Websites Have a New Way To Spy On Visitors: Analyzing Their SSD Activity (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices. The technique, laid out in a research paper (PDF), exploits a side channel, a form of leak resulting from physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.

The attack that FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing for) a given resource. By measuring the timing of certain I/O (input-output) operations of the SSD a visitor is using, the researchers were able to determine the websites open in other tabs -- even on other browsers -- and the apps that were open on the visitor's device. FROST requires no interaction from the visitor other than opening the site hosting the attack. [...] Unlike previous contention side-channel attacks on SSDs, FROST runs exclusively in the browser. It uses JavaScript that interacts with the OPFS (origin private file system), an allocated storage space that's reserved for a specific site to run code needed to complete a given task. Websites can create one with no interaction required by the visitor.

While each file system is sandboxed, meaning it's isolated from other websites and from the device system itself, the JavaScript can measure the I/O interactions. Then, by running those interactions through a pretrained convolutional neural network -- a system that uses deep learning to analyze text, audio, and images -- the attacker can deduce various apps and websites open on the device. "The attacker continuously measures SSD contention by performing random reads from a large OPFS file," the researchers explained. "SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model."
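The summary above describes the measurement itself: repeated reads from a large OPFS file, with read latency shifting whenever other activity contends for the drive, and a classifier trained on the resulting traces. The comments that follow debate two browser-side mitigations, adding random delay to storage reads and reducing timer precision. The following is an added example, not code from the FROST paper, the Ars Technica article, or any commenter: a Node.js simulation with constructed latency numbers (the idle and busy latency distributions, the 250 µs jitter bound and the 1 ms timer step are all assumptions) that trains a simple threshold distinguisher on mitigated traces and reports how often it still tells a busy host from an idle one.

```javascript
// Added example, not code from the FROST paper or the Ars Technica article.
// A toy simulation of two mitigations raised in the discussion, timer coarsening and
// random jitter on storage reads, measured against a simple latency-based distinguisher.
// Every latency value here is constructed (synthetic), not a real SSD measurement.

// Deterministic PRNG (mulberry32) so results are reproducible offline.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Box-Muller: one standard-normal sample from two uniforms.
function gaussian(rng) {
  const u = 1 - rng(); // keep u in (0, 1] so log(u) is finite
  const v = rng();
  return Math.sqrt(-2 * Math.log(u)) * Math.cos(2 * Math.PI * v);
}

// Assumed host states: an idle system and a system whose other activity contends for the
// drive, each modelled as a mean read latency in microseconds plus Gaussian noise.
const STATES = {
  idle: { meanUs: 80, sdUs: 10 },
  busy: { meanUs: 110, sdUs: 10 },
};

// Mitigations a (hypothetical) browser could apply to the latency a page can observe.
const MITIGATIONS = {
  none: (latencyUs) => latencyUs,
  // Uniform random delay of up to 250 µs added to every read (assumed bound).
  jitter: (latencyUs, rng) => latencyUs + rng() * 250,
  // Timer resolution reduced to 1 ms steps (assumed step): sub-millisecond detail is lost.
  coarse: (latencyUs) => Math.floor(latencyUs / 1000) * 1000,
};

// One trace = the mean of `reads` observed latencies, as a page's script would see it.
function traceMean(state, mitigate, reads, rng) {
  let sum = 0;
  for (let i = 0; i < reads; i++) {
    const raw = state.meanUs + state.sdUs * gaussian(rng);
    sum += mitigate(raw, rng);
  }
  return sum / reads;
}

// Accuracy of a threshold classifier trained and tested under the same mitigation,
// i.e. the observer retrains on mitigated traces instead of reusing an old model.
function distinguisherAccuracy(mitigationName, { reads = 50, trials = 200, seed = 42 } = {}) {
  const mitigate = MITIGATIONS[mitigationName];
  const rng = mulberry32(seed);
  const avg = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;

  // Training: threshold at the midpoint between the average idle and busy traces.
  const trainIdle = [];
  const trainBusy = [];
  for (let i = 0; i < trials; i++) {
    trainIdle.push(traceMean(STATES.idle, mitigate, reads, rng));
    trainBusy.push(traceMean(STATES.busy, mitigate, reads, rng));
  }
  const threshold = (avg(trainIdle) + avg(trainBusy)) / 2;

  // Test: fresh traces, equal numbers of each state.
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    if (!(traceMean(STATES.idle, mitigate, reads, rng) > threshold)) correct++;
    if (traceMean(STATES.busy, mitigate, reads, rng) > threshold) correct++;
  }
  return correct / (2 * trials);
}

// Compare all three settings with the same parameters.
function compareMitigations(opts) {
  const out = {};
  for (const name of Object.keys(MITIGATIONS)) out[name] = distinguisherAccuracy(name, opts);
  return out;
}

console.log(compareMitigations());
```

Run it with `node`. Under the assumed numbers the unmitigated distinguisher is always right; uniform jitter pushes its accuracy well below 100 percent but does not defeat it, because averaging across many reads recovers much of the mean shift (the processing-gain point made in the thread); and a 1 ms timer step defeats per-read timing entirely, since both states round to zero, at the cost of any useful sub-millisecond timing for legitimate pages. The model is a single retrained threshold rather than a CNN, and it considers only per-read latency as the observable.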

  • by jhoegl ( 638955 ) on Wednesday May 27, 2026 @11:36PM (#66163576)
    Clearly an exploit, the sites that use this should be blacklisted, I don't care if it's a large site or not. Using a hack is illegal and should be treated as such.
    • by Anonymous Coward on Wednesday May 27, 2026 @11:42PM (#66163582)

      I'd rather whitelist the few sites that actually need OPFS (along with other direct filesystem access APIs).

      Too bad browser vendors are terrified of presenting users with a proper permissions interface... God forbid they ask people to think.

      Instead what we're probably gonna get is timing fuzzing, adding a huge amount of code to the browser to slow down file access.

      • by larwe ( 858929 ) on Thursday May 28, 2026 @01:14AM (#66163638)
        It's not a question of asking people to think... it's a question of undermining things that actually make them money. It would be possible to design a browser that is extremely hostile to advertising, tracking and other malware. Unfortunately, the people with enough money to maintain and promote a credible browser make most of that money from advertising, tracking and other malware. This whole article thread is just another example of "allowing other peoples' unvetted code to run on your computer is never safe", but the people who make browsers and major websites have business models that rely on this idea. It's a tension that cannot be resolved in the Age of Enshittification.
        • Unfortunately, the people with enough money to maintain and promote a credible browser make most of that money from advertising, tracking and other malware

          Google makes money by selling adverts and information. It's not actually in Google's interests to allow random websites to mine their customers' data.

        • Enshittification is a user facing symptom. The real issue is neoliberalism and late stage capitalism. Extraction and exploitation, in this case by maximising consumption of unwanted services, are the mechanisms of action.

      • I added OPFS to my toy emulator. So now you can drag and drop stuff into an extra drive without me having to host any kind of backend or see your files. (Hosted as a static website on github.io)

        So this is why we can't have nice things. Perhaps adding random nanosleep() calls to the I/O paths might be something Chrome might try to mitigate. Hate that we are in an arms race. One side trying to use computers and the other trying to ruin them.

      • MS Edge must already be using the fuzzing, the time it takes to download or open a file seems to be perfectly random.

    • by ArchieBunker ( 132337 ) on Wednesday May 27, 2026 @11:47PM (#66163588)

      I'm stunned this even exists https://developer.mozilla.org/... [mozilla.org]

      • by karmawarrior ( 311177 ) on Thursday May 28, 2026 @01:07AM (#66163632) Journal

        I'm not. There's a sizable amount of movement towards putting basic applications on the web, such as Google Docs and Office Online. But at the time implemented they could only access "files" in the cloud and couldn't even use the local file system for caches or temporary files, needing to maintain their connection to the Internet once loaded (and giving the user little control of their own data.)

        What I'm stunned by is that there's no permissions structure. A web application should be required to ask for permission to use these APIs, just as they do when using location information or something like that. (Also location APIs for desktop browsers need to have a "Never show this again for any webpage" checkbox - why the fuck is it there? There's no GPS in my PC, idiots. But... that's another subject.)

        The browser makers seem to have an aversion to permission dialogs, but half the privacy invading crap could be rendered unusable to privacy violators by just forcing them to ask permission. "I just tried to load our website, and was forced to click through 100 dialogs about cookies" is not something anyone wants to hear from the CEO, even if it's the marketing team.

        • by larwe ( 858929 )

          Couple things:

          • re "location information" on a desktop PC, sure it's not a mobile device, but there is still a reason to geolocate it - partly to determine regulatory domain (do I need to age-verify you because you're calling from a state that mandates it?) and partly for the usual enshittification reasons (can I show you ads for businesses that are close to you and will pay a premium to get eyeballs inside their operational area? can I observe you here frequently during the business day and infer that you w
          • by DarkOx ( 621550 )

            The entire web security model is broken.

            Experienced web developers don't understand Same Origin Policy, Content Security Policy, and often even cookie scope completely. As you say no end user ever could without becoming at least a capable amateur web guy/gal themselves.

            To use a car analogy:
            Asking for permissions at this point would be like a Toyota Corolla popping up a dialog on the dash board "Would you like to advance timing by 1.5 degrees?" while the driver is cruising along I-70. The percentage of dri

            • > Asking for permissions at this point would be like a Toyota Corolla popping up a dialog on the dash board "Would you like to advance timing by 1.5 degrees?" while the driver is cruising along I-70. The percentage of drivers who could think about the question intelligently is small, the number of them familiar enough the current state of that specific car in terms of tune, conditions, etc without doing additional analysis no practical while operating is even smaller.

              I wouldn't put "Do you want this webs

              • by DarkOx ( 621550 )

                disagree that is precisely the same question as "the script at dfgjkdf.bit.ly would like to save a file, allow?" as far as the ordinary user is concerned. They have no idea if it is a good idea to allow that or not and at the moment can't take the steps to even try to figure that out.

                No the SaaS/Ad guys are the ones that want that API. The whole thing is opaque to the user. That is f'ing terrible for you and me! I can't for example (easily anyway) find the data I created stored by that API to backup, use

                • > disagree that is precisely the same question as "the script at dfgjkdf.bit.ly would like to save a file, allow?" as far as the ordinary user is concerned. They have no idea if it is a good idea to allow that or not and at the moment can't take the steps to even try to figure that out.

                  Again, everyone is missing the point here.

                  It's asking for permission. It's ASKING for permission. Each and every security problem it's asking for permission.

                  Do you have any idea how annoying that is? Have you ever dealt wi

            • by larwe ( 858929 )

              Asking for permissions at this point would be like a Toyota Corolla popping up a dialog on the dash board "Would you like to advance timing by 1.5 degrees?" while the driver is cruising along I-70

              As someone who works with metaphor most of the day - I couldn't have constructed a better analogy. Hat tip to you sir/ma'am.

          • > re "location information" on a desktop PC, sure it's not a mobile device, but there is still a reason to geolocate it

            You miss the point. Desktop PCs do not contain GPS devices. Therefore any "location" information browsers provide is generally inaccurate, often radically so. So they shouldn't even be offering the API unless they've actually given the user an interface to enter the position of the computer, and has given permission.

            There are plenty of "nice to haves" that are both technically impossible

            • by larwe ( 858929 )

              I file your entire reply under the category of "not even wrong".

              You miss the point. Desktop PCs do not contain GPS devices.

              You miss the point. Desktop PCs have a physical location and a network location. The network location is used to infer the physical location (inter alia, for the anti-user purposes I mentioned), and more often than not it is sufficiently accurate for those purposes.

              You wouldn't expect the browser to give websites the ages of users (for the same reasons you say location information is useful) either

              We are talking about anti-privacy behavior - and you should look at the Digital Credentials API, which does more or less exactly this.

              Are you just anti-privacy at this point? Because I literally explained this (literally the last sentence of my post) [...] you don't think the problem with too many requests is that someone violating a victim's privacy is with the privacy violations

              You didn't, and I do. My point was that promptin

        • by Pieroxy ( 222434 )

          Regarding location data, even on a laptop or a desktop, an imprecise location can be deduced from wifi triangulation. You still need wifi though, which is present on all laptops and many desktops sold these days. Or can be added with a USB wifi adapter.

          • Your point being what exactly?

            So a desktop might be able to guess where I am. So what? Does that mean it should prompt me even when it only has an IP address to go on? (An IP address that according to every website I go to locates me literally 100 miles South of where I am?) And why does that mean I shouldn't be able to turn the requests off permanently given it's a dialog I will never say yes to?

            • by unrtst ( 777550 )

              And why does that mean I shouldn't be able to turn the requests off permanently given it's a dialog I will never say yes to?

              Right? And I'd also add that end users should be able to trivially set/override the GPS coordinates returned by these location services.

              Altruistic use: you could set your desktop to return your precise location, since there is no service that would do so.

              For nearly all intents and purposes, that would be an incredibly useful feature in numerous real situations. Using maps? Set it correctly. Looking for good sushi spots near some other location? Set the location. Away from home but want to see local ads when go

          • by Pieroxy ( 222434 )

            My point being that when you wrote "There's no GPS in my PC, idiots", the fact that there are no GPS does not mean your PC cannot locate you, and thus the popup could still be relevant.

            Now is it annoying like hell? Heck yes. Not my point at all.

      • I'm stunned this even exists https://developer.mozilla.org/... [mozilla.org]

        Why are you surprised this exists? Applications often require cache, cache performance dictates application performance in many areas. Applications have run in the browser since Javascript was invented.

        This is one of the least surprising things in Webstandards. Well actually it is surprising in that I actually thought it was a shared pool and didn't realise they put so much effort into isolating it (at this point an application running in a browser has become way more secure than an application running nati

        • My browser should have zero knowledge of what a filesystem is. That is OS territory.

          • Your browser hasn't been a browser since the early 2000s. Most of the modern internet simply wouldn't function if your browser wasn't "OS territory", that very much includes the groupware which makes the world go round.

            This isn't even a browser restricted issue. We have been pushing for this back when the browser was dumb too, both Java webapplets and ActiveX required by the nature of how software works some level of access to do useful things.

          • My browser should have zero knowledge of what a filesystem is.

            If your web browser didn't store a session identifier in a small file called a cookie, how would Slashdot's server know that you're logged in as ArchieBunker (132337)? Otherwise, I'm not sure where you've mentally drawn a line between cookie storage and "a filesystem" proper.

          • by ichthus ( 72442 )
            Not only that, but the caching is happening in RAM -- not directly to the disc. I'm actually very skeptical this actually works outside of their contrived conditions.
          • by AmiMoJo ( 196126 )

            That's how it works.

            The browser has two filesystem APIs. The older one just lets it display a file chooser, and then the browser gives it access to that one file that the user picked, sandboxed, and nothing else. Any writes are cached until all security checks are passed, and then the browser copies the data out of the sandbox.

            The problem with that is performance. So there is a second API which creates an isolated, sandboxed, quota enforced filesystem just for that one website. The quota counts for everythi

      • How quickly we forget Google Gears.

    • by Aighearach ( 97333 ) on Thursday May 28, 2026 @01:16AM (#66163642)

      Sites don't use it, even just reading the summary would tell you that this is something that works in the lab when the fake users are generated by scripts and there isn't any other activity on the node. Real computers are doing lots of different shit in the background and don't have narrowly consistent timing, especially compared to other users with similar storage systems. And storage performance operates in a set of narrow performance bands. "Which of a site's 2 users are using it right now?" might be possible, but fingerprinting an anonymous user of a real web service would be a whole different issue.

      The important thing is that some dingbat academician got a publishing credit.

      • by thegarbz ( 1787294 ) on Thursday May 28, 2026 @04:30AM (#66163798)

        The important thing is that some dingbat academician got a publishing credit.

        Good ol' 2026, where we insult academics because some idiot reporter probably used AI to write an article which has nothing to do with the research paper itself.

        Now if you read the paper the "dingbat academician" didn't propose any direct security risk, rather demonstrated a way to set up a covert data channel between two things under their control at a rate of about 600 bits/second. It is a very interesting paper and one that explores performance of Javascript and I/O access. Specifically this is more of a comparison to an existing side channel that on a raw OS level can achieve 900 bit/s (using sync operations in Linux). The paper also concludes that the risk here is insanely small, especially since OPFS access requires the user to explicitly allow a website to do so.

        Please keep the insults to reporters and people who read "science news" instead of the papers themselves.

      • by dmomo ( 256005 )

        "The important thing is that some dingbat academician got a publishing credit."

        Tell me you didn't read the paper without telling me you didn't read the paper.

        " even just reading the summary "

        Ahh. There it is. Sounds like how a dingbat might react.

      • by 0xG ( 712423 )

        The important thing is that some dingbat academician got a publishing credit.

        The important thing is that he got a job offer from google.

      • The important thing is that some dingbat academician got a publishing credit.

        I was going to say that I never thought the day would come when anti-intellectualism would come to slashdot, "news for nerds, stuff that matters." And then I noticed your slashdot id is even lower than mine, so you've been here a while.

        A stark reminder that things aren't actually getting worse, the idiots have always been among us.

    • the sites that use this should be blacklisted

      OPFS is part of the File System API. On Chrome at least I believe that will trigger a permission check with the user as to whether they want to allow writing.

      • OPFS is designed specifically NOT to ask for permissions, because it's not touching any existing filesystems. It creates its own little sandboxed file system per-origin that is completely opaque to the user; only the origin site can access it.

        "Since the origin private file system is not visible to the user, there are no permissions prompts and no Safe Browsing checks."

        src: https://web.dev/articles/origin-private-file-system [web.dev]

    • NoScript. No one gets to run untrusted code on your computer unless you approve it first.

    • In a surprise move after reading comments on slashdot about not using hacking techniques to exploit end users, Google, Facebook and even Microsoft have decided to shutdown all their operations. Also, Iran has agreed to never develop a nuclear weapon.
  • SSDs have gotten stoopid expensive anyway, so maybe it's a good time to go back to spinning rust.

    Then again, might this attack even work on the silicon of a magnetic drive? Or is the buffer too small to be vulnerable in the same way?

    • I don't think the attack is limited to SSD. It felt, reading TFA, that "SSD" was being used to mean "local storage", so if it had been written 10 years ago it'd have used "hard drive" and if in the 1980s, "floppy drive", I'm guessing.

    • Re: Welp! (Score:4, Interesting)

      by OrangeTide ( 124937 ) on Thursday May 28, 2026 @07:42AM (#66163970) Homepage Journal

      It might be easier to track the larger seek times of spinning platter media for such a side channel attack.

      Letting people run unsigned, unvalidated, turing complete code on your browser is the source of many problems.

      • Toggle JavaScript Button by Michael Buckley
        Every browser should have something like this. Not merely in about:config, and definitely not some setting buried under 4 menus.

      • Re: Welp! (Score:4, Interesting)

        by bussdriver ( 620565 ) on Thursday May 28, 2026 @10:26AM (#66164196)

        Spinning rust is random. Allocation is not consistently done so seek times will differ wildly; caching will bring that into line with SSD except you can't control caching so that greatly limits the window of opportunity to exploit that.

        The problem is high precision timing being applied to everything and what is impossible today may become possible later.

        You are correct in that the larger view that running code is the problem and everything has some CS fool trying to add code to it... fonts, PDF, CSS, and I'm still expecting Unicode to add some more BS someday given how much they've overly complicated what should be a simple text encoding format.

        • I disagree. Spinning media is not random. It's not random in behavior and not in what is observable from file system drivers and application layers. Timing of a disk spinning at a nearly fixed rotational velocity is a physical phenomenon and you can trivially model and predict it. And indeed you had to predict when bitbanging certain floppy formats. And of course old MFM itself was tied to a track's velocity. Which again, you can probe from software because an access on the same track will take twice as long

      • Letting people run unsigned, unvalidated, turing complete code on your browser is the source of many problems.

        FORCING people to run unsigned, unvalidated, turing complete code on your browser is the source of MANY MANY problems..

        And before the apologists chime in with "You're not being forced to run this code.." TRY viewing most any modern website with javascript turned off.. It ain't pretty... So as far as I'm concerned, we ARE being forced to run potentially bogus code on the browser..

        • Well nobody is forcing you. You could always drive to your bank or department store instead of using their website.

  • So this side channel signal can be obfuscated with randomly timed broad frequency reads and writes to the filesystem, presumably? Since the signal it is looking for is latency caused by patterns of reads and writes that fingerprint an application?

    • by larwe ( 858929 )
      Possibly not. You're raising the noise floor, but if the signal is sufficiently well-characterized, processing gain can pull that floor back down. You'd have to test different noise patterns to see what is most antagonistic to their CNN, and likely you'd get into an arms race where they'll always be a step ahead.
      • by jythie ( 914043 )

        I am not sure which side would really be 'always one step ahead' here. In order for this to work they would need to constantly retrain their CNN since any change in any application or website's data usage pattern would throw it off. OS updates would also require retraining.
        Boilerplate code would also throw it off, and I imagine the majority of websites would be indistinguishable. Things like user settings or adblockers would also throw it off.

        • by larwe ( 858929 )
          The thing about analysis by CNN is that you can't easily predict what noise is going to interfere with recognition. The CNN maintainers likely have more resources than people trying to shield themselves, and they also are the only people who are in a position to run a bunch of experiments. If this technique truly does allow surveillance of some meaningful kind, it would be invisible to the end-user - so how could the end-user tell if their countermeasures are working?
          • by jythie ( 914043 )

            Thing is, fingerprinting in general is not a new field, and people have been throwing neural nets at it for a long time. It has always been a pretty sketchy technique and sensitive to overfitting. You don't need people trying to shield themselves, things just change in ways that screw up fingerprints. They are notoriously difficult to keep up to date and mostly seem to survive as part of packages sold to big IT departments as 'this will detect things!'.

    • I think that it depends on the user. For me, I am usually browsing while waiting for a build. Builds use a great deal of I/O and broadly randomly. So for a user like me, probably not very useful. For most though, I expect they browse and that is what they are doing on the machine, nothing else. Those are the target.

      I will say though given the memory footprint of modern browsers, man they need a great great great deal of space if they need a cache in addition to the 10G of memory they often consume. Maybe t

    • by DarkOx ( 621550 )

      Or hear me out on this: rather than wasting actual resources, the browser APIs could just add something like sleep(rand(250)) in the path of read() along the I/O thread.

      For the sake of breaking the side channel attack it probably does not need to even be a particularly good secure random implementation as long as the seeds are unique to the browser process/session.

    • by jythie ( 914043 )

      So... having anything other than the web browser running?

  • by Anonymous Coward on Thursday May 28, 2026 @12:05AM (#66163604)

    > By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.
    The research paper doesn't say anything about decrypting encrypted traffic nor inferring confidential data. I think the author just looked up "side channel" and ascribed the implications of other side channel attacks to this particular technique.

    Read the paper: what's actually happening here is a demonstration where code in the browser can use local SSD timings to encode a stream of bits by influencing access times. Then, another open browser page on the same computer can infer the signal sent by the other process by examining SSD latency timing.

    It's mildly interesting, and far from the first such side channel, but nowhere does this technique break out of the browser's sandbox or decrypt confidential data. This is nothing like "visit this page and you're haxx0red noob." In order to succumb to any sort of attack, a legitimate website you normally visit would have to be hacked too. And if they have gotten that far, they wouldn't need to exfiltrate data via this side channel.

    • Thanks for actually reading the source. The summary did sound like nonsense to me and you saved me some time.
    • by lsllll ( 830002 )

      I kept calling bullshit as I read the summary, but I wasn't going to say anything because I figured these people are smarter than me. They may still be smarter than me, but it may have been more believable if they hadn't thrown the kitchen sink in there.

    • To give them some benefit of the doubt, that section may have been intended just as a description of side channel attacks and the author may not have realized how misleading the phrasing was.

      Or maybe they did and didn't care because they were more interested in clicks than accuracy. The author is supposed to be their senior security editor, but that's not great editing no matter the reason.

    • by JBMcB ( 73720 )
      They must be switching some browser protections off, as well. My understanding is that JavaScript timing loops have some very minor entropy injected to prevent things like this from happening.
    • by jythie ( 914043 )

      So.. that sounds more like they developed a way for two isolated browser tabs to communicate with each other, rather than a sandbox sneakily figuring out what is going on outside of it?

  • by Mr. Dollar Ton ( 5495648 ) on Thursday May 28, 2026 @01:41AM (#66163668)

    Is there any evidence this actually works, or is it just a paper to maintain a grant?

    • I have three different browsers running, and four instances of one of them, each with on average four windows open.

      Plus there is a bunch of other stuff running, and I only have spinning rust (Being old, my brain is not very fast).

      Not sure how they will get any usable info out of my PC - other than it is probably not using Windows.

  • is playing games, music etc while browsing.

    Or the browser is running out of RAM instead of an SSD for the cache

  • This seems potentially fixable at the browser level: adding timing jitter/noise to OPFS disk reads, reducing timer precision, or rate-limiting storage access could make these contention measurements much less reliable. Of course, all of those have some performance cost.

    As a user-side mitigation, disabling browser disk cache may also reduce the signal somewhat (I've done that for years), although OPFS itself would still generate storage I/O, so it probably wouldn't eliminate the side channel entirely.

    Given m

    • Caching timing I'm sure works as a data source as well. Anything with high precision timing is subject to profiling and AI allows for automated deep statistical analysis that is too costly to power by human experts. The problem is access to high precision timing not imagining everything that might be too uniquely consistent... user or web apps/sites users visit. Spinning rust made this too random before SSD. Network bandwidth and latency shifts are far too random now to imagine that as a risk but maybe no

  • by Qbertino ( 265505 ) on Thursday May 28, 2026 @03:28AM (#66163722)

    ... _very_ fundamental way.

    [Disclaimer: Passionate multi-decade Senior Web Developer here]

    And that is *drumroll*:

    Always online, no standard default way for offline.

    Seriously, this is the biggest downside (and perhaps eventually downfall) of the Web and its protocols. It's the reason I initially thought "Who needs this crap?" back in the '90s when the Web first appeared.

    In this regard FidoNet and other BBS networks are technically superior(!!) to the modern Web.

    Solid crypto-based Ident/Auth/Authed DNS and a set of document-centric offline capable Web protocols on top would be the right way to do this. Most security problems and this tracker garbage we have to deal with _every_ _single_ _day_ would vanish in an instant. As would quite a few other problems of the modern Web along with it.

    The Web is awesome. It won for very good reasons. But in _that_ way the Web is epic shit by design. If the Web eventually fades away it will likely be because of that flaw.

    Until then it's paying bills, so not many too hard feelings on my end. But the general IT expert in me sure wishes we had better protocols for solid offline capability.

  • by HnT ( 306652 ) on Thursday May 28, 2026 @03:33AM (#66163724)

    We must have gone terribly, horribly wrong somewhere in the evolution of WWW and the browser because this damn program is for VIEWING websites, not for giving all sorts of hardware access TO websites FFS!

    All these APIs need to be severely limited and cut back. This has gone way too far.

    • This is all part of the long-term plan to turn all consumer devices into thin-client/terminals. You won't have local compute - at least not enough to do anything useful. All processing will be done in the cloud. The browser has long been morphing into a catch-all VM that just hands stuff off to cloud services. However, since we're in an interim period where we still have local apps and network accessibility cannot be 100% guaranteed there needs to be some local storage for caching stuff in case the network
    • Ironic that you're on slashdot, posting your comment into a...web app. Maybe you don't actually want sites like slashdot?

  • From the actual paper (emphasis mine):

    After tricking the victim into clicking a malicious link, an attacker can monitor the victim’s activity on the host system, such as website visits and application usage, without further user interaction.

    • by allo ( 1728082 )

      The site you have open can be the malicious link itself. The restriction only says "If you don't visit the site, the site can't harm you."

    • Also from the actual paper:

      the victim first visits an attacker-controlled website, e.g., through a seemingly benign website, advertisements, or spam

      Just like the vector of most infections.

      Not explicitly mentioned in the paper, but of equal or greater risk, are the cases where known websites have been pwned. Let's say the attacker deposits their code on your favorite forum or WordPress site.

      The user simply has to visit an infected site. Getting them there has never been the major hurdle. e.g. Look at the TITS on this one!!!! [rickroll.tld]

      • by ceoyoyo ( 59147 )

        The user simply has to visit an infected site.

        Modern ads are basically websites so permissionless attacks don't even need you to visit a specific one, just some site that happens to show a bad ad. Punch the monkey and win!

        • Modern ads are basically websites so permissionless attacks don't even need you to visit a specific one, just some site that happens to show a bad ad.

          In which case this, like so many others, becomes a Chrome-only problem.

  • Use Firefox profiles, or containers. Don't visit more than one site in a browser session. That solves it.
  • by SlashbotAgent ( 6477336 ) on Thursday May 28, 2026 @08:12AM (#66164004)

    While this shit really frustrates and infuriates me, I've got to give praise to the fucking geniuses that figure this stuff out. Amazing and humbling!

    For those that did not read the paper, here are a few notes:

    - No decryption or data stream snooping is taking place. They are only deriving which websites or applications are loaded post attack launch.
    - No site history is readable.
    - No already loaded websites or applications are decipherable. Mostly. It may be possible to detect sites or applications that continue to access the SSD, but this was not demonstrated.
    - The attack runs -> you open another webpage -> it can accurately predict what the site/page you opened was.
    - The attack runs -> you open Calculator -> it can derive that an application was started, probably (high degree of accuracy) Calculator.
    - This all happens within the browser using JavaScript.
    - Close the attacking website's tab/browser and the attack is finished.
    - It's fucking genius.

    - I hate it.

    • I'm annoyed I didn't think of it... or that others haven't years ago. The reality is that many of us would have thought of it right after the 1st JavaScript timing attacks were possible long ago but we were not tasked with thinking about timing attack fingerprinting; it was just an interesting attack to read about back then. People who were tasked with countering the attack should have addressed ALL these issues by now - I'm upset that those people did not do their jobs! We assumed that people in

  • by The-Ixian ( 168184 ) on Thursday May 28, 2026 @08:55AM (#66164060)

    There should be no such thing as accurate timing from any API the browser provides, by default.

    If there is a site that requires this type of accurate timing information, an exception should be able to be created, but it should be off by default.

    We just keep seeing these timing attacks. There is just no reason a random web site needs accurate information from your browser to function.

    • They keep adding timing noise to these APIs as attacks show up but this really speaks to the need to have the noise in the core I/O libraries, not inside each new API.

      If it's writing to disk in any way it should go through a code path with timing noise.

      It would be easier on the feature developers too.

      Probably in the network APIs too. Have a turbo mode in preferences at one end of a privacy slider, maybe. Default should be safe but the browser benchmark people incentivize the wrong thing. "You get what
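The two comments above argue about where timer coarsening and noise belong. The following is an added example, not code from the paper or from anyone in this thread, that models why a coarse clock blunts a contention-timing channel: a script reads a clock, performs a disk read of some true duration, reads the clock again, and a simple threshold classifier tries to tell "idle" reads from "contended" reads. The latency ranges (40-60 µs idle, 80-100 µs contended), the PRNG seed and the three clock granularities are all constructed for illustration and are not values from the paper.

```javascript
// Deterministic PRNG (mulberry32) so the experiment is reproducible.
// Returns a function yielding uniform floats in [0, 1).
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t = (t + Math.imul(t ^ (t >>> 7), t | 61)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed latency model, in microseconds: a read while the system is
// otherwise idle takes 40-60 us, a read that contends with other SSD
// activity takes 80-100 us. (Illustrative numbers, not measurements.)
const CLASSES = {
  idle: (rng) => 40 + 20 * rng(),
  busy: (rng) => 80 + 20 * rng(),
};

// A clock whose readings are rounded down to a multiple of `granularityUs`,
// the way a browser coarsens performance.now() under anti-fingerprinting.
function coarsen(tUs, granularityUs) {
  return Math.floor(tUs / granularityUs) * granularityUs;
}

// One measurement as a script would see it: read the coarse clock, perform
// an operation whose true duration is `durationUs`, read the clock again.
// The operation starts at an arbitrary phase within the current clock tick.
function measure(durationUs, granularityUs, rng) {
  const start = rng() * granularityUs;
  return coarsen(start + durationUs, granularityUs) - coarsen(start, granularityUs);
}

// n measurements of the given class, all taken through the coarse clock.
function sample(label, n, granularityUs, rng) {
  const out = [];
  for (let i = 0; i < n; i++) {
    out.push(measure(CLASSES[label](rng), granularityUs, rng));
  }
  return out;
}

const mean = (xs) => xs.reduce((acc, x) => acc + x, 0) / xs.length;

// Calibrates a midpoint threshold on labelled traces, then reports the
// fraction of fresh traces classified correctly (0.5 = coin flip).
function classifierAccuracy(granularityUs, seed = 1, n = 1000) {
  const rng = mulberry32(seed);
  const idleMean = mean(sample("idle", n, granularityUs, rng));
  const busyMean = mean(sample("busy", n, granularityUs, rng));
  const threshold = (idleMean + busyMean) / 2;

  let correct = 0;
  for (const label of ["idle", "busy"]) {
    for (const m of sample(label, n, granularityUs, rng)) {
      const guess = m > threshold ? "busy" : "idle";
      if (guess === label) correct++;
    }
  }
  return correct / (2 * n);
}

// Accuracy of the same classifier against a 1 us clock, a 100 us clock and
// a 100 ms clock. Keys are the granularity in microseconds.
function runExperiment() {
  const result = {};
  for (const g of [1, 100, 100000]) {
    result[g] = classifierAccuracy(g);
  }
  return result;
}

for (const [g, acc] of Object.entries(runExperiment())) {
  console.log(`clock granularity ${g} us: classifier accuracy ${acc.toFixed(3)}`);
}
```

With a microsecond clock the two classes never overlap and the classifier is perfect; at 100 µs granularity single measurements are already mostly ties at 0 or 100 and accuracy drops to roughly 70%; at 100 ms essentially every read measures as 0 and the classifier is a coin flip. Rounding alone only raises the number of samples an observer needs, since the rounded readings still average to the true duration over many measurements; that is why browsers pair coarsening with random jitter, and why the comment above asks for the noise to live in the I/O path rather than in each API separately.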

  • It comes as absolutely no surprise that when you can execute code on a device, you may be able to gather fingerprints from other code running on that device. You get very little from that though. Basically the only useful case is if one website generates a specific usage pattern, another one may be able to detect that. But you could have gotten the same thing by just having the two sites communicate directly. Yes, there is a covert channel. No, it is not one that matters.

  • They make no mention of Windows in the paper, where the testing was all done on Linux and macOS. Does that mean it doesn't work on Windows, or did they just not bother to test the OS most people use?
  • Also add/modify this setting under about:config privacy.resistFingerprinting = true
  • by nazsco ( 695026 ) on Thursday May 28, 2026 @01:30PM (#66164472) Journal
    This (obviously planted by advertisers exactly to fingerprint users) API is Chrome-only.

    And we know Chrome users are logged in to their Google account at all times directly in the browser, ready to tell the ad networks which user it is exactly. Google have no need for it, for now.

    So, the only place actually using this feature is Facebook. The only kid left out of the Google ad network.
  • by PPH ( 736903 )

    Fooled you. I don't run JavaScript.

  • My main downloads drive is a punch card machine.... let's see them try....

  • Why are web browsers passing all this extra information?
  • No user interaction is required? So I won't have to allow JavaScript with NoScript?

    My other question is whether having your browser profile on a ramdisk makes this easier or harder for them to track you.
