Featured Research

from universities, journals, and other organizations

Standard Feature Of Web Browser Design Leaves Opening For Privacy Attacks

Date:
December 8, 2000
Source:
Princeton University
Summary:
Princeton computer scientists have discovered a trait of Web browser design that allows Web sites to cull private information about the recent browsing histories of visitors. While there is no evidence that any Web sites use such a snooping tactic, the researchers believe the method could pose serious risks to privacy.

Princeton, N.J. -- Princeton computer scientists have discovered a trait of Web browser design that allows Web sites to cull private information about the recent browsing histories of visitors.

While there is no evidence that any Web sites use such a snooping tactic, the researchers believe the method could pose serious risks to privacy. The technique is undetectable and defeats nearly all available privacy measures, although design changes in future browsers could reduce the problem.

Edward Felten, professor of computer science, and graduate student Michael Schneider described the technique in the proceedings of the Association for Computing Machinery Conference on Computer and Communications Security, a major conference held Nov. 1-4 in Athens.

The researchers have dubbed the technique a "timing attack." It works by exploring the contents of the visiting browser's "cache" of recent activities, a log all browsers compile to increase their speed. In a timing attack, a Web site times how long it takes a browser to respond to queries about other sites. Company X.com, for example, could test how quickly visiting browsers are able to access information from competitor Y.com's site. A quick response indicates that the Web user recently visited Y.com. The test is very reliable, the researchers found.

Timing attacks could allow malicious Web site designers to create a more invasive form of Web "cookies," which are bits of data that Web sites store on visitors' browsers. Cookies are often used, for example, to allow a Web user to return to a password-restricted Web site without having to type in a password each time.

Felten and Schneider created a variation they call "cache cookies." Web sites could force a browser to store cache cookies without the permission required of normal cookies. (Web users have the option of instructing their browsers to reject conventional cookies.)

Any number of unrelated Web sites could then access these cache cookies and use them as a tool for learning whether a Web user has recently visited other Web sites. The scheme presents troubling opportunities to aggregate large amounts of information about Web users who do nothing more than visit sites.

"These qualities make cache cookies very dangerous to the privacy of Web users," the authors assert.

While no countermeasures would completely protect people from such invasion, the authors propose a method for redesigning browsers to prevent the majority of timing attacks. The redesign would employ a device called "domain tagging." It would allow information to be retrieved from the browser's cache of recently visited Web addresses only if the information pertains to the exact site the Web user is currently viewing.

Even that solution, however, is imperfect and does not prevent maliciously designed sites from inserting some forms of dummy addresses into a Web browser's cache and looking them up later.

Nonetheless, the researchers believe that domain tagging could work sufficiently well to assure Web users a reasonable level of privacy. "We think we understand what the solution is and we now are working to implement it," said Felten.

Felten said he felt compelled to publish a description of the potential problem to encourage positive discussion about resolving it. "We believed (timing attacks) would be discovered by other people before long and they would be used," he said. "You need to talk about a problem before it can be solved."
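
The effect of domain tagging, and the residual case the article notes, can be seen in a small model of a browser cache. This is an added example, not code from the researchers or from any browser; the class and function names, the `x.example` and `y.example` hosts, the latency constants, and the choice to tag each entry with the domain of the page being viewed are all assumptions made for illustration.

```javascript
// Simplified model of a browser cache (constructed for illustration).
// Latencies are made-up constants, not measurements.
const HIT_MS = 2;     // assumed cost of serving a resource from the cache
const MISS_MS = 120;  // assumed cost of fetching it over the network

class BrowserCache {
  constructor(domainTagging) {
    this.domainTagging = domainTagging;
    this.entries = new Set();
  }

  // Cache key: the URL alone (shared cache), or the URL tagged with the
  // domain of the page the user is currently viewing (domain tagging).
  key(viewingDomain, url) {
    return this.domainTagging ? `${viewingDomain}|${url}` : url;
  }

  // Load `url` while the user views a page on `viewingDomain`.
  // Returns the simulated load time; a miss stores the resource.
  load(viewingDomain, url) {
    const k = this.key(viewingDomain, url);
    if (this.entries.has(k)) return HIT_MS;
    this.entries.add(k);
    return MISS_MS;
  }
}

// Scenario from the article: the user visits Y, then a page on X
// references a resource from Y and observes how quickly it loads.
function crossSiteLoadTime(domainTagging) {
  const cache = new BrowserCache(domainTagging);
  cache.load("y.example", "http://y.example/logo.gif"); // genuine visit to Y
  return cache.load("x.example", "http://y.example/logo.gif");
}

// Residual case the article notes: a site re-reading an entry that it
// placed in the cache itself on an earlier visit.
function sameSiteLoadTime(domainTagging) {
  const cache = new BrowserCache(domainTagging);
  cache.load("x.example", "http://x.example/marker-1.gif");
  return cache.load("x.example", "http://x.example/marker-1.gif");
}

console.log("shared cache, cross-site load:", crossSiteLoadTime(false), "ms");
console.log("domain tagging, cross-site load:", crossSiteLoadTime(true), "ms");
console.log("domain tagging, same-site reload:", sameSiteLoadTime(true), "ms");
```

With the shared cache the cross-site load is fast, which is the signal the timing attack relies on; with tagging it looks like a first fetch, while a site's own entries still come back as hits.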


Story Source:

The above story is based on materials provided by Princeton University. Note: Materials may be edited for content and length.


Cite This Page:

Princeton University. "Standard Feature Of Web Browser Design Leaves Opening For Privacy Attacks." ScienceDaily. ScienceDaily, 8 December 2000. <www.sciencedaily.com/releases/2000/12/001208074325.htm>.
