2015, NDSS.

[7]  Aniket Kate,et al.  ObliviAd: Provably Secure and Practical Online Behavioral Advertising , 2012, 2012 IEEE Symposium on Security and Privacy.

[8]  Song Li,et al.  (Cross-)Browser Fingerprinting via OS and Hardware Level Features , 2017, NDSS.

[9]  Paul Francis,et al.  Non-tracking web analytics , 2012, CCS.

[10]  Jörg Schwenk,et al.  Scriptless attacks: stealing the pie without touching the sill , 2012, CCS.

[11]  Jasmine Schwartz Giving the Web a Memory Cost Its Users Privacy , 2001 .

[12]  Davide Balzarotti,et al.  Clock Around the Clock: Time-Based Device Fingerprinting , 2018, CCS.

[13]  Arvind Narayanan,et al.  Online Tracking: A 1-million-site Measurement and Analysis , 2016, CCS.

[14]  Wouter Joosen,et al.  The Clock is Still Ticking: Timing Attacks in the Modern Web , 2015, CCS.

[15]  Zachary Weinberg,et al.  I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks , 2011, 2011 IEEE Symposium on Security and Privacy.

[16]  Matthew Richardson,et al.  Targeted, Not Tracked: Client-Side Solutions for Privacy-Friendly Behavioral Advertising , 2011 .

[17]  Christopher Krügel,et al.  A Practical Attack to De-anonymize Social Network Users , 2010, 2010 IEEE Symposium on Security and Privacy.

[18]  Hovav Shacham,et al.  Pixel Perfect : Fingerprinting Canvas in HTML 5 , 2012 .

[19]  Wouter Joosen,et al.  Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting , 2013, 2013 IEEE Symposium on Security and Privacy.

[20]  Shravan Narayan,et al.  Browser history re: visited , 2018, WOOT @ USENIX Security Symposium.

[21]  Saikat Guha,et al.  Privad: Practical Privacy in Online Advertising , 2011, NSDI.

[22]  Helen Nissenbaum,et al.  Adnostic: Privacy Preserving Targeted Advertising , 2010, NDSS.

[23]  Sebastian Schinzel An Efficient Mitigation Method for Timing Side Channels on the Web , 2011 .

[24]  Yoshitaka Nagami,et al.  An Independent Evaluation of Web Timing Attack and its Countermeasure , 2008, 2008 Third International Conference on Availability, Reliability and Security.

[25]  Dan Boneh,et al.  Exposing private information by timing web applications , 2007, WWW '07.

[26]  Collin Jackson,et al.  Cross-origin pixel stealing: timing attacks using CSS filters , 2013, CCS.

[27]  Walter Rudametkin,et al.  Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[28]  Igor Santos,et al.  Knockin' on Trackers' Door: Large-Scale Automatic Analysis of Web Tracking , 2018, DIMVA.

[29]  Edward W. Felten,et al.  Timing attacks on Web privacy , 2000, CCS.