Timing Is Everything: The Importance of History Detection
Identifieur interne : 000B36 ( Main/Exploration ); précédent : 000B35; suivant : 000B37Timing Is Everything: The Importance of History Detection
Auteurs : Gunnar Kreitz [Suède]Source :
- Lecture Notes in Computer Science [ 0302-9743 ] ; 2011.
Abstract
Abstract: In this work, we present a Flow Stealing attack, where a victim’s browser is redirected during a legitimate flow. One scenario is redirecting the victim’s browser as it moves from a store to a payment provider. We discuss two attack vectors. Firstly, browsers have long admitted an attack allowing a malicious web page to detect whether the browser has visited a target web site by using CSS to style visited links and read out the style applied to a link. For a long time, this CSS history detection attack was perceived as having small impact. Lately, highly efficient implementations of the attack have enabled malicious web sites to extract large amounts of information. Following this, browser developers have deployed measures to protect against the attack. Flow stealing demonstrates that the impact of history detection is greater than previously known. Secondly, an attacker who can mount a man-in-the-middle attack against the victim’s network traffic can also perform a flow stealing attack. Noting that different browsers place different restrictions on cross-frame navigation through JavaScript window handles, we suggest a stricter policy based on pop-up blockers to prevent Flow Stealing attacks.
Url:
DOI: 10.1007/978-3-642-23822-2_7
Affiliations:
Links toward previous steps (curation, corpus...)
- to stream Istex, to step Corpus: 000874
- to stream Istex, to step Curation: 000874
- to stream Istex, to step Checkpoint: 000091
- to stream Main, to step Merge: 000B36
- to stream Main, to step Curation: 000B36
Le document en format XML
<record><TEI wicri:istexFullTextTei="biblStruct"><teiHeader><fileDesc><titleStmt><title xml:lang="en">Timing Is Everything: The Importance of History Detection</title><author><name sortKey="Kreitz, Gunnar" sort="Kreitz, Gunnar" uniqKey="Kreitz G" first="Gunnar" last="Kreitz">Gunnar Kreitz</name></author></titleStmt><publicationStmt><idno type="wicri:source">ISTEX</idno><idno type="RBID">ISTEX:88A09E0307CBFB112F614E207BF1D2525EE2E450</idno><date when="2011" year="2011">2011</date><idno type="doi">10.1007/978-3-642-23822-2_7</idno><idno type="url">https://api.istex.fr/document/88A09E0307CBFB112F614E207BF1D2525EE2E450/fulltext/pdf</idno><idno type="wicri:Area/Istex/Corpus">000874</idno><idno type="wicri:Area/Istex/Curation">000874</idno><idno type="wicri:Area/Istex/Checkpoint">000091</idno><idno type="wicri:doubleKey">0302-9743:2011:Kreitz G:timing:is:everything</idno><idno type="wicri:Area/Main/Merge">000B36</idno><idno type="wicri:Area/Main/Curation">000B36</idno><idno type="wicri:Area/Main/Exploration">000B36</idno></publicationStmt><sourceDesc><biblStruct><analytic><title level="a" type="main" xml:lang="en">Timing Is Everything: The Importance of History Detection</title><author><name sortKey="Kreitz, Gunnar" sort="Kreitz, Gunnar" uniqKey="Kreitz G" first="Gunnar" last="Kreitz">Gunnar Kreitz</name><affiliation><wicri:noCountry code="subField"> </wicri:noCountry></affiliation><affiliation wicri:level="1"><country wicri:rule="url">Suède</country></affiliation></author></analytic><monogr></monogr><series><title level="s">Lecture Notes in Computer Science</title><imprint><date>2011</date></imprint><idno type="ISSN">0302-9743</idno><idno type="eISSN">1611-3349</idno><idno type="ISSN">0302-9743</idno></series><idno type="istex">88A09E0307CBFB112F614E207BF1D2525EE2E450</idno><idno type="DOI">10.1007/978-3-642-23822-2_7</idno><idno type="ChapterID">Chap7</idno><idno type="ChapterID">7</idno></biblStruct></sourceDesc><seriesStmt><idno type="ISSN">0302-9743</idno></seriesStmt></fileDesc><profileDesc><textClass></textClass><langUsage><language ident="en">en</language></langUsage></profileDesc></teiHeader><front><div type="abstract" xml:lang="en">Abstract: In this work, we present a Flow Stealing attack, where a victim’s browser is redirected during a legitimate flow. One scenario is redirecting the victim’s browser as it moves from a store to a payment provider. We discuss two attack vectors. Firstly, browsers have long admitted an attack allowing a malicious web page to detect whether the browser has visited a target web site by using CSS to style visited links and read out the style applied to a link. For a long time, this CSS history detection attack was perceived as having small impact. Lately, highly efficient implementations of the attack have enabled malicious web sites to extract large amounts of information. Following this, browser developers have deployed measures to protect against the attack. Flow stealing demonstrates that the impact of history detection is greater than previously known. Secondly, an attacker who can mount a man-in-the-middle attack against the victim’s network traffic can also perform a flow stealing attack. Noting that different browsers place different restrictions on cross-frame navigation through JavaScript window handles, we suggest a stricter policy based on pop-up blockers to prevent Flow Stealing attacks.</div></front></TEI><affiliations><list><country><li>Suède</li></country></list><tree><country name="Suède"><noRegion><name sortKey="Kreitz, Gunnar" sort="Kreitz, Gunnar" uniqKey="Kreitz G" first="Gunnar" last="Kreitz">Gunnar Kreitz</name></noRegion></country></tree></affiliations></record>Pour manipuler ce document sous Unix (Dilib)
EXPLOR_STEP=$WICRI_ROOT/Wicri/Musique/explor/OperaV1/Data/Main/Exploration
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 000B36 | SxmlIndent | more
Ou
HfdSelect -h $EXPLOR_AREA/Data/Main/Exploration/biblio.hfd -nk 000B36 | SxmlIndent | more
Pour mettre un lien sur cette page dans le réseau Wicri
{{Explor lien
|wiki= Wicri/Musique
|area= OperaV1
|flux= Main
|étape= Exploration
|type= RBID
|clé= ISTEX:88A09E0307CBFB112F614E207BF1D2525EE2E450
|texte= Timing Is Everything: The Importance of History Detection
}}
| This area was generated with Dilib version V0.6.21. |  |