University student finds way to sniff Firefox history
I first heard of this on TV news. I thought it said something about Facebook reading users' history - could be wrong on the facebook part. Then found this article about a university student that discovered this hole.
Is there any response about this from Mozilla yet?
"Now, a graduate student at Hasselt University in Belgium said he has confirmed that Chrome, IE, and Firefox users are once again susceptible to browsing-history sniffing. Borrowing from a browser-timing attack disclosed last year by fellow researcher Paul Stone, student Aäron Thijs was able to develop code that forced all three browsers to divulge browsing history contents. He said other browsers, including Safari and Opera, may also be vulnerable, although he has not tested them."
Additional System Details
- User Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
As hyperlinked in that ARS article - https://bugzilla.mozilla.org/show_bug.cgi?id=884270 - Mozilla has long been aware of that type of potential exploit and has been working on a fix.
Thanks for the link.
Why would you think that if they've known about it since June 2013, they haven't fixed it or at least warned users about it, so they can decide what, if any, action they want to take? (rhetorical question)
I can't speak for Mozilla, but that issue can't be a real bad security problem since that Bug report is open to the public and not in the security restricted part of Bugzilla.
Did you read the one comment posted in that ARS article? Supposedly by the researcher who did the the Black Hat presentation of that exploit last year. So that graduate student in Belgium wasn't reporting anything new, just confirming it. And now that the information is out there, with a test case, that exploit can be used more easily by the bad guys. One way to make the internet security world aware of "you", and maybe get a higher salary when you enter the work force.
Thanks Ed. I didn't mean it was so much a security issue as a potentially huge privacy problem, depending.
Axiom: If browsing history can be sniffed, Google (user tracking services) & many companies just like them, will attempt to get it. That data is extremely valuable to advertisers - & "others."
Suppose one signs up for Amazon (or any retail site) w/ real name, address, credit card.
Now they know who you are & they (or the myriad of trackers, that sites might allow) may be able to get your full browsing history, tying it to a real name, UNLESS users: 1) are aware of the problem (vast majority aren't) AND, 2) actually remember to clear browsing history, before visiting such sites, or take other action.
That's the problem - most users aren't aware of this history sniffing problem. They thought it was dead. I try to keep up w/ security & privacy issues & this is the 1st I've heard of the resurgence of sniffing history problem.
The other part of the problem is, when visiting sites like Amazon, unless you take specific action to block them, you're also dealing w/ Google & possibly many other data gathering / history tracking companies. Being able to sniff history would be a virtual gold mine to tracking companies.
Mozilla's lack of concern over privacy is... concerning. Unless I misinterpret, you're not concerned, either. Just because this student wasn't reporting anything new, doesn't mean it's not very important to users.
Just because Mozilla or some researcher was "aware" of the problem for a good while (but has done nothing), doesn't mean it's not very important to users - IF... they knew about it.
People & companies (like Mozilla, etc.) are slow to react. I left the likes of Gmail yrs ago because of serious privacy violations - w/ Gmail & by Google, in general. Some people are just now waking up & realizing, "Hey, Google's reading all my email - when did that start happening?"
And there are lawsuits against Google for privacy violation practices that have been common knowledge for many yrs.
I don't know what the "new" attack is but the way the old attack worked was to (invisibly) insert links into the page and watch for whether the link was repainted, the reason for repainting being that the link had to be marked as visited. Paul Stone's Black Hat demo showed that 1000 links could be checked in 16-17 seconds, so potentially a site could see whether you visited a lot of different URLs.
Okay, so if a site wants to know if you ever visited www.example.com, then using this timing attack, it could learn that. I believe this is a yes/no test which doesn't reveal the number of visits or when they occurred. Presumably a site only cares about some of your history and isn't going to test billions of links to fully profile you.
How might you partially mitigate this?
- Minimize history you want to remain unknown. Use private windows for sites you do not want in your history.
- Use private browsing on untrusted sites. In a private browsing session, your "real" history is ignored; your discoverable history is just the history of that session.
- Use NoScript to block unnecessary sources of scripts. Although it's a considerable amount of work to "train" NoScript, if you are concerned about history timing attacks from ad networks or other external sites, you can use NoScript to only enable scripts from the minimum number of servers to get a page to operate.
