Article

Protecting browser state from web privacy attacks

Authors:

Collin Jackson,

Andrew Bortz,

Dan Boneh,

John C. MitchellAuthors Info & Claims

WWW '06: Proceedings of the 15th international conference on World Wide Web

Pages 737 - 744

https://doi.org/10.1145/1135777.1135884

Published: 23 May 2006 Publication History

Get Access

Abstract

Through a variety of means, including a range of browser cache methods and inspecting the color of a visited hyperlink, client-side browser state can be exploited to track users against their wishes. This tracking is possible because persistent, client-side browser state is not properly partitioned on per-site basis in current browsers. We address this problem by refining the general notion of a "same-origin" policy and implementing two browser extensions that enforce this policy on the browser cache and visited links.We also analyze various degrees of cooperation between sites to track users, and show that even if long-term browser state is properly partitioned, it is still possible for sites to use modern web features to bounce users between sites and invisibly engage in cross-domain tracking of their visitors. Cooperative privacy attacks are an unavoidable consequence of all persistent browser state that affects the behavior of the browser, and disabling or frequently expiring this state is the only way to achieve true privacy against colluding parties.

References

[1]

A. Clover. Css visited pages disclosure, 2002. http://seclists.org/lists/bugtraq/2002/Feb/0271.html.

Google Scholar

[2]

W. W. W. Consortium. P3P public overview, 2005. http://www.w3.org/P3P/.

Google Scholar

[3]

E. W. Felten and M. A. Schneider. Timing attacks on web privacy. In ACM Conference on Computer and Communications Security, pages 25--32, 2000.

Digital Library

Google Scholar

[4]

M. Jakobsson, T. Jagatic, and S. Stamm. Phishing for clues: Inferring context using cascading style sheets and browser history, 2005. http://www.browser-recon.info/.

Google Scholar

[5]

M. Jakobsson and A. Juels. The positive face of cache cookies, 2005.

Google Scholar

[6]

M. Jakobsson and S. Stamm. Invasive browser sniffing and countermeasures. Manuscript, 2005.

Google Scholar

[7]

D. Kristol and L. Montulli. RFC 2109: HTTP state management mechanism, Feb. 1997.

Digital Library

Google Scholar

[8]

Mozilla.org. Bugzilla bug 147777, 2002. https://bugzilla.mozilla.org/show_bug.cgi?id=147777.

Google Scholar

[9]

J. Nielsen. Change the color of visited links, 2004. http://www.useit.com/alertbox/20040503.html.

Google Scholar

[10]

J. Ruderman. The same origin policy, 2001. http://www.mozilla.org/projects/security/components/same-origin.html.

Google Scholar

[11]

A. Wolman, G. Voelker, N. Sharma, N. Cardwell, M. Brown, T. Landray, D. Pinnel, A. Karlin, and H. Levy. Organization-based analysis of web-object sharing and caching. In Proceedings of Second USENIX Symposium on Internet Technologies and Systems, pages 25--36, 1999.

Digital Library

Google Scholar

Cited By

View all

Liu XLi WHou QYang SYing LDiao WLi YGuo SDuan HChua TNgo CKa-Wei Lee RKumar RLauw H(2024)From Promises to Practice: Evaluating the Private Browsing Modes of Android Browser AppsProceedings of the ACM on Web Conference 202410.1145/3589334.3645320(1561-1572)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645320
Bhanwarlal Irfan Khan (2022)XSS and SQL Injection Detection and Prevention Techniques (A Review)International Journal of Scientific Research in Computer Science, Engineering and Information Technology10.32628/CSEIT22816(53-60)Online publication date: 2-Jan-2022
https://doi.org/10.32628/CSEIT22816
Jueckstock JSnyder PSarker SKapravelos ALivshits B(2022)Measuring the Privacy vs. Compatibility Trade-off in Preventing Third-Party Stateful TrackingProceedings of the ACM Web Conference 202210.1145/3485447.3512231(710-720)Online publication date: 25-Apr-2022
https://dl.acm.org/doi/10.1145/3485447.3512231
Show More Cited By

Index Terms

Protecting browser state from web privacy attacks

Recommendations

Exposing private information by timing web applications
WWW '07: Proceedings of the 16th international conference on World Wide Web

We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first, direct timing, directly measures response times from a web site to expose private information such as ...
Security and identification indicators for browsers against spoofing and phishing attacks

In spite of the use of standard Web security measures (SSL/TLS), users enter sensitive information such as passwords into fake Web sites. Such fake sites cause substantial damages to individuals and corporations. In this work, we identify several ...
Cache Cookies for Browser Authentication (Extended Abstract)
SP '06: Proceedings of the 2006 IEEE Symposium on Security and Privacy

Like conventional cookies, cache cookies are data objects that servers store in Web browsers. Cache cookies, however, are unintentional byproducts of protocol design for browser caches. They do not enjoy any explicit interface support or security ...

