Yahoo! crypto! queen! turns! security! code! into! evil! tracker!

HTTP Strict Transport Security isn't working as advertised or planned

20 Reg comments Got Tips?

Yahoo! crypto ace Yan Zhu has found twin attacks that allow websites to learn the web histories of visitors users by targeting HTTP Strict Transport Security (HSTS).

The timing attack, which works regardless of cookie clearing, was demonstrated on Firefox and Chrome last Sunday at the Toorcon security conference.

The attack allows malicious admins to track only the HSTS domains and subdomains rather than full URLs a user has visited which restricts the threat since most sites including major web operators have yet to adopt the lauded security measure.

It also does not work against Safari, Internet Explorer, or Chrome users on Apple devices.

Zhu also detailed how a website can abuse the certificate pinning browser security measure by serving a supercookie to users that can be later read by that site to determine visitor browser histories.

The hacker (@bcrypt) says the work is "unusual" for an author of privacy tools.

"These features are really hard to turn off," Zhu told the conference, adding that it could be further developed to reveal full user URL paths.

"If you are and you want to fingerprint users and you know that some other site is going to support HSTS … you can know wether a user has visited it and gotten the HSTS pin.

"A bad certificate chain will cause the browser reporting to fire a validation report which includes …. a supercookie."

The flaws have been reported to Google and Mozilla.

Zhu, who works on a series of cryptographic initiatives and with the Electronic Frontier Foundation created a proof-of-concept site to showcase the exploit, since dubbed "Sniffly".

Among the sites that can be determined includes the infamous Kick Ass Torrents piracy site, Reddit, and Kickstarter.

Users running the HTTPS Everywhere extension or an advertising blocker are a little safer since it throws false positives into the list of sites a user is supposed to have visited but those can be identified with up to 80 percent accuracy

Firefox security bods are said to be evaluating the attacks and brewing means to defeat it.

Zhu, who has asked us to refer to her as a "crypto witch", describes how Sniffly works on her blog:

A user's browser attempts to load images from various HSTS domains over HTTP which are harvested from a scrape of HSTS domains in the Alexa top one million.

Sniffly sets a content security policy (CSP) that restricts images to HTTP, so image sources are blocked before they are redirected to HTTPS. This is crucial, because if the browser completes a request to the HTTPS site, then it will receive the HSTS pin, and the attack will no longer work when the user visits Sniffly.

When an image gets blocked by CSP, its onerror handler is called. In this case, theonerror handler does some fancy tricks to semi-reliably time how long it took for the image to be redirected from HTTP to HTTPS. If this time is on the order of a millisecond, it was an HSTS redirect (no network request was made), which means the user has visited the image’s domain before. If it’s on the order of 100 milliseconds, then a network request probably occurred, meaning that the user hasn’t visited the image’s domain.

Zhu's slides are also available here (PDF). ®


Biting the hand that feeds IT © 1998–2020