Corpus ID: 32174538

One Side-Channel to Bring Them All and in the Darkness Bind Them: Associating Isolated Browsing Sessions

@inproceedings{Goethem2017OneST,
  title={One Side-Channel to Bring Them All and in the Darkness Bind Them: Associating Isolated Browsing Sessions},
  author={Tom van Goethem and Wouter Joosen},
  booktitle={WOOT},
  year={2017}
}
Online tracking and fingerprinting is becoming increasingly more prevalent and pervasive. The privacy threats associated with these practices have given rise to a wide variety of privacy-enhancing solutions. However, as these solutions retroactively apply patches to existing browsers in an attempt to thwart potential attacks, it is of key importance that the complete threat surface is known such that all risks can be considered. In this paper we evaluate the browser’s threat surface with regard…
Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting
TLDR
This paper presents the first fully automated creation and detection of behavior-based extension fingerprints, and introduces two novel fingerprinting techniques that monitor extensions’ communication patterns, namely outgoing HTTP requests and intra-browser message exchanges.
Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets
TLDR
A novel extension-fingerprinting vector showing how style modifications from browser extensions can be abused to identify installed extensions is presented and specific countermeasures against style fingerprinting that have minimal impact on the overall user experience are proposed.
SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers
TLDR
It is shown that the shift in protecting against transient execution attacks has re-enabled other attacks such as microarchitectural side-channel attacks with a higher bandwidth than what was possible just two years ago.
The Web's Sixth Sense: A Study of Scripts Accessing Smartphone Sensors
TLDR
It is found that popular tracking protection lists such as EasyList and Disconnect commonly fail to block most tracking scripts that misuse sensors and even privacy-focused browsers fail to implement mitigations suggested by W3C, which includes limiting sensor access from insecure contexts and cross-origin iframes.
Web Privacy Measurement in Real-Time Bidding Systems. A Graph-Based Approach to RTB System Classification
TLDR
It transpires that the interconnection between partners in an RTB network is caused by the data flows of the companies themselves due to their specializations in ad technology, and a Graph-Based Methodological Approach (GBMA) controls the situation of differences in consent implementations in European countries.

References

SHOWING 1-10 OF 34 REFERENCES
PriVaricator: Deceiving Fingerprinters with Little White Lies
TLDR
In PriVaricator the power of randomization is used to "break" linkability by exploring a space of parameterized randomization policies, and renders all the fingerprinters tested ineffective, while causing minimal damage on a set of 1000 Alexa sites on which they were tested.
Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting
TLDR
By analyzing the code of three popular browser-fingerprinting code providers, it is revealed the techniques that allow websites to track users without the need of client-side identifiers and how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques.
The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
TLDR
The evaluation of the defensive techniques used by privacy-aware users finds that there exist subtle pitfalls --- such as failing to clear state on multiple browsers at once - in which a single lapse in judgement can shatter privacy defenses.
(Cross-)Browser Fingerprinting via OS and Hardware Level Features
TLDR
This paper proposes a browser fingerprinting technique that can track users not only within a single browser but also across different browsers on the same machine, and can achieve higher uniqueness rate than the only cross-browser approach in the literature with similar stability.
User Tracking on the Web via Cross-Browser Fingerprinting
TLDR
It is shown that a part of the IP address, the availability of a specific font set, the time zone, and the screen resolution are enough to uniquely identify most users of the five most popular web browsers, and that user agent strings are fairly effective but fragile identifiers of a browser instance.
FPDetective: dusting the web for fingerprinters
TLDR
The design, implementation and deployment of FPDetective, a framework for the detection and analysis of web-based fingerprinters, are reported on, showing that there needs to be a change in the way users, companies and legislators engage with fingerprinting.
Fingerprinting Information in JavaScript Implementations
TLDR
This paper identifies two new avenues for browser fingerprinting, one of which subverts the whitelist mechanism of the popular NoScript Firefox extension, which selectively enables web pages’ scripting privileges to increase privacy by allowing a site to determine if particular domains exist in a user's NoScript whitelist.
Timing attacks on Web privacy
TLDR
A way of reengineering browsers to prevent most of these attacks, which allow a malicious Web site to determine whether or not the user has recently visited some other, unrelated Web page by measuring the time the user’s browser requires to perform certain operations.
The Clock is Still Ticking: Timing Attacks in the Modern Web
TLDR
It is shown that modern browsers expose new side-channels that can be used to acquire accurate timing measurements, regardless of network conditions, and it is demonstrated that the nature of the attacks renders traditional defenses, i.e., those based on randomly delaying responses, moot.
Detecting and Defending Against Third-Party Tracking on the Web
TLDR
This work develops a client-side method for detecting and classifying five kinds of third-party trackers based on how they manipulate browser state, and finds that no existing browser mechanisms prevent tracking by social media sites via widgets while still allowing those widgets to achieve their utility goals, which leads to a new defense.