Comments

Information & Contributors

Information

Published In

WWW '06: Proceedings of the 15th international conference on World Wide Web

May 2006

1102 pages

ISBN:1595933239

DOI:10.1145/1135777

General Chairs:
Leslie Carr
University of Southampton
,
David De Roure
University of Southampton
,
Arun Iyengar
IBM Research
,
Program Chairs:
Carole Goble
University of Manchester, UK
,
Mike Dahlin
University of Texas at Austin

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 May 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

WWW06

Sponsor:

WWW06: The 15th International World Wide Web Conference 2006

May 23 - 26, 2006

Edinburgh, Scotland

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

111
Total Citations
View Citations
1,957
Total Downloads

Downloads (Last 12 months)46
Downloads (Last 6 weeks)3

Reflects downloads up to 26 Jul 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Liu XLi WHou QYang SYing LDiao WLi YGuo SDuan HChua TNgo CKa-Wei Lee RKumar RLauw H(2024)From Promises to Practice: Evaluating the Private Browsing Modes of Android Browser AppsProceedings of the ACM on Web Conference 202410.1145/3589334.3645320(1561-1572)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645320
Bhanwarlal Irfan Khan (2022)XSS and SQL Injection Detection and Prevention Techniques (A Review)International Journal of Scientific Research in Computer Science, Engineering and Information Technology10.32628/CSEIT22816(53-60)Online publication date: 2-Jan-2022
https://doi.org/10.32628/CSEIT22816
Jueckstock JSnyder PSarker SKapravelos ALivshits B(2022)Measuring the Privacy vs. Compatibility Trade-off in Preventing Third-Party Stateful TrackingProceedings of the ACM Web Conference 202210.1145/3485447.3512231(710-720)Online publication date: 25-Apr-2022
https://dl.acm.org/doi/10.1145/3485447.3512231
Gulmezoglu B(2022)XAI-Based Microarchitectural Side-Channel Analysis for Website Fingerprinting Attacks and DefensesIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.311714519:6(4039-4051)Online publication date: 1-Nov-2022
https://doi.org/10.1109/TDSC.2021.3117145
Mingsheng XChunxia LWenhui D(2022)Research and Development of Dual-Core Browser-Based Compatibility and Security2022 IEEE 8th International Conference on Computer and Communications (ICCC)10.1109/ICCC56324.2022.10065688(1697-1701)Online publication date: 9-Dec-2022
https://doi.org/10.1109/ICCC56324.2022.10065688
Koop MTews EKatzenbeisser S(2020)In-Depth Evaluation of Redirect Tracking and Link UsageProceedings on Privacy Enhancing Technologies10.2478/popets-2020-00792020:4(394-413)Online publication date: 17-Aug-2020
https://doi.org/10.2478/popets-2020-0079
WATANABE TSHIOJI EAKIYAMA MSASAOKA KYAGI TMORI T(2020)Follow Your Silhouette: Identifying the Social Account of Website Visitors through User-Blocking Side ChannelIEICE Transactions on Information and Systems10.1587/transinf.2019INP0012E103.D:2(239-255)Online publication date: 1-Feb-2020
https://doi.org/10.1587/transinf.2019INP0012
Skeirik SMeseguer JRocha C(2020)Verification of the IBOS Browser Security Properties in Reachability LogicRewriting Logic and Its Applications10.1007/978-3-030-63595-4_10(176-196)Online publication date: 11-Dec-2020
https://doi.org/10.1007/978-3-030-63595-4_10
Smith MDisselkoen CNarayan SBrown FStefan DRossow CYounan Y(2018)Browser history revisitedProceedings of the 12th USENIX Conference on Offensive Technologies10.5555/3307423.3307439(16-16)Online publication date: 13-Aug-2018
https://dl.acm.org/doi/10.5555/3307423.3307439
Weinberg ZCho SChristin NSekar VGill P(2018)How to Catch when Proxies LieProceedings of the Internet Measurement Conference 201810.1145/3278532.3278551(203-217)Online publication date: 31-Oct-2018
https://dl.acm.org/doi/10.1145/3278532.3278551
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Exposing private information by timing web applications

Security and identification indicators for browsers against spoofing and phishing attacks

Cache Cookies for Browser Authentication (Extended Abstract)