Timing is Everything: the Importance of History Detection
2011 (English)In: Computer Security – ESORICS 2011: 16th European Symposium on Research in Computer Security, Leuven, Belgium, September 12-14,2011. Proceedings / [ed] Vijay Atluri, Claudia Díaz, Springer, 2011, 117-132 p.Conference paper (Refereed)
In this work, we present a Flow Stealing attack, where a victim's browser is redirected during a legitimate flow. One scenario is redirecting the victim's browser as it moves from a store to a payment provider. We discuss two attack vectors.
Firstly, browsers have long admitted an attack allowing a malicious web page to detect whether the browser has visited a target web site by using CSS to style visited links and read out the style applied to a link. For a long time, this CSS history detection attack was perceived as having small impact. Lately, highly efficient implementations of the attack have enabled malicious web sites to extract large amounts of information. Following this, browser developers have deployed measures to protect against the attack. Flow stealing demonstrates that the impact of history detection is greater than previously known.
Secondly, an attacker who can mount a man-in-the-middle attack against the victim's network traffic can also perform a flow stealing attack.
Place, publisher, year, edition, pages
Springer, 2011. 117-132 p.
, Lecture Notes in Computer Science, ISSN 0302-9743 ; 6879
CSS History Detection, Flow Stealing, Web Security
IdentifiersURN: urn:nbn:se:kth:diva-32423DOI: 10.1007/978-3-642-23822-2_7ISI: 000307366400007ScopusID: 2-s2.0-80053026930ISBN: 978-3-642-23821-5OAI: oai:DiVA.org:kth-32423DiVA: diva2:410601
16th European Symposium on Research in Computer Security, ESORICS 2011; Leuven; 12 September 2011 through 14 September 2011
QC 201104202011-04-142011-04-142013-04-19Bibliographically approved