I can't tell whether the layout.css.visited_links_enabled makes a difference. In my test with an older proof-of-concept of the attack, the detection didn't seem to be working very accurately whether that was set to its default value of true or switched to false. (See attached screen shot; the check ran about 15 times, I think, before I stopped it; the higher the percentage, the more confident the page can be that I've visited that link before.)
Yes, good points. But one of my main points is, it hasn't been made known to users, that this potential violation of privacy exists. I have the "Clear History" icon on my toolbar.
That's a problem & quite frankly a bit negligent on Mozilla's. If it was actually public knowledge (for some) for a yr or more, hackers / trackers / data mining sites could easily have discovered & used it.
Once the secret is out, any software company that can't fix it in a reasonable time (over 1 yr isn't reasonable), they owe it to customers to warn them. Some won't care, but many do.
Yes, we are customers, because Mozilla makes a lot of $, off of many of us using Google for searches & now advertising in Fx, in certain instances. With no users or a much smaller user base, not much $ coming in or from deals w/ Google (which are supposedly / rumored to be ending). But, Mozilla will find a way to make it up.
Who knows, maybe the big browser companies have a deal w/ major tracking / ad companies, to not fix this hole - allowing them to gather at least one thing they are very interested in - browsing history. If anyone says that's "impossible," they're dreaming. It would be worth many millions to Mozilla, Chrome, IE.
As long as it's not a true security threat, they're not too concerned (obviously, from the bug's assigned priority. It took YEARS to fix the last bug, allowing history to be sniffed. Is it any wonder why? $$$$
Modified by Joebt
Hi Joebt, you are entitled to your theories, but from what I see, the problem is that eliminating the time differences observed by the Black Hat script would require slowing down some operations in the browser, and no one wants to make Firefox slower for every page load because a couple of sites might use an abusive script.
Mozilla is a not-for-profit organization. I do not think Mozilla displays ads in Firefox. There is a proposal to add some sponsored links to a future version of the new tab page when there are still empty spaces in the 3x3 matrix of frequently visited sites, but that is still under discussion. If you are seeing ads now, consider whether they could be generated by one of your add-ons.
I'm not sure what happened to my reply. If it was deleted - for any reason - should be some indication of a reply being delete, vs. disappear into space. I'm copying / saving this one.
Very little in my post was based on theory.
Yes, Mozilla is a non-profit organization. NO, the employees don't work for free - especially those higher up (which is OK - just some people don't know that).
Yes, AFAIK the plans to display ads are final (as can be). They announced exactly how they'll be displayed. Which in & of itself isn't a terrible thing - except to some folks. Either viewpoint is OK.
This part may be conjecture: If ads on the newtab page aren't a disaster, in the future there will likely be other ads. Mozilla is losing a ton of money that Google has always provided, but is rumored to be halting. So (in their or parent co's mind) that must be replaced.
Bottom line: Mozilla.org, which is owned by a for-profit company, is interested in making more money, not just breaking even. I don't remember from audit reports if the parent company profits when Mozilla.org raises more money. Which is OK -but folks should understand it. Yes, they need substantial revenue to be able to compete w/ other browsers.
No, neither they nor most other browsers, on average, react to or fix privacy issues nearly as quickly as security issues. That may be necessary (or not), but sometimes privacy issues remain for years & aren't necessarily publicized to general browser user population.
It's not reasonable or right for any company / organization to leave users in the dark (which a lot of software companies do). Yes, Mozilla & many software companies do this, sometimes.
It's not reasonable to expect avg users will happen to read headlines or stories about XYZ browser having this / that problem, or that they'll read bug reports or even browse forums regularly.
Hi Joebt, I do not recall seeing your reply.
Mozilla Corporation is a subsidiary of Mozilla Foundation. See: http://www.mozilla.org/about/governan.../organizations/.
I think someone will be willing to pay to be the default search provider for Firefox after the current contract expires, and my guess is it will be Google. But whatever happens, the organization does need to be funded to put out a free product. That certainly is true.
I don't think that has anything to do with solving the problem of timing discrepancies. (And I'm not even sure that's a real problem, but I only conducted the one test.)